NSA points to two-year patching window in remarks about Baltimore incident

In the wake of the Baltimore ransomware attack, a senior adviser at the National Security Agency said Thursday there is no “indefensible” nation-state-built tool that is responsible for the spread of ransomware and network administrators have a responsibility to patch their systems, especially when patches have been released for critical flaws.

The comments come after The New York Times reported this past week that RobbinHood, the ransomware strain behind the Baltimore ransomware attack, was able to spread on the city IT infrastructure partly due to its use of a leaked NSA tool known as EternalBlue. The Times report, which cites security experts briefed on the matter, states EternalBlue was discovered as incident response teams fixed the issues that had crippled a number of the city’s online services.

“The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue,” Rob Joyce, a senior adviser at the NSA, said Thursday according to prepared remarks obtained by CyberScoop. “That is not true.”

Joyce, speaking at a CrowdStrike security conference, indicated that network administrators should have patched their systems long ago given how long the exploit has been public.

“Two years have gone by — network administrators are responsible for ensuring that system patches are up-to-date,” Joyce said.

Security researchers have raised questions following the Times report, particularly wondering if it’s even possible for EternalBlue to have been used in the Baltimore incident. Allan Liska, a threat intelligence analyst with Recorded Future, says that while EternalBlue has been used in other ransomware attacks, it is not clear that it was used in the Baltimore attack.

“There have been several ransomware variants that have incorporated the EternalBlue exploit into their ransomware,” Liska said. “They are definitely out there. As far as I know, RobbinHood has not been one of them.”

Liska says it’s possible that this is the first instance EternalBlue was used in a RobinHood attack.

“That being said I have not seen forensic analysis of the RobinHood sample that was used in Baltimore,” Liska said. “It’s incredibly possible that they’ve adapted their ransomware to include EternalBlue.”

Beau Woods, a cyber safety innovation fellow with the Atlantic Council, also told CyberScoop that it’s possible EternalBlue was in part of the ransomware attack, but perhaps not a major component of the attack.

“Typically these things are deployed in a modular fashion,” Woods said. “It’s entirely possible that RobinHood uses an exploit like EternalBlue. It’s also possible that the ransomware contains other exploits as well, and its success didn’t rely on EternalBlue.”

Dave Aitel, chief security technical officer for Cyxtera Technologies, said that although it is possible EternalBlue was used in the attack, he took issue with the idea that the NSA could be considered responsible — whether or not EternalBlue had been used.

“It doesn’t matter who releases a patch,” Aitel, a former NSA employee, told CyberScoop. “Once the patch is out you have to assume the vulnerability is known about. It’s not NSA’s fault.”

Joyce added that even if system administrators think about single vulnerabilities at a time, it will not be sufficient to protect systems.

“Focusing on a single exploit, especially one that … has a solution through a patch, is shortsighted,” Joyce said. “Vulnerabilities will continue to be found.”

EternalBlue is the same exploit that allowed the WannaCry ransomware to spread around the world in 2017, and has since been leveraged in other attacks on other cities, including in Allentown, Pennsylvania, and in San Antonio, Texas, according to the Times.