Hackers Likely Stole NSA Research To Conduct Global Ransomware Attack

May 15, 2017
Originally published on May 15, 2017 3:40 pm
Copyright 2017 NPR. To see more, visit


It's been reported that the software behind WannaCry was taken from a secretive group inside the National Security Agency. Now, in a blog post, Microsoft President Brad Smith likened it to the U.S. military's having some of its Tomahawk missiles stolen.

Now, for more on the NSA's role in all this, we've reached Nicholas Weaver, a researcher at Berkeley's International Computer Science Institute. Welcome to the program.

NICHOLAS WEAVER: Thank you very much for having me.

CORNISH: So we should begin by saying the NSA has not come out and said, yes, the tools that led to this massive attack came from our toolbox, right?

WEAVER: Correct. But at the same time, there's basically no doubt that these are the NSA's tools that the bad guys started with because there's this group, The Shadow Brokers, who over the past several months have been releasing multiple sets of NSA tools that all appear legitimate.

CORNISH: So how did these tools make their way online?

WEAVER: We don't know, and that's part of the mystery, as The Shadow Brokers group has the capability to have stolen multiple things from the NSA. And it's willing to not only go public about it but public in a way that the NSA should know how these things got stolen.

CORNISH: To your mind, what responsibility does the government have here to contain this kind of malware?

WEAVER: To be honest, the U.S. government acted exactly the way I think it should. So back in January The Shadow Brokers released a listing of the Windows tools that they had, and this told the NSA that, hey, an adversary has these tools. These vulnerabilities are no longer unique to the NSA. Therefore, somebody, presumably the NSA, went and told Microsoft for inclusion in the February patch. And this ended up being a big enough deal that Microsoft delayed the February patch into March and released it, at which point The Shadow Brokers' tools are useless to anybody who actually updates their system.

CORNISH: So do we know if there are I guess worse or more serious tools that have been taken? I mean is this the end of this?

WEAVER: We don't know because we don't know if they got other things. But at the same time, this probably represented the crown jewels, that the windows attack tools are probably the most important because they affect the most systems. They were the most important for the NSA in terms of being able to gain access to systems that they need for their job. And they represent the biggest widespread vulnerabilities. So I suspect although we may hear more from The Shadow Brokers, we won't see any vulnerabilities on the scale of these Windows exploits again.

CORNISH: Do we know much about who The Shadow Brokers are or the identity of any of the hackers?

WEAVER: We don't. There is a general presumption that it's Russia, which meant the worms attack on the Russian Ministry of Interior is a bit of delicious schadenfreude. But we don't know. We can just presume that somebody who can penetrate the NSA multiple times - well, that's Russia, China, France, Israel - and who'd want to embarrass the NSA and so be willing to do it in such a way that it compromises sources and methods - you're just left with Russia as the most likely suspect. But there's no evidence, just motivation.

CORNISH: What are you going to be looking for the next couple of days? What are you going to be listening for from our own kind of security officials?

WEAVER: I think for us, this particular crisis has passed mostly because they did such a cruddy job of it that it's going to inoculate a lot of systems without providing significant criminal benefit. But long-term, I am really worried about the rise of more self-propagating ransomware when the ransomware is actually done right.

I suspect that this case was actually an accident, that the bad guys were developing the code and accidentally released it early because their payment infrastructure was broken, and they really have no way of actually collecting the money. The next people who do some widespread ransom campaign - they're going to be a lot more successful because among other things, they'll make it a lot easier to pay. And when you pay them, you'll actually be able to get their data back. I think this is going to inspire a lot of copycats that are more competent.

CORNISH: Nicholas Weaver is a researcher at the International Computer Science Institute and lecturer at UC Berkeley. Thank you for speaking with us.

WEAVER: Thank you very much. Transcript provided by NPR, Copyright NPR.