NotPetya developers obtained NSA exploits weeks before their public leak – Ars Technica
Enlarge / A computer screen displaying Eternalromance, one of the hacking tools dumped Friday by Shadow Brokers.
The people behind Tuesday's massive malware outbreak had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to evidence unearthed by researchers from antivirus F-Secure.
On Thursday, F-Secure researchers said they have evidence that the still-unknown developers of Tuesday's NotPetya malware had access to EternalBlue and EternalRomance as early as February, when they finished work on the malware component that used the stolen NSA exploits. The timeline is all the more significant considering the quality of the component, which proved surprisingly adept in spreading the malware from computer to computer inside infected networks. The elegance lay in the way the component combined the NSA exploits with three off-the-shelf tools including Mimikatz, PSExec, and WMIC. The result: NotPetya could infect both patched and unpatched computers quickly. Code that complex and effective likely required weeks of development and testing prior to completion.
"February is many weeks before the exploits EternalBlue and EternalRomance (both of which this module utilizes) were released to the public (in April) by the Shadow Brokers," F-Secure researcher Andy Patel wrote in a blog post. "And those exploits fit this component like a glove."
Whereas the two other main components of NotPetyaan encryption component and a component for attacking a computer's master boot recordwere "pretty shoddy and seem kinda cobbled together," Patel said the spreading component seems "very sophisticated and well-tested." For developers to finish work on the spreader by February, they clearly had the NSA exploits in hand by then. By contrast, Patel added:
WannaCry clearly picked [the NSA] exploits up after the Shadow Brokers dumped them into the public domain in April. Also WannaCry didn't do the best job at implementing these exploits correctly.
By comparison, this "Petya" looks well-implemented, and seems to have seen plenty of testing. It's fully-baked.
The weeks leading up to February's completion of the NotPetya spreader was a particularly critical time for computer security. A month earlier, the Shadow Brokers advertised an auction that revealed some of the names of the exploits they had, including EternalBlue. NSA officials responded by warning Microsoft of the theft so that the company could patch the underlying vulnerabilities. In February, Microsoft abruptly canceled that month's Patch Tuesday. The unprecedented move was all the more odd because exploit code for an unpatched Windows 10 flaw was already in the wild and Microsoft gave no explanation for the cancellation.
"Meanwhile, 'friends of the Shadow Brokers' were busy finishing up development of a rather nifty network propagation component, utilizing these exploits," Patel wrote.
When Patch Tuesday resumed in March, Microsoft released a critical security update that fixed EternalBlue. As the WCry outbreak would later demonstrate, large numbers of computersmainly running Windows 7failed to install the updates, allowing the worm to spread widely.
If the timeline is correct, it would mean the NotPetya developers had some sort of tie to the Shadow Brokers, possibly as customers, colleagues, acquaintances, or friends. It would also make NotPetya the first piece of in-the-wild malware that had known early access to the NSA exploits. Patel didn't say how the NotPetya developers got hold of EternalBlue and EternalRomance prior to their public release in April.
Early speculation was that Shadow Brokers members acquired a small number of hacking tools that NSA personnel stored on one or more staging servers used to carry out operations. The volume and sensitivity of the exploits and documents released over the next several months slowly painted a much grimmer picture. It's now clear that the group has capitalized on what is likely the worst breach in NSA history. There's no indication the agency has identified how it lost control of such a large collection of advanced tools or that it knows much at all about the Shadow Brokers' membership. The group, meanwhile, continues to publish blog posts written in deliberately broken English, with the most recent one on Wednesday.
The F-Secure evidence adds a new unsettling entry on the Shadow Brokers' resume. The world already knew the group presided over a breach of unprecedented scope and leaked exploits to the world. Now, we know it also provided crucial private assistance in developing one of the most virulent worms in recent memory.
