The WannaCry ransomware outburst is living proof that systems across the world need to be running the latest patches and supported operating system versions, but while Microsoft rolled out updates to block the exploit before the mass infection started, new information reveals some behind-the-scenes details.

A report from the Washington Post reveals that the NSA itself reported the vulnerability to Microsoft after discovering that a group of hackers managed to steal it from its systems.

The National Security Agency was hit by a cyberattack launched by Shadow Brokers last year, and the hackers managed to steal several exploits that the agency itself was using to break into Windows computers.

Since most of these exploits were based on unpatched vulnerabilities in Windows, leaking them online could have led to large-scale attacks, so in order to prevent this, the NSA itself reported the bugs to Microsoft to have them patched.

The agency, however, did this for its own good, as it was afraid that hackers might use the exploits against computers used by officials in the United States, including those belonging to the Department of Defense.

NSA used the flaw for 5 years

After being tipped off about the vulnerability, Microsoft developed a patch in mid-February and published it for supported Windows systems in March, with unsupported Windows versions getting the fix only if they were covered by a custom support license. After the massive ransomware infection started this month, Microsoft decided to release this patch for all users, including for those running Windows XP.

More worrying is that the NSA actually used the same vulnerability to hack into Windows systems for no less than 5 years before reporting it to Microsoft. And there’s a good chance that the flaw would have remained completely secret if the hackers didn’t break into NSA systems.

This is one of the reasons Microsoft criticized the NSA and government departments for not reporting security flaws to vendors, emphasizing that systems worldwide are made vulnerable just because they’re keeping major vulnerabilities for their own hacking programs.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action,” Microsoft said.