NotPetya developers obtained NSA exploits weeks before their public leak – Ars Technica
Enlarge / A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers.
The people behind Tuesday's massive malware outbreak had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to evidence unearthed by researchers from antivirus F-Secure.
On Thursday, F-Secure researchers said they have evidence that the still-unknown developers of Tuesday's NotPetya malware had access to EternalBlue and EternalRomance as early as February, when they finished work on the malware component that used the stolen NSA exploits. The timeline is all the more significant considering the quality of the component, which proved surprisingly adept in spreading the malware from computer to computer inside infected networks. The elegance lay in the way the component combined the NSA exploits with three off-the-shelf tools including Mimikatz, PSExec, and WMIC. The result: NotPetya could infect both patched and unpatched computers quickly. Code that complex and effective likely required weeks of development and testing prior to completion.
"February is many weeks before the exploits EternalBlue and EternalRomance (both of which this module utilizes) were released to the public (in April) by the Shadow Brokers," F-Secure researcher Andy Patel wrote in a blog post. "And those exploits fit this component like a glove."
Whereas the two other main components of NotPetyaan encryption component and a component for attacking a computer's master boot recordwere "pretty shoddy and seem kinda cobbled together," Patel said the spreading component seems "very sophisticated and well-tested." For developers to finish work on the spreader by February, they clearly had the NSA exploits in hand by then. By contrast, Patel added:
WannaCry clearly picked [the NSA] exploits up after the Shadow Brokers dumped them into the public domain in April. Also WannaCry didn't do the best job at implementing these exploits correctly.
By comparison, this "Petya" looks well-implemented, and seems to have seen plenty of testing. It's fully-baked.
The weeks leading up to February's completion of the NotPetya spreader was a particularly critical time for computer security. A month earlier, the Shadow Brokers advertised an auction that revealed some of the names of the exploits they had, including EternalBlue. NSA officials responded by warning Microsoft of the theft so that the company could patch the underlying vulnerabilities. In February, Microsoft abruptly canceled that month's Patch Tuesday. The unprecedented move was all the more odd because exploit code for an unpatched Windows 10 flaw was already in the wild and Microsoft gave no explanation for the cancellation.
"Meanwhile, 'friends of the Shadow Brokers' were busy finishing up development of a rather nifty network propagation component, utilizing these exploits," Patel wrote.
When Patch Tuesday resumed in March, Microsoft released a critical security update that fixed EternalBlue. As the WCry outbreak would later demonstrate, large numbers of computersmainly running Windows 7failed to install the updates, allowing the worm to spread widely.
If the timeline is correct, it would mean the NotPetya developers had some sort of tie to the Shadow Brokers, possibly as customers, colleagues, acquaintances, or friends. It would also make NotPetya the first piece of in-the-wild malware that had known early access to the NSA exploits. Patel didn't say how the NotPetya developers got hold of EternalBlue and EternalRomance prior to their public release in April.
Early speculation was that Shadow Brokers members acquired a small number of hacking tools that NSA personnel stored on one or more staging servers used to carry out operations. The volume and sensitivity of the exploits and documents released over the next several months slowly painted a much grimmer picture. It's now clear that the group has capitalized on what is likely the worst breach in NSA history. There's no indication the agency has identified how it lost control of such a large collection of advanced tools or that it knows much at all about the Shadow Brokers' membership. The group, meanwhile, continues to publish blog posts written in deliberately broken English, with the most recent one on Wednesday.
The F-Secure evidence adds a new unsettling entry on the Shadow Brokers' resume. The world already knew the group presided over a breach of unprecedented scope and leaked exploits to the world. Now, we know it also provided crucial private assistance in developing one of the most virulent worms in recent memory.
