Cyber Attack On Baltimore Uncovers NSA Leak

In the early morning hours of May 7, some Baltimore city staff began to notice that their email systems weren’t working properly. It didn’t take long for things to go from bad to worse as computer systems locked up and a message in broken English materialized on screens. “We’ve watching you for days,” they said. “We won’t talk more, all we know is MONEY! Hurry up!”

Become a Subscriber

Please purchase a subscription to continue reading this article.

Subscribe Now

The unknown hackers went on to demand almost $100,000 in bitcoin in return for restoration of data lost during the attack. Baltimore is cooperating with an FBI investigation into the matter and cannot comment on the specifics but did state they would not pay the ransom.

The cyber-attack is thought to have first been triggered on certain city systems after there was an interruption in email service. Baltimore’s Department of Public Works was the first to raise the red flag after tweeting out that their email and phone systems were offline from their official Twitter account. It’s unclear how extensive the attack was on the city’s network but the damage done has meant that real estate purchases cannot be closed, utility payments cannot be made, and city police cannot access their surveillance cameras.

Baltimore is not the first city to be hit by a cyberattack. Atlanta was also a victim of a ransomware incident that took place in March 2018. The Georgia-based city was reported to have spent $2.6 million on emergency efforts to reclaim and secure their networks. While the big peach had invested in insurance coverage for cyber-security attacks, Baltimore’s city council passed on the extra expense when their final budget was approved. Unfortunately, it will be Baltimore citizens that will be footing the bill for the cyber clean-up efforts

The National Security Agency is bearing the blame for Baltimore’s ransomware attack. A recent NYTimes article alleged that security officials briefed on the investigation revealed that an integral part of the malware code used to infiltrate the city’s information technology infrastructure came from EternalBlue – a hacking tool developed by the intelligence agency that was leaked in 2017 by an unidentified group calling themselves the Shadow Brokers.

According to former NSA employees, EternalBlue was initially created to exploit a vulnerability in Microsoft’s software and used the hack to spy on foreign agencies for at least five years before it was allegedly stolen by an unknown group. When the hacking tool was leaked, the intelligence organization notified the tech giant of the issue and a patch was released to address the problem.

Despite the availability of the update, many networks remain vulnerable to an EnternalBlue-based attack. According to Shodan – a search engine that lets users search for computer systems and devices connected to the internet – there are nearly a million systems that are running the outdated Microsoft software. Over 40 percent of those machines are located in the United States.

Local governments operating with antiquated IT infrastructures and outdated versions of software remain the most susceptible to these digital attacks. Baltimore’s municipal government has been experiencing ongoing turmoil as a former mayor is being investigated for corruption. In addition, the mayor’s Office of Information Technology has also struggled as they transitioned through four consecutive Chief Information Officers who were fired or forced to resign over a two-year period.

Baltimore’s mayor, Bernard C. “Jack” Young, stated he was not sure when the city’s systems would be fully operational once again:

“I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout this process. You may see partial services begin to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process…we engaged leading industry cybersecurity experts who are on-site 24-7 working with us.

Some of the restoration efforts also require that we rebuild certain systems to make sure that when we restore business functions, we are doing so in a secure manner.”

While the NSA vehemently denies that their EternalBlue tool played any role in the Baltimore ransomware attack, the attacks themselves emphasize the importance for agencies and organizations to have an updated security strategy - a comprehensive plan for ensuring upgrades are made in a timely manner; employees are properly trained on security precautions; data is appropriately stored and protected; and that there is a reliable, multi-layered security solution to safeguard systems.