michael barbaro

From The New York Times, I’m Michael Barbaro. This is “The Daily.” Today: A group of online criminals has held the city of Baltimore’s computer system hostage for nearly a month, paralyzing basic government functions. The software used to shut the system down was developed by a government agency just a few miles away. It’s Tuesday, June 4.

scott shane

So the National Security Agency was founded in 1952. There were earlier eavesdropping agencies. But that was sort of the post-World War II creation of one big agency to do all kinds of electronic intercepts. Any way that foreigners of interest communicate, N.S.A. tries to get there and collect.

michael barbaro

Scott Shane covers national security for The Times.

scott shane

And in perhaps the last 20 years, they have created a hacking team that would break into foreign computer networks and collect intelligence. And that sort of sets the backdrop to what’s happening today. The way N.S.A. breaks into foreign computer networks is it first hunts for vulnerabilities, as they’re called, in commonly used software. And very often, these vulnerabilities are in Windows. It’s extremely widely used around the world, including by governments, by foreign governments, which are often the target. But it’s used by terrorist groups, foreign diplomats, foreign militaries.

michael barbaro

Even terrorists use Windows.

scott shane

Even terrorists use Windows. When N.S.A. discovers a vulnerability these days, it goes to a sort of committee overseen by the White House representing a bunch of different agencies. And there’s a debate that takes place over whether N.S.A. should be allowed to keep the vulnerabilities secret or should really report it to the software maker so that they can come up with a patch and make their software more secure. So they found a particular vulnerability probably eight or nine years ago, and they gave the vulnerability the name EternalBlue.

michael barbaro

And when the N.S.A. discovers EternalBlue, do they decide to tell Microsoft about it — about this vulnerability in their own software?

scott shane

No, they don’t. If they told Microsoft, Microsoft would put out one of those Windows updates. So they would have put out a patch for EternalBlue and essentially covered over this security hole in Windows. So they didn’t tell Microsoft. And so EternalBlue became actually one of N.S.A.’s go-to tools for collecting intelligence. You know, they could kind of crawl in the upstairs window, and rummage around, and take what they wanted, and no one was the wiser. Because this is all secret, we don’t know. But it’s certainly conceivable that somebody in Al Qaeda or ISIS was using Windows on a machine that N.S.A. broke into, one of those machines, and learned something crucial about a forthcoming attack, for example. You know, we don’t know. I’m just speculating here. But we were told that this tool was extremely effective in espionage and counterterrorism. So the N.S.A. keeps EternalBlue a secret for at least five years, until 2016, when something dire and shocking occurs. A group calling itself the Shadow Brokers — it’s never been heard of before — suddenly pops up on the web, and they announce that they have a lot of N.S.A.’s hacking tools, which are, of course, extremely secret, extremely carefully protected, and they are now going to auction them off online.

michael barbaro

Wow.

scott shane

They make this announcement in a kind of strange, broken English: “Attention, government sponsors of cyberwarfare and those who profit from it. How much you pay for enemies’ cyberweapons? You enjoy. You break many things. You find many intrusions. You write many words, but not all. We are auction the best files.” So there is this sort of strange, in-your-face aspect of this, that not only have we stolen the crown jewels here, but we’re sort of having fun with them and trying to make a little money.

michael barbaro

And does this auction work? Are people bidding on it?

scott shane

The auction is not going so well. Not surprisingly, perhaps, purchasers seem wary of this situation. You don’t really want to tick off N.S.A.

michael barbaro

Right.

scott shane

So they don’t appear to get a lot of purchasers of these cybertools. And at one point, they say, “The Shadow Brokers is trying auction. Peoples no like. The Shadow Brokers is trying crowdfunding. Peoples is no liking. Now The Shadow Brokers is trying direct sales.” So they’re sort of telling the story of their start-up business, and things aren’t going so well. So in April of 2017, presumably frustrated that they’re not going to make a lot of money off this, they just dump all these hacking tools onto the internet.

archived recording 1 The New York Times reports a massive security breach has shaken the National Security Agency to its core.

archived recording 2 A group calling themselves Shadow Brokers posted two major files online. One is a cybercrime free-for-all of tools and techniques the N.S.A. has compiled to break past computer system firewalls. The other is an advanced set of cyberweapons.