Go here to read the rest:
NotPetya developers obtained NSA exploits weeks before their public leak - Ars Technica
- Army general tapped to lead NSA vows to follow the law if confirmed - Military Times - February 1st, 2026 [February 1st, 2026]
- Overturned tractor-trailer shuts portion of Route 32 near NSA - WBAL-TV - February 1st, 2026 [February 1st, 2026]
- Nominee to lead NSA backs controversial spying law - Defense One - February 1st, 2026 [February 1st, 2026]
- NSA pick champions foreign spying law as nomination advances - The Record from Recorded Future News - February 1st, 2026 [February 1st, 2026]
- NSA Releases Phase One and Phase Two of the Zero Trust Implementation Guidelines - National Security Agency (.gov) - February 1st, 2026 [February 1st, 2026]
- Army General Tapped to Lead NSA Said He Doesnt Know Much About the Biggest NSA Controversy - The Intercept - February 1st, 2026 [February 1st, 2026]
- Trump's pick to lead the NSA vows to follow the law if confirmed - ABC News - February 1st, 2026 [February 1st, 2026]
- Trump's pick to lead the NSA vows to follow the law if confirmed - Oskaloosa Herald - February 1st, 2026 [February 1st, 2026]
- Trump's pick to lead the NSA vows to follow the law if confirmed - The Derrick - February 1st, 2026 [February 1st, 2026]
- Overturned tractor-trailer shuts westbound Maryland Route 32 near NSA exit, police say - WBAL News Radio - February 1st, 2026 [February 1st, 2026]
- SC to hear plea against Sonam Wangchuks NSA detention on February 2 - The New Indian Express - February 1st, 2026 [February 1st, 2026]
- Powys sheep sector to hear from Llyr Gruffydd at NSA meeting - County Times - February 1st, 2026 [February 1st, 2026]
- NSA calls for consultation on castration and tail docking to involve sheep farmers - cravenherald.co.uk - January 24th, 2026 [January 24th, 2026]
- NSA launches 13th annual survey for insight into cases of sheep worrying by dogs - Yahoo News UK - January 24th, 2026 [January 24th, 2026]
- NSA Ajit Doval says he doesn't use phone or internet. Here's why - MSN - January 14th, 2026 [January 14th, 2026]
- NSA Ajit Doval says he doesnt use phone or internet; shares views on Indias future and youth - WION - January 11th, 2026 [January 11th, 2026]
- Liberia: NSA Director's Special Assistant Suspended Amid Alleged Gang Sodomy of 15-Year-Old; Authorities Remain Silent - FrontPageAfrica - January 11th, 2026 [January 11th, 2026]
- 'Wars happen because some countries want to impose their will on others': NSA Ajit Doval - Deccan Herald - January 11th, 2026 [January 11th, 2026]
- We have to avenge our history: NSA Ajit Doval urges youth to make India great in every aspect - The Indian Express - January 11th, 2026 [January 11th, 2026]
- CISA, NSA, and Canadian Cyber Centre update Brickstorm analysis with new Rust-based variants - Industrial Cyber - January 11th, 2026 [January 11th, 2026]
- ROVER communication terminals approved for international use by NSA - Military Embedded Systems - January 9th, 2026 [January 9th, 2026]
- L3Harris ROVER and TNR systems gain NSA approval enabling secure coalition interoperability - Defence Industry Europe - January 9th, 2026 [January 9th, 2026]
- Former NSA insider Kosiba brought back as spy agencys No. 2 - The Record from Recorded Future News - January 9th, 2026 [January 9th, 2026]
- Trumps tariff threat to India self-inflicted wound: Former US NSA John Bolton - The Indian EYE - January 9th, 2026 [January 9th, 2026]
- NSA Scotland demands support for sheep farmers ahead of Holyrood elections - Farmers Guardian - January 9th, 2026 [January 9th, 2026]
- Announcing tariffs for purchasing Russian oil unfortunate: Former US NSA backs closer relationship with India - Punjab News Express - January 9th, 2026 [January 9th, 2026]
- NSA Ajit Doval likely to be part of Indian delegation at WEF in Davos - The New Indian Express - January 9th, 2026 [January 9th, 2026]