Go here to read the rest:
NotPetya developers obtained NSA exploits weeks before their public leak - Ars Technica
- McConnell calls out Trump for hiring amateur isolationists at Pentagon, firing NSA director - The Hill - April 8th, 2025 [April 8th, 2025]
- Trumps firing of NSA chief is rolling out the red carpet for cyber attacks - Politico - April 8th, 2025 [April 8th, 2025]
- A conspiracy theorist convinced Trump to fire the NSA director - Vox - April 8th, 2025 [April 8th, 2025]
- William Hartman Named Acting NSA Director Following Dismissal of Top Officials - ExecutiveGov - April 8th, 2025 [April 8th, 2025]
- NSA and partners Issue Guidance on Fast Flux as a National Security Threat - National Security Agency (NSA) (.gov) - April 8th, 2025 [April 8th, 2025]
- Security News This Week: NSA Chief Ousted Amid Trump Loyalty Firing Spree - WIRED - April 8th, 2025 [April 8th, 2025]
- Head of NSA and US Cyber Command reportedly fired - Cybersecurity Dive - April 8th, 2025 [April 8th, 2025]
- Trump fires Gen. Timothy Haugh from leadership of Cyber Command and NSA - DefenseScoop - April 8th, 2025 [April 8th, 2025]
- Gen. Timothy Haugh, head of NSA and Cyber Command, is fired - CBS News - April 8th, 2025 [April 8th, 2025]
- Trump's mixed tariff messaging and NSA director and deputy fired: Morning Rundown - NBC News - April 8th, 2025 [April 8th, 2025]
- NSA Director and Deputy Reportedly Dismissed: What We Know - Newsweek - April 8th, 2025 [April 8th, 2025]
- Haugh fired from leadership of NSA, Cyber Command - The Record from Recorded Future News - April 8th, 2025 [April 8th, 2025]
- Trump administration fires head of NSA and U.S. Cyber Command, along with other top officials - CBS News - April 8th, 2025 [April 8th, 2025]
- US Cyber Command, NSA Chief Gen. Timothy Haugh ousted by Trump admin - Breaking Defense - April 8th, 2025 [April 8th, 2025]
- Face the Facts: Rep. Himes talks about firing of two top NSA officials - NBC Connecticut - April 8th, 2025 [April 8th, 2025]
- NSA Issues Advisory on Fast Flux Cyberthreat - ExecutiveGov - April 8th, 2025 [April 8th, 2025]
- Loomer, far-right activist, urged Trump to remove NSA director and others: Sources - ABC News - April 8th, 2025 [April 8th, 2025]
- The NSA Sounds Security Alarm For Billions Of iPhone And Android Phones - HotHardware - April 8th, 2025 [April 8th, 2025]
- NSA director fired after Trumps meeting with right-wing influencer Laura Loomer - The Verge - April 8th, 2025 [April 8th, 2025]
- Trump fires head of NSA and Cyber Command - Nextgov - April 8th, 2025 [April 8th, 2025]
- What are the national security concerns of Trump firing the NSA, Cyber Command head? - CBS News - April 8th, 2025 [April 8th, 2025]
- Who is Timothy Haugh? The NSA chief fired amid cyber security concerns - Times of India - April 8th, 2025 [April 8th, 2025]
- NSA, CISA, FBI, and International Partners Release Cybersecurity Advisory on Fast Flux, a National Security Threat - Hstoday - April 8th, 2025 [April 8th, 2025]
- Senator King Responds to Reported Firing of NSA Director General Timothy Haugh - WAGM - April 8th, 2025 [April 8th, 2025]
- NSA warned of vulnerabilities in Signal app a month before Houthi strike chat - CBS News - March 26th, 2025 [March 26th, 2025]
- Trump said poised to fire NSA Mike Waltz for including journalist in top secret war chat - The Times of Israel - March 26th, 2025 [March 26th, 2025]
- Not the last Waltz: Trump defends NSA after security breach - The Times of India - March 26th, 2025 [March 26th, 2025]