michael barbaro

Wow, they just give it away.

scott shane

They give it away.

archived recording It could be the National Security Agency’s most significant leak of secrets since Edward Snowden blew the lid off the group’s surveillance tactics in 2013.

michael barbaro

Kind of like WikiLeaks-style.

scott shane

Yes, except that this is not information, it’s —

michael barbaro

Weapon.

scott shane

— very dangerous internet tools. And one of the most significant of them is the one called EternalBlue. Now, I should say that about a month before Shadow Brokers released all these tools, including EternalBlue, N.S.A. apparently contacted Microsoft and said, geez, there’s something you ought to know.

michael barbaro

And so thankfully, Microsoft is able to create a fix before it goes completely public through the Shadow Brokers.

scott shane

But the problem is — and anyone knows this who uses Windows — you get that thing that says, you know, Windows updates are now available, and some of them might even say, critical Windows updates, security updates. But you get busy with stuff. You’ve got other things going on.

michael barbaro

Or you minimize the box, and drag it down to the corner, and just kind of hope it goes away.

scott shane

Absolutely.

michael barbaro

Yeah.

scott shane

And you say, yeah, no, I’ll do that next week. And that even happens in large companies, in institutions, in governments. And so you know, people kick this down the road. Many, many, many Windows, you know, computers around the world were protected. People installed the patch, ran this update. But many, many were not.

michael barbaro

Mm-hmm.

scott shane

And sure enough —

archived recording A massive cyberattack now being described as unprecedented in its sheer size —

scott shane

On a Friday in May of 2017 —

archived recording Britain’s National Health Service computers were the first to be hit Friday morning, forcing hospital emergency rooms to shut down, stopping surgeries.

scott shane

— a computer is infected with something that’s come to be known as WannaCry.

archived recording This is a screenshot of what the virus dubbed WannaCry look like. Hackers exploited this weak point to infect Windows computers with ransomware through spam, email or attachments. The ransomware —

scott shane

Your computer screen suddenly goes blank. And there’s a message on the screen, and it says, you have to pay x amount, or we will destroy your files. And within a day, it spreads to computers in 150 countries.

archived recording 1 A massive cyberattack has crippled computers, grounded airlines, and pretty much halted shipping around the world.

archived recording 2 It affected all types of industries, from the FedEx Corporation in the U.S., to the Russian Interior Ministry, to the French carmaker Renault, to British hospitals and medical centers.

archived recording 3 Pharmaceutical giant Merck tweeted that its computer network was compromised, and people couldn’t even get in the building. They were sent home.

scott shane

Turns out behind this attack was North Korean intelligence. And one of the main tools that they were using was EternalBlue.

michael barbaro

Huh.

scott shane

Then later in 2017 —

archived recording 1 Yet another massive cyberattack hit organizations across the developed world today.

archived recording 2 The attack involved malware known as Petya, locking victims’ computers and asking them to pay a bitcoin ransom of $300.

scott shane

There are corporations that report hundreds of millions of dollars of damages.

archived recording The disruption spread to several companies, including Merck, WPP and Rosneft.

scott shane

That one is traced to Russian intelligence. And that one, too, is using EternalBlue.

michael barbaro

So how did all of these countries and victims deal with this attack? Did they pay the ransoms?

scott shane

You know, we don’t know for sure. I’ve been told by people who do, you know, cybersecurity consulting that it’s very common, if a ransomware attack occurs against a company and it is not public knowledge, for the company to make a payment in hopes of unlocking their files and making the whole thing go away. And ultimately, the cost of repairing your system, replacing your files, setting up backups, and so on is usually much greater than the amount of money that’s demanded by the attackers. So in 2017, the story of EternalBlue and the other stolen N.S.A. hacking tools sort of faded from the news, for the most part. F.B.I. and N.S.A. still had not found the Shadow Brokers. But then, the same tool began to turn up in American cities, and finally, right in N.S.A.’s own back yard.

michael barbaro

We’ll be right back. O.K., Scott, before we get into this recent attack in Baltimore, bring us up to speed on what’s been happening there over the past few months.

scott shane

Well, I think it’s fair to say that the last thing Baltimore needed in 2019 was a cyberattack.

archived recording Now to the scandal rocking the city of Baltimore. F.B.I. agents raiding the home and offices of Mayor Catherine Pugh.

