Hackers used the potent EternalBlue malware stolen from the National Security Agency (NSA) in 2017 to cripple Baltimore’s city government, the New York Times reported on Saturday, May 25, 2019.
Quick refresher: In 2017, the clandestine Shadow Brokers dumped the NSA’s most coveted cyber attack weapons on the open market. Some of those cyber tools, including EternalBlue, have since been co-opted by state-backed hackers in China, North Korea and Russia. EternalBlue, which exploits a vulnerability in Microsoft’s Windows XP and Vista operating systems, was behind the devastating WannaCry and NotPetya assaults in 2017. Now it’s city and state governments, such as Cleveland, Atlanta, Albany, NY and others, that are the newest ransomware targets.
In the Baltimore attack, which occurred on May 7, the cyber kidnappers locked up city government systems and demanded about $100,000 in Bitcoin to unlock the hijacked files. While the city has restored some systems and created workarounds for others, the attack would have been far less devastating had it not sprung from EternalBlue, the Times reported, based on expert opinions.
Baltimore Seeks Disaster Recovery Financial Assistance
With the city still struggling to recover, City Council President Brandon Scott has asked Maryland Governor Larry Hogan to seek a federal emergency and disaster declaration, which could gain Baltimore federal reimbursement for damages, costs and infrastructure repairs related to the attack, local CBS outlet WJZ reported. “I’ve reached out to Governor Hogan’s Office today to urge his leadership and cooperation in seeking Federal Emergency & Disaster Declaration for this incident,” Scott said. “Given the new information and circumstances it’s even more clear that the federal government needs to have a larger role in supporting the City’s recovery, including federal reimbursement for damages.”
A seemingly non-committal Gov. Hogan said the state will “continue to work closely with city leaders, including leveraging both state and federal resources, to help restore affected systems,” according to the WJZ report.
Meanwhile, Baltimore has created a new review board to audit its cybersecurity response and preparation. The Committee on Cybersecurity and Emergency Preparedness, which will be chaired by Council members Eric Costello and Isaac Yitzy Schleifer, is tasked with examining the City's “coordination of cybersecurity efforts, including the Administration's response to the cybersecurity attack and testimony from cybersecurity experts,” Scott said. He called the ransomware attack against the City’s government a “crisis of the utmost urgency.”
The Blow by Blow
Among the key updates and takeaways so far...
Communication breakdown. With Baltimore’s network infrastructure inoperative and normal communications channels addled, the mayor, city council members and many employees set up Gmail accounts as a workaround to conduct city business. Sounds simple enough, but Google’s system shut the accounts down. Multiple consumer accounts tied to the same network raised a red flag, Google reportedly said. The search giant has since restored those Gmail accounts.
Here’s the latest on what City officials are saying (via various media reports):
The city has not disclosed whether an MSSP relationship was in place ahead of the attacks.
Here's more of MSSP Alert's wall-to-wall coverage of the Baltimore ransomware attack.