Hackers unleashed an attack that disabled computers in dozens of nations Friday using a software flaw that once was part of the National Security Agency’s surveillance tool kit.
The resulting wave of online chaos affected tens of thousands of machines worldwide, snarling operations at the Russian Interior Ministry, Spanish telecommunications giant Telefónica and Britain’s National Health Service (NHS), where hospitals were hobbled and medical procedures interrupted.
Europe, Latin America and parts of Asia were hit particularly hard, although in the United States, FedEx also reported falling prey to the malware. The attack was the latest in a growing menace of “ransomware,” in which hackers deliver files to computers that automatically encrypt their data, making it unusable — until a ransom is paid.
“This is not targeted at the NHS,” British Prime Minister Theresa May told reporters. “It’s an international attack, and a number of countries and organizations have been affected.”
The hack renewed a long-running debate about the dangers of intelligence agencies such as the NSA collecting and using software flaws for espionage, rather than quickly alerting companies to vulnerabilities so they can fix them.
In this case, the NSA found a flaw in Microsoft software that made the hack possible. The agency reported the flaw to the company after a security breach was discovered in August, according to former U.S. officials speaking on the condition of anonymity because of the sensitivity of the topic.
Microsoft fixed the problem in a patch it released in March, before a group calling itself the “Shadow Brokers” publicly released it online in April.
But system administrators appear to have applied the patch inconsistently, leaving some computers vulnerable. The vulnerability gave the hackers what amounted to a lock pick to the Microsoft software on computers that did not receive the update from the company or that used outdated operating systems.
It was not clear who was behind the campaign, which, experts said, was the first known time a hacker group used the NSA tools released by the Shadow Brokers to conduct a large-scale hack.
“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies but by hackers and criminals around the world,” the American Civil Liberties Union, a frequent NSA critic, said in a statement.
The NSA did not respond to requests for comment, but some experts expressed sympathy for the agency because it had warned Microsoft about the problem.
Peter Eckersley, technology projects director for the Electronic Frontier Foundation, a San Francisco-based civil liberties group that has sharply criticized the NSA for its aggressive surveillance, said: “In this instance, it’s a little unfair to blame the NSA. They could have been following the best possible defensive practices, and this probably would have gone down the same way.”
But the speed and scale of the malware spread startled experts. “It’s one of the first times we’ve seen a large international global campaign,” said Chris Camacho, chief strategy officer for Flashpoint, a cyber-intelligence company. “It’s pretty shocking. This morning people woke up thinking it was only in Europe. Now it’s hitting countries around the world. It’s global.”
Cyber security experts said the malware arrived through “phishing” attacks in which recipients of emails were tricked into opening phony links. Once one computer in a system was infected, the malware spread to other machines on the same network. In some cases, the malware was delivered in spam emails.
The ransomware spread so quickly because it was delivered by a special digital code developed by the NSA to move from one unpatched computer to another, security experts said. They warned that the malware now could move from large networks to individual users.
“This could be the very first instance of the use of a ‘ransom worm,’ ” Camacho said, coining a term that refers to a ransomware file that spreads across networks.
The program is called “Wanna Decrypt0r 2.0” and appears to support 28 languages, underscoring the global ambitions of its creators, said cyber security experts.