The EternalBlue Source Might Have Been Able to “Fish DOD with Dynamite;” Why Didn’t It?

Let’s look at some dates the WaPo’s sources and Shadow Brokers are giving for the EternalBlue exploit that caused havoc around the world starting on Friday.

Yesterday, WaPo had a story on how concerned people within NSA were about the EternalBlue Windows exploit used in the WannaCry ransomware. It was so powerful, one source described, it was like “fishing with dynamite.”

In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.

“It was like fishing with dynamite,” said a second.

But that power came with risks. Among others, when the NSA started using the powerful tool more than five years ago, the military would have been exposed to its use.

Since the NSA began using EternalBlue, which targets some versions of Microsoft Windows, the U.S. military and many other institutions have updated software that was especially vulnerable.

Though Cyberscoop notes the US military hasn’t been entirely protected from WannaCry. An IP address associated with the Army Research Lab in Fort Huachuca was infected (though that could have been a deliberate attempt to respond to the ransomware).

WannaCry ransomware infected a machine tied to an IP address associated with the Army Research Laboratory, CyberScoop has learned. The information, found on a list of affected IP addresses provided by a security vendor, would mark the first time the ransomware was found on a federal government computer.

The security vendor, who provided the data on condition of anonymity to discuss sensitive material, observed communications from the victim IP address to the attackers’ known command and control server on May 12; confirming that the ransomware infection involving the ARL was in fact successful.

The IP address is tied to a server block parked at a host located at Fort Huachuca, Arizona. The type of machine the IP address is attached to is unknown.

In the early days of EternalBlue, the WaPo explains, it would often crash the infected computer, resulting in a bluescreen that might alert victims to its presence. That opened the possibility that the victim might discover the exploit and then turn it back on the US.

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

The WaPo puts the date before which DOD was vulnerable to its own weapon at 2014.

What if the Shadow Brokers had dumped the exploits in 2014, before the government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

In yesterday’s post, Shadow Brokers claimed the Windows exploits released last month — which it had first named in January — came from a 2013 OpsDisk.

In January theshadowbrokers is deciding to show screenshots of lost theequationgroup 2013 Windows Ops Disk.

I’ll have a bit more to say about Shadow Brokers’ claims yesterday. But if this description of the source of the exploit is correct — an ops disk dating to 2013 — it opens up the possibility it was discovered around the same time (perhaps in response to the bluescreen effect). If it was, then whoever found it would have been able to attack DOD with it.

I keep asking people what the source for Shadow Brokers’ files might have been able — might still be able — to steal from the US using the tools in question. This timeline seems to suggest the Ops Disk would have been deployed before DOD was prepared to withstand its own weapons.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

6 replies
  1. scory says:

    So I like to think I stay minimally aware of trends in technology, including the anecdotal and on occasion, the outright rumour. But I’d never heard about the Equation Group until Shadow Brokers started discussing it w/r/t the Eternal Blue exploits. There are threads of actions and disclosures in the Wanna Crypt event that are starting to feel more and more like a false flag operation … and that possibly, the Equation Group might well be behind the event. Sorry to go all conspiracy theory on y’all.

    • SpaceLifeForm says:

      SB goes back to at least August 2016. EternalBlue was not revealed at that point. Revealed April 2017. After Microsoft had warning and time to provide fixes.

    • SpaceLifeForm says:

      As to conspiracy theories, you may be correct.
      In fact, I have been on a variation of that for years.

      But, things are getting into bizarro land, and you must ask yourself if NSA or CIA would leak their own tools intentionally. Or, to be more accurate, that some in NSA would leak NSA tools, and some in CIA would leak CIA tools. Certainly possible. But to intentionally ‘leak’ because you want the tools to be used for attacks does not sound like the intent of a leaker that is trying to educate the public and the Congress.

      Leaking on purpose for political reasons can be a motive of course even if they do not care about damage.

      I can certainly come up with logical reasons why they would do so. The main one being to provide plausible deniability.
      I.E., “it wasn’t us, look over there!”

      Another possible reason to intentionally leak is because the exploits are useless now because Microsoft has hardened their software so well.

      Sorry, I kid. Hope you did not do the old
      C | N > K
      thing.

      An even more worrisome reason: The exploits are not just old (relative in internet time), but they are ‘old hat’.

      At this time, still on theory that CIA and NSA hacked each other. Spy vs Spy.

      So, how does this fit in? This was before Wcry and *prevented* a Wcry attack.

      https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

  2. lefty665 says:

    Often with NSA we get snapshots of their capabilities at a point in the past. To estimate what they can do today we can evolve those capabilities forward in time. We can know our own hardware and software at the time of the snapshot and how it has progressed since. We can then be pretty sure that at a minimum NSA’s capabilities have evolved as far in the same period. Today’s tools will be both better and exploiting different and newer vulnerabilities. The 2016/17 OpsDisks will have newer and more sophisticated exploits. We can see evolution in the EternalBlue(screenofdeath) example. There is a high probability that DoD will not be currently capable of defending (or competent to implement defenses) against at least some of the newer exploits. Any bets on how many of the crown jewels Shadow Brokers (SB) has?

    Something else we can do is to rewind newly revealed vulnerabilities back to their origin to predict NSA’s capabilities and how long NSA has had them (what did they know and when did they know it?). For example, the other day SLF linked to an EFF posting on a vulnerability in Intel’s Management Engine (ME 2008) accessed through their Active Management Technology (AMT & predecessors – the millennium). If we learned nothing else from Ed Snowden it was how comprehensive NSA’s exploits are. They are very, very bright folks assigned a mission and the resources to execute it. Odds seem pretty good that ShadowBrokers has the exploits of most longstanding vulnerabilities. Much of the ME/AMT example technology was developed by Intel’s Israeli division. That makes the odds even higher that the Israelis have longer standing and better exploits of those vulnerabilities than NSA.

    We have had a demonstration of the global damage a single undefended exploit can cause. Our concerns need to be with understanding and defending the entire basket of SB accessible exploits, not just the specific example at hand. The implications are profound.

  3. lefty665 says:

    Paul Craig Roberts asks an interesting question:

    “Was it to be used to shut down Russian and Chinese systems prior to launching a nuclear first strike against the countries? Congress should be asking this question as it is certain that the Russian and Chinese governments are. As I previously reported, the Russian High Command has already concluded that Washington is preparing a nuclear first strike against Russia, and so has China.”

    I had assumed it was a comint tool, but maybe not.

    http://www.paulcraigroberts.org/2017/05/15/exponential-growth-insecurity/
