US security officials meet to discuss global cyberattack using leaked NSA tools

Leaked NSA tools were used in cyberattack targeting companies around the world.

By ABC News
May 12, 2017, 6:08 PM

Senior U.S. intelligence officials from various government agencies met late today to see what, if anything, they could do to stop the sophisticated global cyberattack using leaked NSA tools that is spreading across the globe, a senior U.S. official tells ABC News.

According to several cybersecurity experts, the unidentified attackers targeted networks all over the world, including one major U.S. company, exploiting a vulnerability in Microsoft Windows that was identified by the U.S. National Security Agency (NSA) and leaked to the public by the hacker group The Shadow Brokers in April.

Microsoft released a patch to address the vulnerability, but networks that did not adopt it would have remained vulnerable. In a statement, the tech company said that users who are running its free antivirus software or have Windows updates enabled are protected. Microsoft said it is also working with customers to provide additional assistance.

"Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful," Microsoft said in its statement. "Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers."

The Department of Homeland Security said in a press release Friday that it is aware of the global cyberattack.

“This appears to be the first incidence of the use of an NSA exploit in a broad and far reaching cybercriminal campaign,” John Bambenek of Fidelis Cybersecurity said.

According to Ryan Kalember, senior Vice President of cyber security strategy at the cybersecurity firm Proofpoint, a “ransomware worm” using the essentially unaltered NSA code is spreading across government and corporate networks in at least 74 countries, with European and Asian countries among the hardest hit. Russia, he said, was particularly vulnerable because many of its networks use older versions of Microsoft Windows.

“This is depressing as a cybersecurity expert,” Kalember said. “The patch has existed since the vulnerability was made public, so if people were applying it, this never had to happen.”

One U.S. senior official said “American companies may fare better than those overseas because they are better at cyber hygiene.” In many cases, the official said, the attacks have been successful because they are against pirated or unauthorized copies of Microsoft Windows, which cannot be easily patched to fix the vulnerability.

PHOTO: This is a screengrab taken from the website of the East and North Hertfordshire NHS trust as Britain's National Health Service is investigating "an issue with IT," May 12, 2017.

Kalember says the attack is spreading rapidly, making it difficult to identify “patient zero” and attribute the attack to a particular hacker group.

Tyler Wood, a former top cybersecurity official who now works for a major telecommunications firm, told ABC News the forensic work to identify the perpetrators may take some time, and it could be a private attacker or a state.

FedEx appears to be the first U.S.-based target, though Kalember said he is aware of others who have not spoken publicly. A spokesperson for FedEx confirmed to ABC News that the company is among the victims of the ransomware attacks.

“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” said a spokesperson in a statement. “We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.”

Some of the first reports emerged from England, where hospitals across the country were hit by ransomware attacks, in which hackers infect computers with malicious software and demand ransoms to restore access, according to the National Health Service (NHS).

As of this afternoon, 16 facilities with the NHS, which is the publicly funded health care system for England, had reported that they were affected by what appeared to be a large-scale cyberattack.

"The investigation is at an early stage but we believe the malware variant is Wanna Decryptor," NHS Digital, the body of the Department of Health that uses information and technology to support the health care system, said in a statement.

The attack has locked computers and blocked access to patient files. But there's no evidence so far that patient data has been accessed, NHS Digital said.

Chris Camacho, chief strategy officer at the cybersecurity firm Flashpoint, said healthcare companies are particularly ripe for this kind of exploitation because patient records are so critical to care.

“There’s nothing you can do but pay once you’re hit,” Camacho said. “If you need that data back, you’re going to pay.”

Following the leak of NSA tools, Bambenek told ABC News that he had conversations with high-ranking U.S. national security officials in which he urged them to share information with private vendors so that they could develop countermeasures because the NSA had “lost control of its own weapons.”

“That did not progress rapidly enough, and here we are today,” Bambenek said. “The NSA can have very smart people finding these vulnerabilities, but not very smart people can start using them to very devastating effect.”

ABC News' Julia Jacobo contributed to this report.