The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Why the NSA is pushing back against Baltimore ransomware link


The National Security Agency took an exceptionally rare step last week when it disputed a New York Times report that one of its hacking tools was used in a ransomware attack that has crippled Baltimore city services for more than three weeks.

The organization once nicknamed “No Such Agency” typically stays tight-lipped about stories it believes are incorrect or misleading. The rare exception underscores that the NSA is trying to avoid a hit to its reputation, which has taken numerous blows in recent years, that would surely come if its tools were linked to the Baltimore attack.

The NSA has been facing intense scrutiny over whether it can keep its hacking tools out of adversaries’ hands. EternalBlue, the powerful tool the Times reported was used in the Baltimore attack, was stolen from the NSA and leaked online by a group called Shadow Brokers in 2016. It has since appeared in numerous hacking campaigns — including WannaCry, North Korea’s 2017 global ransomware operation.

But the impact of those attacks was spread over numerous international and domestic targets, whereas the optics of a U.S. government tool forcing offline a major American city in a single, high-visibility attack are especially bad, Jason Healey, a former White House cybersecurity official during the George W. Bush administration, told me in an email.

“This truly brings the pain home,” said Healey, who is now a senior research scholar at Columbia University's School for International and Public Affairs.

What's more, it could earn the attention of lawmakers. The global companies hit by EternalBlue "are not represented in Congress. Baltimore is,” Healey said.

And the more the public learns about EternalBlue attacks, the more the focus stays on the massive Shadow Brokers leak, which remains shrouded in mystery, Jake Williams, a former NSA hacker who founded the company Rendition InfoSec, told me.

"The biggest issue that NSA wants to avoid talking about is that they still don't know who the Shadow Brokers are or how the exploits were leaked," Williams said. "I think they know that those questions will follow from any EternalBlue discussion."

The agency’s pushback started Thursday when NSA Senior Adviser Rob Joyce swiped at the Times story during a speech at a cybersecurity conference. He suggested the NSA shouldn’t be held responsible for any EternalBlue hacks in 2019 because organizations have had two years to update their systems to protect against it.

"Focusing on a single exploit, especially one that has a patch that was issued years ago, is really short-sighted,” Joyce said.

From the Wall Street Journal's Dustin Volz:

Then on Friday, Rep. Dutch Ruppersberger (D-Md.) said NSA officials told him that there was no evidence EternalBlue was used in the Baltimore attack. Ruppersberger’s district includes the NSA and part of Baltimore.

Ruppersberger added, however, that he wasn’t letting the NSA off the hook for instances in which EternalBlue was used against U.S. targets.

“Our country needs cyber tools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” he said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities.”

Ruppersberger’s statement didn’t settle the matter for some cyber pros, however.

Some of them pointed out that saying the NSA doesn’t have “any evidence” that EternalBlue was used leaves open the possibility that there is indeed a connection to be found, but that the NSA simply doesn’t have it.

Here’s former NSA attorney and current executive editor of the Lawfare blog Susan Hennessey:

And security researcher Robert Graham:

It’s also possible EternalBlue was part of the attack but didn’t leave clear traces, Williams noted.

The Times, meanwhile, stood by its story. In a follow-up story, reporters Scott Shane and Nicole Perlroth said sources directly involved in the investigation had told them that four separate contractors working on restoring Baltimore’s IT services had discovered EternalBlue. The sources said the hackers used the tool to move rapidly across the city’s networks.

“This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as ‘pass-the-hash,’ which uses stolen credentials, to spread the ransomware,” the Times reported.

That description worried some cyber pros, however, who thought the contractors might be confused. Here’s former NSA hacker Robert M. Lee, founder of the cybersecurity company Dragos.


PINGED: The Justice Department won’t charge WikiLeaks founder Julian Assange with a crime for publishing a trove of leaked CIA hacking tools dubbed Vault 7, Politico’s Natasha Bertrand reported.

“It’s a move that has surprised national security experts and some former officials, given prosecutors’ recent decision to aggressively go after the WikiLeaks founder on more controversial Espionage Act charges that some legal experts said would not hold up in court,” Bertrand reported.

