Microsoft blames NSA's 'stockpiling of cyber weapons' for ransomware attack that hit UK hospitals
'We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits'
The president of Microsoft, Brad Smith, has laid some of the blame for last week's ransomware cyberattack at the feet of the NSA and called for "urgent collective action".
Smith criticised US intelligence agencies, including the CIA and National Security Agency, for "stockpiling" software code that can be used by hackers.
Cyber-security experts say the unknown hackers who launched the attacks used a vulnerability that was exposed in NSA documents leaked online.
Writing in a blog post, Mr Smith said: "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."
He likened this to "the US military having some of its Tomahawk missiles stolen".
"They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Mr Smith said.
“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he said.
“We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now.”
Microsoft said it distributed a patch two months ago to help protect computers from some forms of attack but not all machines were updated.
NSA whistleblower Edward Snowden tweeted: "Microsoft officially confirms @NSAGov developed the flaw that brought down hospitals this weekend."
Tom Bossert, a homeland security adviser to President Donald Trump, said "criminals" were responsible, not the US government.
Mr Bossert said the US has not ruled out involvement by a foreign government, but that the recent ransom demands suggest a criminal network.
Mr Bossert told ABC's "Good Morning America" that the attack is something that "for right now, we've got under control" in the United States.
So far, not many people have paid the ransom demanded by the malware, Europol spokesman Jan Op Gen Oorth said.
Eiichi Moriya, a cybersecurity expert and professor at Meiji University, warned that paying the ransom would not guarantee a fix.
"You are dealing with a criminal," he said.
"It's like after a robber enters your home. You can change the locks but what has happened cannot be undone."
The worldwide "ransomware" cyber attack has spread to thousands more computers as people across Asia logged in at work, disrupting businesses, schools, hospitals and daily life.
But no new large-scale outbreaks have been reported, and British officials said a feared second wave of infections had not materialised.
The new infections were largely in Asia, which had been closed for business when the malware first struck.
In Britain, where the health service was among the first high-profile targets of the online extortion scheme, Health Secretary Jeremy Hunt said "we have not seen a second wave of attacks".
He said "the level of criminal activity is at the lower end of the range that we had anticipated".
The malware, known as "WannaCry," paralysed computers running factories, banks, government agencies and transport systems, hitting 200,000 victims in more than 150 countries.
Among those hit were Russia's Interior Ministry and companies including Spain's Telefonica and FedEx in the US.
If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patch—and it falls into enemy hands, should NSA write a patch? https://t.co/TUTtmc2aU9 — Edward Snowden (@Snowden) May 12, 2017
In light of today's attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals. — Edward Snowden (@Snowden) May 12, 2017
Though the spread of the ransomware slowed on Monday, many companies and government agencies were still struggling to recover from the first attack.
Carmaker Renault said one of its French plants, which employs 3,500 people, was not reopening Monday as a "preventative step".
Britain's National Health Service said about a fifth of NHS trusts were hit by the attack on Friday, leading to thousands of cancelled appointments and operations.
Seven of the 47 affected trusts were still having IT problems on Monday.
The British government denied allegations that lax cybersecurity in the financially stretched, state-funded health service had helped the attack spread.
Prime Minister Theresa May said "warnings were given to hospital trusts" about the Microsoft vulnerability exploited by the attackers.
NHS Digital, which oversees U.K. hospital cybersecurity, said it sent alerts about the problem - and a patch to fix it - to health service staff and IT professionals last month.
Tim Stevens, a lecturer in global security at King's College London, warned that the incident should be a wake-up call to both the public and private sectors to incorporate security into computer systems from the ground up, rather than as an afterthought.
"This thing cannot be brushed under the carpet," he said. "It is so visible and so global. There is going to have to be change at levels where change can be made."
In Asia, where Friday's attack occurred after business hours, thousands of new cases were reported on Monday as people came back to work.
The Japan Computer Emergency Response Team Coordination Centre, a non-profit group, said 2,000 computers at 600 locations in Japan were affected.
Companies including Hitachi and Nissan Motor Co reported problems but said they had not seriously affected their operations.
Chinese state media said 29,372 institutions there had been infected along with hundreds of thousands of devices.
Universities and other educational institutions in China were among the hardest hit, possibly because schools tend to have old computers and be slow to update operating systems and security, said Fang Xingdong, founder of ChinaLabs, an internet strategy think tank.
On social media, students complained about not being able to access their work, and people in various cities said they had not been able to take their driving tests over the weekend because some local traffic police systems were down.
Railway stations, mail delivery, petrol stations, hospitals, office buildings, shopping malls and government services also were affected, China's Xinhua News Agency said - citing the Threat Intelligence Centre of Qihoo 360, an internet security services company.
In Indonesia, the malware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.
Experts urged organisations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by Microsoft to limit vulnerability to a more powerful version of the malware - or to future versions that cannot be stopped.
The attack held users hostage by freezing their computers, popping up a red screen with the words, "Oops, your files have been encrypted!" and demanding money through online bitcoin payment - 300 US dollars at first, rising to 600 US dollars before it destroys files hours later.
As cyber-security firms worked around the clock to monitor the situation and install a software patch, new variants of the rapidly replicating malware were discovered on Sunday.
One did not include the so-called kill switch that allowed researchers to interrupt the malware's spread on Friday by diverting it to a dead end on the internet.
Ryan Kalember, senior vice president at Proofpoint, which helped stop its spread, said the version without a kill switch could spread.
It was benign because it contained a flaw that prevented it from taking over computers and demanding ransom to unlock files, but other, more malicious ones will likely pop up.
"We haven't fully dodged this bullet at all until we're patched against the vulnerability itself," Mr Kalember said.