Criminal hacking groups have repurposed a second classified cyberweapon stolen from US spies and have made it available on the so-called dark web after the success of the WannaCry attack that swept across the globe on Friday.
The hacking tool, developed by the US National Security Agency and codenamed EsteeMaudit, has been adapted and is now available for criminal use, according to security analysts.
As with the NSA’s EternalBlue, the tool on which WannaCry was based, EsteeMaudit exploits a vulnerability in Microsoft’s Windows software in the way in which networked machines communicate with each other.
Intelligence and law enforcement officials said they feared WannaCry might foreshadow a wave of damaging attacks, as criminals and others race to make use of digital weapons that for years were available only to the most technologically sophisticated nation-states.
At least a dozen other NSA tools are currently being discussed and worked on as the basis of potential new cyberweapons on hacking forums on the dark web – parts of the internet not accessible via normal search engines.
The WannaCry attack, which hit 200,000 computers across 150 countries, appeared to slow yesterday. Europol, the European police agency, said the spread had stalled in Europe.
“We weren’t expecting to see it but there has been a slight decline in the number of computers affected in Europe,” Europol said. “We do not think this is the end of the crisis: the hackers have already evolved the malware, and will probably continue to do so.”
Six analysts and intelligence officials spoken to by the Financial Times said they were beginning to piece together the origins of the WannaCry attack, although the perpetrators were still unknown.
They identify three main sources: the NSA, which developed a number of digital espionage capabilities; a second cluster of unidentified hackers who are working to “weaponise” those tools; and a third group who added the ransomware that demands a fee for unlocking infected computers.
“We believe [WannaCry’s operators] are amateurs,” said Catalin Cosoi, chief security strategist at the cyber security firm Bitdefender. “They saw an opportunity and they took it.”
Last year, a group known as the Shadow Brokers, which western intelligence officials believe to be a proxy for Russian intelligence services, began to leak NSA cyber weapons online.
However, Russian president Vladimir Putin castigated US intelligence agencies for the WannaCry outbreak.
Speaking in Beijing, Mr Putin cited comments by a top Microsoft executive that criticised the US government’s “stockpiling” of cyberweapons.
“Microsoft said it directly: the initial source of this virus is the US’s security agencies. Russia has got absolutely nothing to do with it,” Mr Putin said.