The unique malware causing the attacks — which been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast — have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the worldwide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company’s networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
The incident is just the latest in a string of eye-opening cyberattacks that have drawn attention to the ease of disrupting — on a global scale — the increasingly-connected world. Last October, digital assailants knocked out major websites like Spotify, Twitter and The New York Times, using an army of internet-connected devices — like cameras and baby monitors — to overrun a key internet routing company with fake traffic.
The unprecedented proliferation of the malware has also renewed long-standing criticisms that the NSA shouldn’t be sitting on a stockpile of cyberweapons that exploit what are known as “zero-days” — software flaws the manufacturer has yet to discover. Friday’s attacks could have been avoided if the NSA had simply told Microsoft about the flaw earlier, digital privacy activists argued.
Regardless, cyber specialists and lawmakers agreed that Friday was “a watershed moment” for cybersecurity, as Sen. Ben Sasse (R-Neb.) put it in a statement.
“This is big: around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people’s data is potentially exposed,” Sasse said. “Cybersecurity isn’t a hypothetical problem — today shows it can be life or death.”
Friday’s string of ransomware attacks appears to have started in the United Kingdom, Spain and the rest of Europe, before quickly hopping to the U.S., Japan, Vietnam and the Philippines, according to reports.
Some of the U.K.’s biggest hospitals and medical practices were hit by the infections, forcing vital services to be shut down. According to a British health reporter, at least two London hospitals had to stop admitting new patients with serious medical conditions because they couldn’t access patient files.
In Spain, the telecom giant Telefonica said it detected the attack on some company machines. The BBC said Spanish power companies Iberdrola and Gas Natural were also affected.
U.S.-based companies were quickly swept up by the expanding digital siege. The Tennessee-based shipping company FedEx told POLITICO it was “experiencing interference” as a result of the malware.
But the overwhelming majority of the infections are in Russia, security firm Kaspersky Labs said in a blog post.
And the ransomware hit about 1,000 computers at the Russian Interior Ministry, though the agency’s servers were not affected, according to a spokeswoman.
According to European officials in several countries, these companies are being hit by a modified version of what’s known as the WannaCry toolkit. The mysterious group ShadowBrokers dumped the toolkit online in April, which was just the latest in a string of releases of what they claim are NSA-built hacking tools. Experts say the leaked software appears to be legitimate.
The Shadow Brokers burst onto the scene at the height of last year’s contentious presidential election. The group’s dump of seemingly legitimate NSA spying tools set off alarm bells inside the intelligence community that the NSA may have been the victim of a disturbing hack or another devastating leak of classified information. Just three years earlier, ex-NSA contractor Edward Snowden had exposed many of the secretive agency’s surveillance programs.
Some even speculated that the Shadow Brokers group was a Russian front, and that the dump might be a warning to the Obama administration, which was contemplating at the time whether to publicly blame Moscow for the hacks that felled the Democratic Party and Hillary Clinton’s campaign during the 2016 election season.
So far there has been no public evidence linking the Shadow Brokers to Moscow.
Authorities were also investigating whether the group had somehow obtained its secret cache from another NSA contractor, Hal Martin, who was arrested in August for pilfering classified materials from the government for years, allegedly compiling mountains of sensitive information at his home.
Friday’s rapidly expanding virus is easily the largest incident to date of the leaked NSA tools being repurposed by criminal hackers.
The leaked hacking tool exposed a method of spreading malware across computers in a network using a flaw in Windows. Once a computer is infected with the ransomware, if that machine has not been patched, the infection can jump to other machines.
That’s how Friday’s attack spread so swiftly and unexpectedly, cyber experts said.
“We’ve not seen a large-scale ransomware campaign that uses self-propagating technique at this scale before, which makes it really unique,” said Adam Meyers, vice president of intelligence at cyber firm CrowdStrike.
Experts stressed the severity of the crippling ransomware attacks and warned that it likely would continue to expand throughout the U.S. Although Microsoft released a security update in March to fix the flaw that hackers are currently exploiting, it’s likely that many companies have not patched their networks, experts said.
“Given the rapid, prolific distribution of this ransomware, we consider this activity poses high risks that all organizations using potentially vulnerable Windows machines should address,” John Miller, manager of threat intelligence at the cybersecurity firm FireEye, said in a statement.
And U.S. hospitals may soon be in the cross-hairs, said Sean Curran, a senior director with West Monroe Partners, a tech consulting firm. Hospitals, he said, are often relatively unprepared for such incidents and often prioritize their limited budgets for patient care.
Digital privacy advocates were quick to blame the NSA for the incident, which will likely restart the debate about what the spy agency should do when it discovers “zero-day” software defects.
Kevin Bankston, director of New America’s Open Technology Institute, argued that Congress should hold hearings on spy agencies’ use of code flaws and when they should be required to notify manufacturers.
“If NSA had disclosed rather than stockpiled these [vulnerabilities] when it found them, more hospitals would be safer against this attack,” he tweeted.
The FBI and the White House National Security Council declined to comment. The Department of Homeland Security said it was aware of the reports and “stands ready to support any international or domestic partner’s request for assistance.”
Several cyber threat information sharing centers for a number of U.S. industries — financial services, water, oil and natural gas — did not respond to questions about whether any of their members had reported intrusions. An energy industry group said it had seen no reports of infection in North America.
Arthur Allen, Laurens Cerulus, Helen Collis, Tim Starks and Cory Bennett contributed to this report.