Criminal hacking groups have repurposed a second classified cyber weapon stolen from US spies and have made it available on the so-called dark web after the success of the WannaCry attack that swept across the globe on Friday.
The hacking tool, developed by the US National Security Agency and codenamed EsteemAudit, has been adapted and is now available for criminal use, according to security analysts.
As with the NSA’s EternalBlue — the tool on which WannaCry was based — EsteemAudit exploits a vulnerability in older versions of Microsoft’s Windows software in the way in which networked machines communicate with each other.
Microsoft issued patches for vulnerable versions of its Windows software over the weekend — though experts warn many organisations have yet to apply them.
Intelligence and law-enforcement officials said they fear WannaCry may foreshadow a wave of similarly damaging attacks, as criminals and others race to make use of digital weapons that for years were only available to the most technologically sophisticated nation states.
At least a dozen other NSA tools are currently being discussed and worked on as the basis of potential new cyber weapons on hacking forums on the dark web, parts of the internet not accessible via normal search engines.
On Monday, the WannaCry attack, which hit 200,000 computers across 150 countries, appeared to slow. Europol, the European police agency, said the spread of the virus had stalled in Europe.
“We weren’t expecting to see it, but there has been a slight decline in the number of computers affected in Europe,” a Europol spokeswoman said. But she added: “We do not think this is the end of the crisis. The hackers have already evolved the malware, and will probably continue to do so.”
Six analysts and intelligence officials who spoke to the FT said they were beginning to piece together the origins of the WannaCry attack, although the perpetrators were still unknown.
They have identified three main sources: the US National Security Agency, which developed a number of digital espionage capabilities; a second cluster of unidentified hackers who are working to “weaponise” those tools following their leaking online; and a third group — WannaCry’s operators — who added the ransomware that demands a fee for unlocking infected computers.
“We believe they [WannaCry’s operators] are amateurs,” said Catalin Cosoi, chief security strategist at the cyber security firm Bitdefender. “They saw an opportunity and they took it.”
Mr Cosoi said a number of groups were very active on the dark web looking to turn leaked NSA tools into viable weapons.
Beginning last year, an anonymous group known as the Shadow Brokers, which Western intelligence officials believe to be a proxy for Russian intelligence services, began to leak NSA cyber weapons online.
However, Vladimir Putin, Russia’s president, on Monday castigated US intelligence agencies for the WannaCry outbreak.
Speaking in Beijing, Mr Putin cited comments by a top Microsoft executive that criticised the US government’s “stockpiling” of cyber weapons and denied any link with Russia.
“Microsoft said it directly: the initial source of this virus is the US’s security agencies, Russia’s got absolutely nothing to do with it,” Mr Putin said.
The attack hit the Russian interior ministry, the mobile provider MegaFon and Sberbank, the state-owned financial group, as well as a number of other ministries and state-run companies, making Russia the country hardest hit by the attack, according to Kaspersky Lab, a Moscow-based cyber security company.
“There is a global ecosystem of cyber criminals and sophisticated hackers which are putting a lot of attack methodology into open-source,” said Ciaran Martin, director of the UK’s National Cyber Security Centre.
“It gets modified and reused and upgraded. The volume of open-source exploits and that ecosystem are getting bigger.” Mr Martin declined to comment on the specific origins of WannaCry or other tools being offered online.
Mr Martin urged organisations to apply the patches currently available from Microsoft to their software — which will protect them from any attacks based on leaked NSA tools.
Additional reporting by Tim Bradshaw in San Francisco