Stop Blaming NSA for Cyber Attacks

The May 7th ransomware attack against Baltimore has crippled much of the local government’s IT infrastructure while holding its network hostage. Not since the March 2018 attacks against Atlanta has a major U.S. city been so digitally impaired.

The subsequent media coverage of Baltimore’s struggle has generated some misplaced criticism of the U.S. government. Initial news reports erroneously claimed that the ransomware leveraged an NSA-developed exploit to compromise Baltimore’s municipal systems. Unfortunately, this snowballed into numerous sources placing blame on the NSA, claiming that they mismanaged their cyber weaponry. 

This is grossly incorrect.

Most people know that malware consists of malicious code, but few understand how it works. While perhaps oversimplified, malware consists of an exploit and a payload. The exploit can be considered the means in which the code gets into a network and spreads to machines. The payload is responsible for the maliciously damaging activity performed once inside the target machine. Combining an exploit and payload creates the infectious and destructive application we know as malware. Many different types of malware exist and are usually characterized by the function of their payload, rootkit or ransomware for example.  

Server Message Block (SMB) is a network sharing protocol used by Windows systems. Typically, SMB is used for sharing resources over a local network. However, due to a vulnerability in older versions of this protocol, internet-facing machines using SMB can be remotely compromised. 

In April of 2017, a hacking group known as the Shadow Brokers leaked an arsenal of weaponized code allegedly developed by the NSA. Among the digital cache released was the SMB exploit, EternalBlue. One month later, the use of malware utilizing EternalBlue was first seen with the global spread of WannaCry ransomware. 

By exploiting the network sharing protocol SMB, EternalBlue provides a wormlike propagation for its payload. In the case of WannaCry, the payload contained the file encrypting portion for holding systems hostage. Initially, the WanaCypt0r payload was relatively ineffective with little distribution.  However, once combined with EternalBlue, WanaCrypt0r 2.0 was very effective and responsible for the global spread of WannaCry in 2018.  Regardless, Microsoft released a security update (MS17-010) which patched the exploited SMB vulnerability in March of 2017.

Similar to what Greenville, North Carolina, experienced in April of this year, the attack against Baltimore was executed with the RobbinHood ransomware.  However, RobbinHood does not contain the EternalBlue exploit. These simple facts seem to have eluded most news reports. 

The only currently known public analysis of RobbinHood is the one performed by Vitali Kremez at Sentinel One. In his analysis Kremez states, “It is also notable that the ransomware does not spread within the network; quite the opposite, it drops all Windows shares…”.  According to Kremez, the ransomware is unable to self-propagate and requires attackers to manually infect machines. Furthermore, his findings have led to the conclusion that the ransomware is pushed on each machine individually via the PsExec command. This manual method of infection is almost in complete opposition to the autonomous propagation seen with EternalBlue.

Even if RobbinHood had contained the leaked exploit EternalBlue, holding the NSA partially responsible is flawed on many levels. People should stop the reflexive accusatory finger pointing at the NSA. Furthermore, blaming Baltimore’s IT security—or lack of—is not realistic or helpful. While the culprits of this ransomware attack are still unknown, they are the only ones to hold accountable.   

Noah Schiffman is the chief technology adviser for KBR.