Hack that cost Baltimore $18M a mystery after experts eye NSA link

By Daniel Uria

June 10 (UPI) -- Weeks after Baltimore and a North Carolina city fell victim to ransomware known as "RobbinHood" -- attacks some experts say involved a tool developed by the National Security Agency -- Maryland officials and intelligence agencies don't have a clear picture of exactly what or who caused the crippling cyberattack.

Attacks targeted Greenville, N.C., on April 10 and Baltimore on May 7, which locked both local governments out of their computer servers for ransom. City systems are slowly recovering from the attack, which officials said cost Baltimore more than $18 million. The head of the city's information technology office apologized for what's been called a slow response to the incident.


Last month, it was reported that an NSA tool called EternalBlue was part of the cyberattack -- a claim Maryland Rep. Dutch Ruppersberger said the agency denied during a briefing between Maryland representatives and NSA leaders last week.


"I have been told that there is no evidence at this time that EternalBlue played a role in the ransomware attack currently affecting Baltimore City," he said in a statement. "I'm told it was not used to gain access nor to propagate further activity within the network."

Multiple security experts briefed on the case initially told The New York Times EternalBlue was a key component in the attack. Joe Stewart, a malware expert at security firm Armor, said the NSA component could have been used in the attacks -- but it's unlikely.

""We took a look at it and found a pretty vanilla ransomware binary," Stewart said last week. "It doesn't even have any means of spreading across networks on its own."

Johns Hopkins University computer science professor Avi Rubin said EternalBlue is a toolkit of software designed to allow malicious code to enter Windows devices by exploiting vulnerabilities in their systems.

"It was initially designed by the NSA to allow for offensive capabilities, going after their targets by breaking into their computers and installing whatever it is that they wanted, whether tracking or mining information for data," said Rubin.

The exploit eventually was obtained -- either through infiltration or an insider leak -- by a group of hackers known as the Shadow Brokers, who attempted to sell it for profit before leaking it online for other hackers to use.


EternalBlue was linked to previous large-scale cyberattacks, such as WannaCry, which paralyzed computers in more than 150 countries in 2017. The NSA is believed to have reached out to Microsoft after that attack, which issued a patch that addressed the vulnerabilities.

"The systems that are vulnerable to EternalBlue are ones that are still using Windows, pre-2017 without updates," said Rubin. "If anybody updated their systems with a patch from Microsoft, EternalBlue wouldn't work against it. But a lot of people, including the City here in Baltimore didn't."

Ruppersberger said the attack was the result of phishing, but Rubin said it's possible ransomware and exploits like EternalBlue could still be involved.

"Ransomware gets in however it gets in. Phishing, drive-by downloads, open ports, buffer overflow vulnerabilities -- all are possible ways that attackers can get ransomware onto a system," Rubin said.

While Microsoft's update effectively removes the threat of EternalBlue, Rubin said improving awareness is the key to avoiding phishing attacks.

James E. Bentley II, a spokesman for Baltimore Mayor Bernard Young, said the city is still waiting for the results of forensic and criminal investigations, and that information will determine how the city will guard its systems in the future.


Baltimore is following a road map to restore infected systems, he added -- systems that include email, city payments and real estate. The entire recovery is expected to take months. The $18 million cost includes $10 million to restore the infected systems and $8 million in lost revenue.

Bentley said the city is about a third of the way finished restoring email services to the city's 10,000 employees and is actively working to bring other systems back online. As a temporary fix, city employees set up Gmail accounts.

"We are continuing to work on recovery and restoration of data, applications and servers," he said. "They will come back into services as they are safely and securely restored."

Latest Headlines