- NSA warned about vulnerabilities in Signal prior to White House group chat fiasco - SiliconANGLE News - March 26th, 2025 [March 26th, 2025]
- NSA warned the Signal app was vulnerable last month - WTIC - March 26th, 2025 [March 26th, 2025]
- Codebreakers and Covert Agents: The Women Behind the NSA and CIA heads to Illinois State Museum - WAND - March 26th, 2025 [March 26th, 2025]
- NSA warned about using Signal a month before leak of Houthi strike chat - CBS News - March 26th, 2025 [March 26th, 2025]
- 'Putin is giddy': NSA knew Signal was vulnerable to Russian hackers before security breach - AlterNet - March 26th, 2025 [March 26th, 2025]
- RAW: NSA MIKE WALTZ EXPECTED TO VISIT GREENLAND - Local 3 News - March 26th, 2025 [March 26th, 2025]
- US NSA likely to visit India in third week of April - Hindustan Times - March 26th, 2025 [March 26th, 2025]
- Statement from Secretary Rubio and NSA Waltz on Call with Zelenskyy - Department of State - March 22nd, 2025 [March 22nd, 2025]
- Europe must invest more in defence amid global shifts: Greeces NSA Ntokos - Firstpost - March 22nd, 2025 [March 22nd, 2025]
- NSA Bahrain, NAVCENT Hold First-of-its-Kind Exercise Vigilant Resolve - navy.mil - March 22nd, 2025 [March 22nd, 2025]
- Former NSA boss Osei Assibey Antwi picked up by NIB - GhanaWeb - March 22nd, 2025 [March 22nd, 2025]
- WHAT THE TECH? NSA recommending weekly smartphone restarts & how it improves performance - Local 3 News - March 9th, 2025 [March 9th, 2025]
- Ex-NSA cyber chief warns of devastating impact of potential DOGE-inspired firings - Breaking Defense - March 9th, 2025 [March 9th, 2025]
- Former top NSA cyber official: Probationary firings devastating to cyber, national security - CyberScoop - March 9th, 2025 [March 9th, 2025]
- Prime Targets Martha Plimpton On Her NSA Character & Why This Political Thriller Works: Never Trust People In Charge - Deadline - March 9th, 2025 [March 9th, 2025]
- Former NSA Dep. Director, Gifty Oware-Mensah will see NIB over 80k ghost names allegations - GhanaWeb - March 5th, 2025 [March 5th, 2025]
- Zelensky is not ready for peace talks, US NSA says - Mehr News Agency - English Version - March 3rd, 2025 [March 3rd, 2025]
- More Than 100 Intelligence Staffers Will Be Fired Over Sexually Explicit Texts In NSA Chatrooms, Gabbard Says - Forbes - March 1st, 2025 [March 1st, 2025]
- NSA says it is investigating potential misuse of chat platform - The Record from Recorded Future News - March 1st, 2025 [March 1st, 2025]
- 100-plus spies fired after NSA internal chat board used for kinky sex talk - The Register - March 1st, 2025 [March 1st, 2025]
- Tulsi Gabbard says more than 100 intelligence officers will be fired for sexually explicit NSA chat messages - CNN - March 1st, 2025 [March 1st, 2025]
- Elon Asked What Government Workers Did. The NSA Overshared - Schiff Sovereign - March 1st, 2025 [March 1st, 2025]
- Tulsi Gabbard Fires 100 Intelligence Officers for Sex Chats on NSA-Hosted Tool - The Daily Beast - March 1st, 2025 [March 1st, 2025]
- Elon Musk reacts to leaked chat alleging NSA, CIA officials discussed raising intersex babies as non-bina - The Times of India - March 1st, 2025 [March 1st, 2025]
- What NSA, DIA agents said about Libs of TikTok, Ben Shapiro in leaked messages - The Times of India - March 1st, 2025 [March 1st, 2025]
- NSA staff accused of lurid sex chats at work they were just discussing LGBTQ+ issues - PinkNews - March 1st, 2025 [March 1st, 2025]
- Sen. Tom Cotton reacts to lewd NSA chats: 'We don't want these people anywhere near classified information' - Fox News - March 1st, 2025 [March 1st, 2025]