scott shane

It had just undergone a pretty unusual corruption scandal.

archived recording 1 Folks, the political career of Catherine Pugh is over.

archived recording 2 Former Democratic mayor Catherine Pugh was considered a reformer, but nobody saw the children’s book kickback scandal coming.

scott shane

The mayor, Catherine Pugh, had been writing a series of books about a character she called Healthy Holly.

archived recording In fairness, it was a pretty novel scam. You see, the mayor decided to self-publish a series of children’s books called “Healthy Holly.” Nothing wrong there. Granted, there were some quality control issues, like having one of the main characters’ names misspelled, along with the word “vegetable.” But hey, this wasn’t a crime against grammar.

scott shane

These books weren’t selling. She hadn’t really found an audience for them, until she discovered that she could sell hundreds of thousands of dollars’ worth of them to nonprofit organizations that she had connections to, notably a hospital system on whose board she served.

archived recording 1 In total, her business took in about $800,000 in sales.

archived recording 2 I think the last Baltimore author who got a deal that good was the late Tom Clancy.

scott shane

Unclear with what motive, unless they were trying to win influence with the mayor of Baltimore.

michael barbaro

Hmm.

archived recording (catherine pugh) And I sincerely want to say that I apologize that I’ve done something to upset the people of Baltimore that I love and care about.

archived recording This morning, Baltimore has a new mayor. Jack Young says his predecessor’s resignation will only make the city stronger.

archived recording (jack young) The past few weeks have been painful and traumatizing for all of us. Like each of you, I am utterly heartbroken. We’re going to make sure that the city moves forward. So we’re going to keep this city moving, and we’re going to get things done.

michael barbaro

So tell me about this attack.

scott shane

So on the morning of May 7, city workers go to their offices as usual. And in the Department of Public Works, people are beginning their day, and suddenly, on their screens, whatever they’re working on disappears, and there’s a message. And it says, “We’ve watching you for days. We won’t talk more. All we know is money. Hurry up. Tick, tack, tick, tack, tick, tack.”

michael barbaro

Tick, tock?

scott shane

Exactly. Presumably, this is not originating with a native speaker of English. But who knows?

michael barbaro

Right.

scott shane

So this appears on computer screens all over the city. It spreads from the Department of Public Works across all of the departments of city government. And people suddenly don’t have access to their computers. They don’t have email. For a while, the phones stop working. And a lot of the functions of city government are paralyzed.

archived recording 1 The attack ground real estate transactions to a halt.

archived recording 2 Prompting city employees to work 12-hour shifts in order to conduct all their day-to-day city business via phone and even in person.

archived recording 3 Residents today still unable to pay water bills, tickets, taxes, and close real estate deals online. And folks are fed up.

archived recording 4 A red light — had a parking ticket.

archived recording 5 Now, I hope to come tomorrow. And if it’s not working tomorrow, then I have to come day after tomorrow also.

archived recording 6 My car was stolen. I need to pay the tickets so they can release my car.

scott shane

There were health alerts that didn’t go out about disease outbreaks and bad batches of drugs. It’s kind of pouring molasses into the works of city government.

archived recording 1 Whoever’s responsible is demanding 13 bitcoins, or some $100,000, to unlock the system.

archived recording 2 In this case, targeting a very vulnerable target, a U.S. city.

michael barbaro

Scott, I’m just curious. Why would whoever did this target a city and a kind of medium city without a ton of money at that, not a billion-dollar corporation that would probably not think much of paying off this ransom? What exactly is the idea of this target?

scott shane

So you know, sophisticated operations, big companies, and so on updated their software, patched their systems, back in March of 2017. And so there’s a dwindling number of Windows computers that are vulnerable to an attack that uses EternalBlue. And now, more recently, in the last year or so, there’s been quite a few attacks on American cities. Local governments without a lot of spare money, often without a lot of sophistication about I.T. and internet security, they provide a lot of services to the public. So presumably, the criminals are thinking, as they attack local governments, there will be a lot of pressure to get these systems up and running again, so maybe we can squeeze a ransom payment out of these guys. And their systems aren’t patched.

michael barbaro

And give me a sense of what is significant, specifically, about Baltimore.

