Politicians representing a US city struck by a ransomware attack are asking questions of the National Security Agency after claims it helped make the breach possible.
The New York Times reported on Saturday that a hacking vulnerability known as EternalBlue has been exploited to blackmail Baltimore’s local government.
The NSA discovered the flaw, but the paper claims that its cyber-spies kept the discovery secret for years.
The NSA declined to comment.
But the report has particular resonance as the organisation is headquartered at Fort Meade, Maryland, which is a short drive from Baltimore.
“We don’t have anything for you on this,” an NSA spokesman told the BBC.
The EternalBlue flaw has been implicated in a range of cyber-attacks over the past three years, including the WannaCry assault that disrupted the UK’s NHS.
It involves a bug in old versions of Microsoft’s Windows operating system that allows other malicious code to be run on infected computers.
The NSA reportedly created a tool to do this, which it also called EternalBlue.
- Ethical hackers take bugs to the bank
- Google thwarts Baltimore ransomware fightback
- Baltimore government held hostage by hackers’ ransomware
The New York Times said the agency did not disclose the problem to Microsoft for more than five years until a breach forced its hand.
Microsoft released a fix for EternalBlue flaw in March 2017.
Weeks later, a group calling itself the Shadow Brokers leaked the NSA’s related hacking tool online.
The NSA has never confirmed how it came to lose control of its code nor officially commented on the affair.
But the suggestion is that if it had shared its findings with Microsoft at an earlier stage, fewer PCs would have been exposed to subsequent attacks that made use of the vulnerability.
Email lock-out
Thousands of Baltimore’s city government computers were frozen on 7 May after their files became digitally scrambled.
The criminals responsible demanded 13 Bitcoin ($114,440; £6,940) to unlock them all, or three Bitcoin to release specific systems ahead of a deadline, which has now passed.
The authorities refused.
