This article was published on June 27, 2017

NSA knew about the vulnerability exploited by NotPetya for over 5 years


NSA knew about the vulnerability exploited by NotPetya for over 5 years

The National Security Agency (NSA) began using a hacking tool called EternalBlue more than five years ago. During that time, the agency discovered its unparalleled ability to breach networks, a flaw considered so dangerous within the NSA it considered revealing it to the company whose software it was exploiting, Microsoft.

While it debated, the agency continued using the tool and pondering the devastating implications of what could happen if EternalBlue ever made its way into the wild.

And then it did.

The NSA finally told Microsoft about the vulnerability earlier this year — but only after the exploit had been stolen, and subsequently released online. Microsoft issued a “critical” patch in March, and as of May WannaCry ransomware — which used EternalBlue to penetrate Windows PCs — had infected over 230,000 PCs in more than 150 countries.

And today we met NotPetya.

NotPetya is similar to another piece of ransomware, Petya, but belongs in a classification of its own, according to security researchers we spoke with. Both used EternalBlue, but the similarities mostly stopped there. NotPetya is an entirely new form of ransomware used earlier today to bring down everything from Chernobyl’s radiation detection system, to the Kiev metro, banks, and at least one US hospital.

All told, Kaspersky claims at least 2,000 organizations around the globe have been affected in the last 24 hours.

And WannaCry, for all its destructive power, was a sloppy tool full of bugs and created by amateurs. NotPetya, according to experts, is not.

“This is going to be a big one. Real big one,” former NSA analyst David Kennedy told Forbes.

Unlike WannaCry — which featured a kill switch to remotely disable the program, and mostly affected only older versions of Windows — there’s no kill switch here, and WannaCry can infect any version of Windows — including Windows 10. Worse, it’s capable of automatic lateral movement between devices, meaning it can infect even previously-patched machines if there’s a non-patched PC on the network.

Failure to keep EternalBlue out of the hands of hackers prompts real concern as to whether the agencies that rely on these tools can hope to keep them safe. While critical to the role agencies like the NSA and CIA play in gathering intelligence worldwide, the scope of these projects will only grow with time, and with it so will the damage they cause when they can’t be kept out of the hands of cybercriminals.

Let’s not forget, NotPetya was entirely preventable — if the NSA had the foresight.

Get the TNW newsletter

Get the most important tech news in your inbox each week.