Eternally Blue: Baltimore City leaders blame NSA for ransomware attack
The mayor and city council president of Baltimore are pushing for the ransomware attack that brought Baltimore’s city government to a standstill to be designated a disaster, and officials are seeking federal aid to help pay for the cleanup from the RobbinHood malware’s damage. This call came after a New York Times report that the ransomware used the EternalBlue exploit developed by the National Security Agency to spread across the city’s network.
EternalBlue was part of a set of tools developed for the NSA’s Tailored Access Operations (TAO) group that were leaked by Shadow Brokers in 2017. The tool was then used two months later as part of WannaCry, the destructive cryptographic worm that affected thousands of computers worldwide. Shadow Brokers has been linked by some security experts to a Russian intelligence agency; WannaCry has been attributed to North Korea’s military.
After being alerted by the NSA, Microsoft issued a security patch for the vulnerability exploited by EternalBlue (among others) in March of 2017, even issuing patches for Windows Vista (which was at the time just about to be dropped from long-term paid support) and Windows XP (which had already dropped out of support).
The WannaCry malware attack arrived as many companies were still testing the patch for deployment. Now two years later, the protocol exploited by EternalBlue, WannaCry, and the NotPetya ransomware worm (Server Message Block version 1, or SMB v.1) is still visibly in use by more than 1 million Internet-connected computers worldwide, according to data from the security search engine Shodan. As Ars recently reported, thousands of those computers are part of the networks of US school districts; many more belong to local governments, law enforcement organizations, state universities, community colleges, and other public institutions. Even more of these vulnerable machines run inside similar organizations’ networks, concealed from scans by firewall filters but still vulnerable to the exploit if an attacker gains access through another means.
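As a defender's check tied to the exposure described above, the following PowerShell audit reports whether a Windows host still has SMBv1 enabled and can switch it off. It is added here and is not the article's or the city's code; it assumes Windows 8.1 / Server 2012 R2 or later (for the `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` cmdlets) and an elevated session, and the registry value it reads is the documented `SMB1` override under `LanmanServer\Parameters`.

```powershell
# Added audit script (not from the article): report whether SMBv1 is still
# enabled on this host and, with -Disable, turn it off. Assumes Windows 8.1 /
# Server 2012 R2 or later and an elevated PowerShell session.
param(
    [switch]$Disable   # pass -Disable to remediate instead of only reporting
)

function Get-Smb1Status {
    $result = [ordered]@{
        ServerProtocolEnabled = $null   # SMB1 honoured by the LanmanServer service
        OptionalFeatureState  = $null   # state of the SMB1Protocol Windows feature
        RegistryOverride      = $null   # LanmanServer\Parameters\SMB1 (0 = disabled)
    }
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.ServerProtocolEnabled = $cfg.EnableSMB1Protocol }

    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.OptionalFeatureState = $feat.State }

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    if ($reg) { $result.RegistryOverride = $reg.SMB1 }

    [pscustomobject]$result
}

$status = Get-Smb1Status
$status | Format-List

# Any one of these signals means the host still speaks the protocol EternalBlue targets.
$exposed = ($status.ServerProtocolEnabled -eq $true) -or
           ($status.OptionalFeatureState -eq 'Enabled') -or
           ($status.RegistryOverride -eq 1)

if (-not $exposed) {
    Write-Host 'SMBv1 is not enabled on this host.'
} elseif ($Disable) {
    # Turn the protocol off at the service and feature layers; the feature
    # removal completes on the next reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMBv1 disabled; reboot to finish removing the feature.'
} else {
    Write-Warning 'SMBv1 is enabled. Re-run with -Disable once no legacy dependency needs it.'
}
```

Disabling SMBv1 is a complement to, not a substitute for, installing the March 2017 patch, since the same hosts are typically behind on other updates as well.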
In Baltimore’s case, several sources have told Ars that the ransomware arrived via a phishing attack against a city employee. It is not clear if the phishing attack was targeted. Once the initial foothold was established by RobbinHood’s operators, the ransomware was spread across the network—at least in part by using code cut-and-pasted from the EternalBlue tool leaked by Shadow Brokers.
It’s a disaster, alright
Baltimore’s ongoing ransomware dilemma is in many ways a product of more than a decade of neglect of the city’s information technology infrastructure. Since 2012, four Baltimore City chief information officers have been fired or have resigned; two left while under investigation.
CIO Christopher Tonjes, who left in June of 2014, was forced to resign in the face of a Maryland attorney general’s investigation into claims his office had paid contractors for work they didn’t do. In 2017, CIO Jerome Mullen was fired in the midst of an investigation into alleged misconduct, including “inappropriate contact” with women in the mayor’s Office of Information Technology. He denied the accusations and cited “historic issues” with the city’s IT that had led to problems with the city’s 911 system (which was ceded back to the police and fire departments’ control in 2015) and a host of other IT missteps.
In fact, the IT department languished following the departure of Mayor Martin O’Malley, who became Maryland’s governor in 2007. O’Malley had instituted CitiStat, a data dashboard for monitoring things like police and city worker overtime pay, employee absenteeism, and (as it expanded) a host of service delivery and infrastructure issues. The system was immortalized in fictional form in the television series The Wire, and it relied on aggregated reports from city agencies, usually presented in PowerPoint format to the mayor in regular meetings. Little about the infrastructure used to create the data has changed in the last dozen years. An audit of the Baltimore Police Department last year found that precincts were still using IBM’s (Lotus) Notes databases developed by a consultant during the O’Malley administration to track data, and no standard reporting format was used. The versions of Notes used by the police department reached end-of-support in 2015.
In 2017, current CIO and Chief Digital Officer Frank Johnson—an electrical engineer who was previously the Washington, DC, regional sales vice president for Intel—stepped into the role after being hired by former Mayor Catherine Pugh. Johnson then hired Gartner Research to help develop a five-year plan to bring Baltimore’s technology infrastructure into the 21st century—a plan that has largely remained unimplemented. In his report presenting the plan, Johnson and the Office of Information Technology (OIT) team noted:
“Decades of decentralized information technology (IT) management and insufficient enterprise investment has led to a system that struggles to support city priorities and deliver service improvements for both residents and businesses. Furthermore, many of the city’s IT capabilities are outdated and lack the modern-day range of capabilities offered by comparable cities.”
Show me the money
Baltimore’s 2018 budget only allocated $65 million for city-wide information technology operations—2.5 percent of the city’s total budget. That’s less than half of the average for US cities. And most of that budget is controlled by the individual city departments—only $29,239,360 of the 2018 budget went directly to OIT, based on city data—with $7 million of that covering the department’s payroll for its 112 employees.
In order to overcome years of neglect, Baltimore would have to raise its IT spending to “the $128 million to $156 million range,” according to the OIT strategic plan. That has not happened so far. The city’s fiscal 2019 budget for IT was $31,133,582. It included:
- $4 million for storage hardware and firewall upgrades, and other IT infrastructure improvements.
- $217,000 for consulting services, including continued engagement with Gartner.
- $5.5 million to replace obsolete police, fire, and emergency services 800 MHz radios, in addition to the costs to those departments.
- $3 million for a citywide Hardware and Software Refresh Program.
In the proposed budget, city officials noted that the OIT would:
“…continue working toward a shared service model which will help to reduce duplicative services, improve interoperability for enhanced interagency digital workflows, streamline data management for business intelligence and analytics, as well as improve the City’s overall cyber security posture. Moreover, shared services will result in greater access to information across agencies, resource savings as economies of scale are realized, and enhanced business continuity.”
The city’s legal department was the first to move to a cloud-based model. But the ransomware attack has accelerated OIT’s plans to push more services into the cloud; email services, which still have not been restored, have already been redirected to a Microsoft-hosted service.
Passing the buck
The changes Johnson and OIT have been pressing for require more than funding—they also require a major change in the city government’s culture. Fixing things requires that each of the city’s departments, each with their own particular information technology footprint and workplace culture, play along with OIT’s efforts to “reduce duplicative services, improve interoperability for enhanced interagency digital workflows, [and] streamline data management for business intelligence and analytics.” And given that there hasn’t been central budgeting for tasks like training city employees on security issues as basic as phishing, changing how city employees interact with technology will require a Herculean effort.
So far, Mayor Bernard “Jack” Young and City Council President Brandon Scott have not been quick to acknowledge these issues. Young (who in a press conference said that the ransomware was developed by NASA before correcting himself later) and Scott have instead pointed to the federal government’s culpability for the theft of the EternalBlue exploit, blaming the NSA for the ransomware attack. Ars has reached out to Johnson, Young, and Scott for comment, but we have yet to receive a response.