- At least 100 NSA staffers to be fired for explicit chats during work hours - WDRB - March 1st, 2025 [March 1st, 2025]
- Gifty Oware-Mensah on the run as NIB investigates NSA scandal - GhanaWeb - February 25th, 2025 [February 25th, 2025]
- Former NSA, Cyber Command chief Paul Nakasone says U.S. falling behind its enemies in cyberspace - CyberScoop - February 25th, 2025 [February 25th, 2025]
- NSA emphasizes strong defensive posture as it responds to report it hacked China - Washington Times - February 25th, 2025 [February 25th, 2025]
- How the NSA Head of Accounts was undermined by his deputy for eight months after appointment - GhanaWeb - February 25th, 2025 [February 25th, 2025]
- What Is Proteus in Zero Day? How the NSA Weapon Changes Everything - Collider - February 25th, 2025 [February 25th, 2025]
- 'Zelenskyy will sign the minerals deal, no matter': US NSA Mike Waltz on Trump's Ukraine plan - The Economic Times - February 25th, 2025 [February 25th, 2025]
- EXCLUSIVE: Clearcover launches Illinois-based reciprocal exchange to jumpstart entry into NSA - Re-Insurance.com - February 12th, 2025 [February 12th, 2025]
- Chief of Naval Operations Visits NSA Crane, Purdue University [Image 18 of 25] - DVIDS - February 12th, 2025 [February 12th, 2025]
- Liminal Health Launches NSA ClearPath: Revolutionizing Reimbursement for Out-of-Network Providers - PR Newswire - February 12th, 2025 [February 12th, 2025]
- Elon Musks D.O.G.E is giving the CIA and NSA nightmares now - MSN - February 12th, 2025 [February 12th, 2025]
- NSA Ajit Doval likely to visit US along with PM Modi - The Economic Times - February 12th, 2025 [February 12th, 2025]
- The NSA says do these 5 things with your phone right now - Fox News - January 30th, 2025 [January 30th, 2025]
- NSA: Iraqi territory will not be used to attack neighboring countries Iraqi News Agency - ina.iq - January 30th, 2025 [January 30th, 2025]
- NDC is not here to witch-hunt - Opare Addo to NSA staff - GhanaWeb - January 30th, 2025 [January 30th, 2025]
- NSA Warns iPhone And Android UsersDisable Location Tracking - Forbes - January 19th, 2025 [January 19th, 2025]
- Trumps incoming NSA: Hamas must have no role in governing Gaza - JNS.org - January 19th, 2025 [January 19th, 2025]
- Trump NSA Disputes Report That Neocons Are Influencing MAGA Staffing - RealClearDefense - January 19th, 2025 [January 19th, 2025]
- US NSA lauds Ajit Doval for pivoting ties to advanced future tech - The Times of India - January 9th, 2025 [January 9th, 2025]
- Auto insurtech Clearcover expands into Texas NSA market with CGA launch - Re-Insurance.com - January 9th, 2025 [January 9th, 2025]
- "Cannot Think Of A Better Way To End My Tenure": US NSA On His India Visit - NDTV - January 9th, 2025 [January 9th, 2025]
- Heightened Security At U.S. Naval Academy And NSA Annapolis: Public Access Suspended Amid Increased Force Protection Measures - Bay Net - January 9th, 2025 [January 9th, 2025]
- From The Seabed To The Stars: 10 Takeaways From U.S. NSA Sullivans Visit - Strategic News Global - January 9th, 2025 [January 9th, 2025]
- NSA Sullivan to visit India to finalise important ongoing initiatives: White House - The Hindu - January 9th, 2025 [January 9th, 2025]
- What NSA Jake Sullivans India Visit Signals For Nuclear And Tech Ties As US Lifts Curbs On Indian Entities - Swarajya - January 9th, 2025 [January 9th, 2025]
- NSA Sullivan arrives today, seeks to strengthen AI, space, tech ties - The Tribune India - January 9th, 2025 [January 9th, 2025]