After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.
Those same NSA officials, according to Tuesday's report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.
"NSA identified a risk and communicated it to Microsoft, who put out an immediate patch," Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: "This one is very serious, and we need to protect ourselves."
Elsewhere in the article, the paper, citing people who spoke on the condition of anonymity, said: "The agency eventually warned Microsoft after learning about EternalBlue's theft, allowing the company to prepare a software patch issued in March."
The Washington Post article is the first to explicitly report that the NSA was the source that alerted Microsoft to the vulnerability fixed in March's MS17-010 security bulletin. But it comes as little surprise. Several pieces of evidence led outsiders to speculate for weeks that the NSA was the disclosing party. Exhibit A was the timing. On January 7, the Shadow Brokers announced the auction of dozens of NSA tools, including one called DoublePulsar, a backdoor that is installed by EternalBlue.