The decision was partly sparked by concerns that a public trial on those charges would force the government to reveal even more secrets about CIA hacking operations, Bertrand reported. The CIA has never officially acknowledged the Vault 7 leak.

Assange — who spent seven years avoiding U.S. charges by holing up in the Ecuadoran Embassy in London — was initially charged with computer hacking for offering to help Chelsea Manning crack the password on a Defense Department network. The Espionage Act charges — which First Amendment activists say come dangerously close to criminalizing journalism — were added later.

“DOJ has charged one person in the Vault 7 theft,” Bertrand reported. “A former CIA employee, Joshua Schulte, was indicted for transmitting the Vault 7 documents to WikiLeaks. He has pleaded not guilty and his trial is set for November.”

PATCHED: As the clock ticks down to 2020, the Department of Homeland Security is still falling short on efforts to secure state and local election infrastructure, the department’s internal watchdog says.

The department hasn’t completed all the necessary plans to identify and mitigate digital election threats or established metrics to gauge whether its election security efforts are successful, the department’s inspector general said in a semiannual report to Congress released last week.

The report cited “senior leadership turnover and a lack of guidance and administrative staff” as the main hindrances, as well as long lag time to give new employees security clearances.

“Additional staff could enhance DHS’ ability to provide technical assistance and outreach to state and local election officials during elections,” the report states.

Here’s more on the report from FCW’s Mark Rockwell.

PWNED: Secretary of State Mike Pompeo warned German officials Friday that the United States may withhold intelligence from them if they allow the Chinese telecom Huawei to build any portion of their next-generation 5G wireless networks, Reuters's David Brunnstrom reported.

Trump administration leaders have made similar threats in the past, but rarely so directly.

“(There is) a risk we will have to change our behavior in light of the fact that we can’t permit data on private citizens or data on national security to go across networks that we don’t have confidence (in),” Pompeo told a news conference after meeting with German Foreign Minister Heiko Maas.

Pompeo also said that the United States' European allies “will take their own sovereign decisions, (but we) will speak to them openly about the risks . . . and in the case of Huawei the concern is it is not possible to mitigate those anywhere inside of a 5G network,” Reuters reported.


Cybersecurity news from the public sector:

Arrest of Los Alamos scientist opens new front in crackdown on Chinese infiltration of U.S. labs (Yahoo News)

DHS Needs to Set Guardrails for Its Expanded Insider Threat Program (Nextgov)

Alleged LinkedIn hacker Yevgeniy Nikulin will stand trial in U.S. court, despite mental illness symptoms (CyberScoop)

Prosecutor downplays email tracking in Navy SEAL murder case (Julie Watson and Brian Melley | AP)

Manning renews effort to be released from Virginia jail (Associated Press)


Reuters reporter Joseph Menn’s book "Cult of the Dead Cow" — focused on one of the earliest hacking collectives, which counted a teenage Beto O’Rourke among its members — will be coming out this week. Check out this excerpt courtesy of Wired, focused on the early cybersecurity firm @Stake, whose employees included many of today’s top cybersecurity researchers and executives.

More cybersecurity news from the private sector:

Huawei’s Main Chip Maker Faces Long-Term Risks From U.S. Ban (Wall Street Journal)

Facebook Loses Appeal to Stall EU Data Transfer Battle (Bloomberg Law)

Hackers Baselessly Blame Women and ‘SJWs’ for the End of DerbyCon Security Conference (Vice)

Eurofins Scientific detects ransomware in some of its IT systems (Reuters)

Another fast-food hack, this time at Checkers and Rally's restaurants (CyberScoop)

Microsoft warns users to patch as exploits for ‘wormable’ BlueKeep bug appear (TechCrunch)

The Tricky Shenanigans Behind a Stealthy Apple Keychain Attack (Wired)


Cybersecurity news from abroad:

China to establish 'unreliable entity list' of foreign companies (The Hill)

Hackers take down Iranian social security website (Associated Press)

Tech giants say UK spy agency’s encryption proposal is threat to security and human rights (Cyberscoop)

The African Union is doubling down on deepening its relationship with Huawei (Quartz)