scott shane

Well, if you think about EternalBlue, born years ago at Fort Meade, Maryland, on the N.S.A. campus, well, that’s about a 15-minute drive from Baltimore. Lots of N.S.A. employees — N.S.A. has a huge workforce, and lots of N.S.A. employees live in the city of Baltimore and in its southern suburbs. So essentially, EternalBlue made its way around the world and then came home.

michael barbaro

What have you heard, Scott, from the N.S.A.?

scott shane

Well, the N.S.A., whose name has sometimes been interpreted as “Never Say Anything” or “No Such Agency,” has, true to form, said nothing. The big picture here is that they’ve said nothing since the Shadow Brokers first popped up and said, we have a bunch of N.S.A. tools, in 2016. They really haven’t been held publicly accountable for the loss of this big chunk of their arsenal.

michael barbaro

And why is that, exactly? My sense is that there are ways that Congress and lawmakers can hold N.S.A. officials responsible in kind of closed-door ways that will not compromise national securities. Isn’t that why we have these secure rooms in the basement of the Capitol?

scott shane

There have been questions asked of N.S.A. officials in closed hearings, but none of this has become public. And N.S.A. correctly says that its entire cyberespionage program is classified and that it’s actually illegal to talk about it in public. But I think in this instance, it’s a situation in which at some point, you kind of have to ask, is the N.S.A. using classification, sort of official secrecy, to avoid responsibility for what has really become a disastrous saga in the history of the agency? You know, these are, or can be, very dangerous weapons. And if the N.S.A. is unable to keep them safe, you know, it raises all kinds of questions about the costs and benefits of these operations. And part of the problem here is that at least as far as we’ve been able to determine, the F.B.I. and N.S.A. have, to this day, not determined who the Shadow Brokers are or how they obtained these hacking tools. We still don’t know the answer to those questions, so we don’t really know how negligent N.S.A. was. And therefore, we don’t really know what the lessons are and whether they have been learned.

michael barbaro

So now it’s been nearly a month since this attack in Baltimore. Where is the city? What kind of shape is it in?

scott shane

Well, the new acting mayor, Jack Young, made the decision not to pay the ransom.

archived recording (jack young) No, I will not pay a ransom to anybody. No.

scott shane

And the city hired a number of cybersecurity contractors to come in and assess the damage and try to figure out how to work their way out of it. And I’m told that as of Wednesday of last week, employees, city employees, began to get their email back.

michael barbaro

How much, in the end, do you think this will cost the city?

scott shane

City budget officials at a hearing last week estimated the cost at more than $18 million, I think about $10 million in immediate recovery costs and about $8 million in fees that they didn’t collect or collected late as a result of the shutdown.

michael barbaro

So particularly compared with the ransom of $100,000, that’s a lot of money.

scott shane

For a city like Baltimore, that is real money. And there’s a particular irony and particular pain to Baltimore being attacked by tools made at N.S.A.

archived recording (jack young) While we have had trying times recently, I’m confident we will prevail. I would like to thank our fellow and state partners for working closely with us as we work to fix a virus that has affected the city’s network of computer servers. But the people of Baltimore, much like our great city, are made tough. I don’t know nobody else that’s more resilient than Baltimore. [CHEERS AND APPLAUSE]

michael barbaro

Scott, thank you very much. And as someone who lives in the Baltimore region, I wish you good luck.

scott shane

Thank you, Michael.

michael barbaro

Since we spoke with Scott, a Maryland congressman said he was informed by the N.S.A. that EternalBlue was not used in the ransomware attack on Baltimore. In a story following up on that claim, Scott and fellow Times reporter Nicole Perlroth stood by their reporting, writing that sources directly involved in the investigation told them that all four contractors hired to study what happened in Baltimore had discovered EternalBlue. The N.S.A., however, has declined to publicly comment. We’ll be right back. Here’s what else you need to know today.

archived recording [MUSIC]

michael barbaro

President Trump began a highly anticipated state visit to Britain on Monday with a series of tweets sent while still in the air, insulting the mayor of London, whom the president called a, quote, “stone cold loser.” The mayor, Sadiq Khan, appeared to provoke the president’s anger by calling on British Prime Minister Theresa May to denounce Trump’s policies and conduct ahead of the visit, something May did not do.

archived recording [GUN SALUTE]

michael barbaro