A massive ransomware offensive that raged across 150 countries has not hit any U.S. federal agencies or critical infrastructure such as energy plants and airports, President Donald Trump’s top homeland security adviser said Monday.
The campaign has struck more than 300,000 machines globally, Homeland Security Adviser Tom Bossert said during a White House news conference Monday. The attack relies on a computer vulnerability that may have been initially discovered by the National Security Agency and used to spy on adversaries.
The unknown attackers are using one of three variants of a piece of ransomware known as “WannaCry” or “WannaCrypt,” which exploits a vulnerability in the Windows operating system to lock and encrypt a victim’s computers until the victim pays a ransom to unlock them.
The vulnerability was exposed by the hacking group Shadow Brokers last summer as part of a cache of tools that appear to have been developed by NSA.
Microsoft issued a patch that protects against the exploits in March, but many computers remain vulnerable because people are slow to install software patches.
“The bottom line for the consumer is: Patch your software,” Bossert said.
Bossert declined to say whether U.S. citizens may be victimized by other NSA-developed hacking tools released by Shadow Brokers, saying, “the provenance … of the underlying vulnerability is something that is a little bit less of a direct point for me.”
He also stressed the WannaCry hackers had developed the ultimate ransomware tool that relied on the vulnerability Shadow Brokers exposed, not NSA.
“This was not a tool developed by the NSA to hold ransom data,” he said. “This was a tool developed by culpable parties, potentially criminals or foreign nation-states.”
He added, “the best and the brightest are working on finding out who the hackers are.”
Major WannaCry victims include the British National Health Service, the Russian Foreign Ministry and FedEx in the U.S.
Despite the immense number of infections, the U.S. government believes the hacking group has only collected about $75,000 in ransoms, Bossert said, and the government is “not aware” any machines were unlocked after ransoms were paid.
Because companies are often not required to report ransomware attacks, there’s no firm data on how often hackers unlock a computer after a ransom is paid. Law enforcement and security researchers say anecdotally ransomware attackers often do unlock encrypted machines, though they may attack the same organization again if it doesn’t patch the exploited vulnerability.
The WannaCry attack has raised questions about U.S. intelligence agencies’ practice of storing some otherwise unknown software vulnerabilities they discover, known as “zero days,” rather than alerting software makers.
Obama administration officials said the U.S. government stored less than 10 percent of the zero days it discovered and privileged disclosure in cases where criminals or adversary nation-states were likely to discover the same vulnerability or the effects of the vulnerability being exploited would be highly damaging to consumers.
The Shadow Brokers’ release of NSA hacking tools and a separate recent dump of alleged CIA hacking tools by WikiLeaks, however, raise questions about whether the U.S. government can keep its zero days truly secret.
The Trump administration has not signaled whether it will retain the Obama process for reviewing zero days, but any rejiggering that follows the same rough cost-benefit calculations is unlikely to result in a great increase in the government’s zero-day cache, Obama White House Cybersecurity Coordinator Michael Daniel has said.
Bossert defended the government’s zero-days practice Monday, saying the U.S. is “extremely careful with their processes of how they handle any vulnerabilities they’re aware of.”
“That’s something that we do when we know of the vulnerability, not when we know we lost the vulnerability,” Bossert said. “I think that’s a key distinction between us and other countries and other adversaries that don’t provide any such consideration to their people, customers or industry.”