Written by Shannon Vavra
A second lawmaker from Maryland now says it doesn’t appear that the ransomware attack in Baltimore relied on a stolen National Security Agency exploit, EternalBlue.
“It’s the federal government’s view that EternalBlue was not involved in the ransomware attack in Baltimore City,” Democratic Sen. Chris Van Hollen told CyberScoop on Monday following a briefing on Capitol Hill from NSA officials.
The briefing was organized following requests from officials who sought details on whether the government’s own exploit, which was exposed in a 2017 leak from the NSA, had been used in an attack that hobbled Baltimore for weeks. The New York Times reported May 25 that EternalBlue was used to spread the ransomware, known as RobbinHood, across networks in Baltimore and in several other American cities.
Van Hollen joined Democratic Rep. Dutch Ruppersberger in his assessment, which was based on a separate briefing from the NSA last week, that the government has determined EternalBlue was not leveraged in the attack.
Ruppersberger’s statement after his briefing with the NSA last week was less definitive; he said he was told “there is no evidence” that EternalBlue played a role in the attack, leaving room for the possibility the exploit played a role.
Baltimore for nearly a month has struggled to regain access to all its systems and restore functionality following a ransomware attack that officials say will cost the city at least $18 million. The unknown attackers encrypted thousands of computers, disrupting real estate sales, shutting down city email, water bills, health alerts and other key services.
People directly involved in the investigation into the ransomware attack had said EternalBlue was used to move across the city’s networks, the Times reported Friday.
But the evidence — or lack thereof — against EternalBlue’s use in the ransomware attack in Baltimore is piling up.
A malware analyst who obtained a sample that he has confirmed was connected to the Baltimore ransomware attack, Joe Stewart, told security journalist Brian Krebs the malware used in the RobbinHood attack did not contain EternalBlue exploit code.
“It doesn’t even have any means of spreading across networks on its own,” said Stewart, who is now consulting with the security firm Armor.
Stewart also assesses that the hackers behind the Baltimore attack launched the attack in order to promote selling RobbinHood in a ransomware-as-a-service scheme. Stewart links his assessments to a now-suspended Twitter account that appears to have been tweeting stolen documents from Baltimore.
It remains possible that EternalBlue was used to spread RobbinHood, according to Stewart, although he told Krebs this is not likely.
RobbinHood has never before used EternalBlue, which means this could just be the first instance they have been used in conjunction, security researchers have told CyberScoop.
The NSA has weighed in publicly, too. A senior cyber advisor to the NSA director, Rob Joyce, told a cybersecurity conference last week there is no “indefensible” nation-state-built tool being used to spread ransomware.
It is not clear if the NSA is basing its findings or its briefings for lawmakers on its own knowledge of the attack, or information from the ongoing Federal Bureau of Investigation’s probe into the attack.
“Different federal agencies have been investigating what happened. And the current conclusion of those federal agencies is that EternalBlue was not involved in the ransomware attack in Baltimore City,” Van Hollen said when asked if the briefing was based on the FBI investigation’s current findings.
The NSA would not comment on the contents of the briefing due to the sensitive nature of the material presented, but confirmed it had briefed lawmakers on Capitol Hill Monday.
Better preparation and mitigation
Security practitioners have suggested the Baltimore ransomware attack speaks to the broader issue of preparation and mitigation, regardless of whether EternalBlue was used. Van Hollen said he thinks there needs to be more collaboration between the Department of Homeland Security, which can offer cybersecurity expertise and support to critical infrastructure, and Baltimore City.
Microsoft released a patch for EternalBlue two years ago and IT officials in Baltimore warned years ago the city was “a natural target for hackers and a path for more attacks in the system.”
“My view is that the city should engage the Department of Homeland Security more fully to address the [attack], to sort of patch the vulnerabilities going forward, that they be sure to engage [DHS],” Van Hollen said.
Van Hollen told CyberScoop he intends to nudge DHS and the city to work together better moving forward, since his impression is that “the city has not yet gotten really engaged.”
“I’m going to be reaching out to the DHS to make sure that they connect with the city of Baltimore,” he said.
But mitigating ransomware attacks may not be enough moving forward. Preventative action is needed, according to Joyce and Van Hollen. Joyce put the onus on city administrators.
“Network administrators are responsible for ensuring that system patches are up-to-date,” Joyce said last week.
Van Hollen said he thinks the government needs to help cities across the country strengthen their systems to avoid attacks like the one in Baltimore moving forward.
“My view is the federal government should be involved in cities to help strengthen their systems to avoid this kind of attack,” Van Hollen said. “That’s where they should be: preventative.”
Representatives from DHS and Baltimore City did not immediately return requests for comment.