Hackers have reportedly adapted a second cyber weapon stolen from US spies and released it on the internet to be picked up by criminals.
The new hacking tool also exploits weaknesses in older versions of Microsoft Windows software and was stolen from the US National Security Agency, like the stolen tool that formed the basis of last week’s WannaCry attack.
The tool, called EsteemAudit, has been adapted and is now available for criminal use, analysts told the Financial Times.
Britain’s cyber spies are calling on the skills of bedroom computer whiz kids to battle the ransomware threat which has struck more than 150 countries and crippled parts of the NHS.
Amateur cyber security experts and freelance enthusiasts such as the 22-year-old surfer credited with helping stop Friday’s attack are being courted by government intelligence agencies to work alongside their own in-house experts.
Security sources told the Telegraph they were working with Marcus Hutchins, who uses the name MalwareTech, and others to try to stop the spread of the WannaCry ransomware attack.
Spy agencies such as GCHQ and its offshoot, the National Cyber Security Centre, have a policy of reaching out to leaders in the cyber security field who may be working alone and not necessarily for large companies, or the Government.
One source said: “We work with a lot of different people. Some of those are people that you wouldn’t necessarily expect us, or large organisations, to work with.
“Because of the nature of our business, we need to reach out to these bright young things and get their expertise.
“We do it a lot because these people understand it more than perhaps some of the older generation. So that’s why we work with the likes of MalwareTech and these people have contacts with the National Cyber Security Centre.”
Conor McKenna, a computer security expert at the University of Birmingham, said that many of the most gifted people in the field preferred to work alone, or in the private sector, rather than for government.
Reaching out to them was “a fantastic way of getting these young individuals who understand the code probably better than most individuals”.
He said most computer “hackers” were wrongly portrayed as criminals, when in fact many of them wanted to test their skills against computer systems to expose flaws and weaknesses.
A security source said the hackers do not get paid and do not get access to classified information.
He said: “They do it for altruism and for the kudos of working with us.”
Mr Hutchins, from Devon, has been credited with stopping the WannaCry attack from spreading across the globe by accidentally triggering a “kill switch”.
The self-taught expert who has emerged as the accidental hero of the global cyber attack is understood to have stopped the incident escalating from a small bedroom in his parents’ house.
In a blog, he described how he stopped the spread of the virus by purchasing a web domain for £8 and by redirecting it elsewhere. He reportedly shouted “eureka” when he realised he had unintentionally halted the spread of the criminal software.
Last night, his mother said she was “very proud” of her son and that he was in London “at a meeting”.
Meanwhile it emerged that new helicopters, stealth fighters and submarine-hunting patrol planes being purchased by the UK from America could all be vulnerable to cyber attack.
The latest report by a Pentagon equipment watchdog said testing had found that Apache helicopters being bought by the British Army have “potentially significant cybersecurity deficiencies”.
Boeing P8 maritime patrol planes being bought for the RAF to replace the axed Nimrod fleet have “a collection of exploitable cybersecurity vulnerabilities”.
The Operational Test and Evaluation office of the Pentagon also said that the F-35 stealth fighter’s systems had not been properly tested for cyber attack.
A logistics system that automatically connects to the new aircraft to ensure new parts and fuel are ordered when needed could be hacked, it said.
A Ministry of Defence spokeswoman said: “The MOD takes cyber security extremely seriously. All equipment and systems are rigorously tested before entering and throughout their service so that vulnerabilities are identified and eliminated.”