NotPetya developers may have obtained NSA exploits weeks before their public leak [Updated]

by Dan Goodin, from Ars Technica
A computer screen displaying EternalRomance, one of the NSA exploits used in Tuesday's NotPetya outbreak. (credit: Matthew Hickey)

Update: This post was revised throughout to reflect changes F-Secure made to Thursday's blog post. The company now says that the NotPetya component was probably completed in February and, assuming that timeline is correct, it didn't have any definitive bearing on when the NSA exploits were obtained. F-Secure Security Advisor Sean Sullivan tells Ars that the component weaves in the NSA exploits so well that it's likely the developers had access to the NSA code. "It strongly hints at this possibility," he said. "We feel strongly that this is the best theory to debunk." This post is being revised to make clear the early access is currently an unproven theory.

The people behind Tuesday's massive malware outbreak might have had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to clues that researchers from antivirus firm F-Secure found in some of the malware's code.

EternalBlue and EternalRomance, as the two exploits were codenamed, were two of more than a dozen hacking tools leaked on April 14 by an as-yet unknown group calling itself the Shadow Brokers. Almost immediately, blackhat and grayhat hackers used EternalBlue to compromise large numbers of computers running out-of-date versions of Microsoft Windows. Within a week or two, blackhats started using EternalBlue to install cryptomining malware. No one really noticed until the outbreak of the WCry ransomware worm on May 12, which infected an estimated 727,000 computers in 90 countries.