- "A lot of hot air": Former NSA John Bolton on Trump's remarks on possible action beyond Venezuela - ANI News - January 9th, 2026 [January 9th, 2026]
- NSA employee sues Trump administration over order on transgender rights and two 'immutable' genders - Yahoo - December 22nd, 2025 [December 22nd, 2025]
- NSA employee sues the Trump administration over transgender rights and 'immutable' genders - AP News - December 22nd, 2025 [December 22nd, 2025]
- Senior official at Indo-Pacific Command is set to be Trumps pick to lead Cyber Command, NSA - The Record from Recorded Future News - December 22nd, 2025 [December 22nd, 2025]
- NSA employee sues the Trump administration over transgender rights and 'immutable' genders - Temple Daily Telegram - December 22nd, 2025 [December 22nd, 2025]
- Potential NSA, Cyber Command leader nomination transmitted to Senate - Nextgov/FCW - December 22nd, 2025 [December 22nd, 2025]
- After Eight Months, White House Names Nominee To Head NSA And CYBERCOM - Defense Daily - December 22nd, 2025 [December 22nd, 2025]
- Fubara Hosts NSA, Says Tinubu Happy With Rivers Governor - TVC News - December 22nd, 2025 [December 22nd, 2025]
- CISA, NSA warn of Chinas BRICKSTORM malware after incident response efforts - The Record from Recorded Future News - December 10th, 2025 [December 10th, 2025]
- CISA and NSA Warn of BRICKSTORM Malware Attacking VMware ESXi and Windows Environments - CybersecurityNews - December 10th, 2025 [December 10th, 2025]
- NSA, CISA, and Others Release Guidance on Integrating AI in Operational Technology - National Security Agency (.gov) - December 4th, 2025 [December 4th, 2025]
- NSA has met 2,000-person workforce reduction goal, people familiar say - Nextgov/FCW - December 4th, 2025 [December 4th, 2025]
- NSA Doval, Thai Foreign Minister Phuangketkeow discuss maritime security, threats of online scams - The Indian EYE - December 4th, 2025 [December 4th, 2025]
- NSA Doval, Thai FM discuss maritime security, threats of online scams - Awaz The Voice - December 4th, 2025 [December 4th, 2025]
- All-clear issued about 2 hours after NSA Naples schools evacuated over potential threat - Stars and Stripes - November 18th, 2025 [November 18th, 2025]
- 'Dhurandhar': R Madhavan reveals Aditya Dhar's little trick that perfected his NSA-inspired look for the - The Times of India - November 18th, 2025 [November 18th, 2025]
- Army officer with Indo-Pacific experience emerges as potential Cyber Command, NSA pick - The Record from Recorded Future News - November 18th, 2025 [November 18th, 2025]
- NSA Dr Rahman to attend Security Conclave in New Delhi - United News of Bangladesh - November 18th, 2025 [November 18th, 2025]
- Man claims NSA told him to shatter glass at AT&T building with hatchet, Nashville police say - WSMV - November 18th, 2025 [November 18th, 2025]
- How the heartbreaking lack of a confirmed leader is impacting CYBERCOM and NSA - Breaking Defense - November 7th, 2025 [November 7th, 2025]
- Goa invokes NSA for three months to tackle anti-socials - The Times of India - November 7th, 2025 [November 7th, 2025]
- CISA, NSA and other unveil security blueprint to harden Microsoft Exchange servers - Homeland Preparedness News - November 7th, 2025 [November 7th, 2025]
- NSA Shares Q3 Revenue Results Below Expectations - GuruFocus - November 7th, 2025 [November 7th, 2025]
- Filipinos aware of civilian supremacy over military NSA Ao - Philippine News Agency - October 28th, 2025 [October 28th, 2025]
- Sonam Wangchuk says his words were twisted to justify his NSA detention - The Statesman - October 26th, 2025 [October 26th, 2025]
- Nokia and stc pioneer the first commercial 5G NSA Cloud RAN deployment in the MEA region - ZAWYA - October 26th, 2025 [October 26th, 2025]
- China accuses NSA of multi-year hack targeting its national time systems - Nextgov/FCW - October 23rd, 2025 [October 23rd, 2025]
- Cybersecurity News: AWS outage, NSA hacking accusations, High risk WhatsApp automation - CISO Series - October 23rd, 2025 [October 23rd, 2025]
- Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials - Homeland Security Today - October 23rd, 2025 [October 23rd, 2025]
- AWS outage, NSA hacking accusations, High risk WhatsApp automation - LinkedIn - October 23rd, 2025 [October 23rd, 2025]
- Palestinian President Mahmoud Abbas: No Concessions Were Made In The Oslo Accords 1.85 Million Palestinians Returned To Their Homeland;... - October 23rd, 2025 [October 23rd, 2025]
- NSA to partner JKG to drive sports technology through Artificial Intelligence - GhanaWeb - October 23rd, 2025 [October 23rd, 2025]
- China claims NSA hacked its national timing systems using 42 "special cyber weapons" - TechSpot - October 23rd, 2025 [October 23rd, 2025]
- US NSA alleged to have launched a cyber attack on a Chinese agency - csoonline.com - October 21st, 2025 [October 21st, 2025]
- Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials - 404 Media - October 21st, 2025 [October 21st, 2025]
- China says it has foiled a series U.S. cyberattacks on its critical infrastructure Ministry of State Security says it has 'irrefutable evidence' NSA... - October 21st, 2025 [October 21st, 2025]
- China claims the NSA conducted cyberattacks on its national time center - Engadget - October 21st, 2025 [October 21st, 2025]
- China claims the US NSA conducted cyberattacks on its national time center - TechRadar - October 21st, 2025 [October 21st, 2025]
- Donald Trump's ex-NSA John Bolton indicted; charged over mishandling classified information; Trump calls - Times of India - October 19th, 2025 [October 19th, 2025]
- Trump critic and former NSA adviser John Bolton indicted on classified documents charges - MLive.com - October 19th, 2025 [October 19th, 2025]
- NSA Accused of Stealing Secrets from Chinas National Time Centre - Modern Diplomacy - October 19th, 2025 [October 19th, 2025]
- Ex-Donald Trump NSA John Bolton Indicted: All About The 18 Charges - NDTV - October 19th, 2025 [October 19th, 2025]
- Explained: What are the charges against ex-US NSA John Bolton? What next? - Firstpost - October 19th, 2025 [October 19th, 2025]
- Former Trump NSA John Bolton Indicted On 18 Counts For Sharing Classified Information - Republic World - October 19th, 2025 [October 19th, 2025]
- Ex-Trump NSA Bolton charged with storing, sharing classified information - Business Standard - October 17th, 2025 [October 17th, 2025]
- Lt. Gen. William Hartman, acting leader of NSA and Cyber Command, will not be nominated for the dual-hat role - POLITICO Pro - October 17th, 2025 [October 17th, 2025]
- Shaping health futures together: NSA engagement for EPW2 and Ageing is Living - World Health Organization (WHO) - October 17th, 2025 [October 17th, 2025]
- Trump's ex-NSA John Bolton indicted over sharing US defence secrets: Was his email hacked by Iran? - WION - October 17th, 2025 [October 17th, 2025]
- John Bolton Indicted: What are the Charges Against Trump's Former NSA? - Times Now - October 17th, 2025 [October 17th, 2025]
- China infrastructure hacks are 'unrestricted warfare' against America, former NSA director says - Washington Times - October 15th, 2025 [October 15th, 2025]
- Children were scared to sleep outside, many stopped going to schools: Why NSA was invoked against a rape accused in UPs Bhadohi - The Indian Express - October 15th, 2025 [October 15th, 2025]
- Chinas Capacity to Hack the U.S. Is Growing, Former NSA and Retired Gen. Tim Haugh Warns - Homeland Security Today - October 15th, 2025 [October 15th, 2025]
- Ousted NSA head Gen. Tim Haugh on his firing by the Trump administration - CBS News - October 13th, 2025 [October 13th, 2025]