NotPetya developers may have obtained NSA exploits weeks before their public leak [Updated]

Update: This post was revised throughout to reflect changes F-Secure made to Thursday’s blog post. The company now says that the NotPetya component was probably completed in February, and assuming that timeline is correct, it didn’t have any definitive bearing on when the NSA exploits were obtained. F-Secure Security Advisor Sean Sullivan tells Ars that the component weaves in the NSA exploits so well that it’s likely the developers had access to the NSA code. “It strongly hints at this possibility,” he said. “We feel strongly that this is the best theory to debunk.” This post has been revised to make clear that the early access is currently an unproven theory.

Original Story: The people behind Tuesday’s massive malware outbreak might have had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according to clues researchers from antivirus F-Secure found in some of its code.

EternalBlue and EternalRomance, as the two exploits were codenamed, were two of more than a dozen hacking tools leaked on April 14 by an as-yet unknown group calling itself the Shadow Brokers. Almost immediately, blackhat and grayhat hackers used EternalBlue to compromise large numbers of computers running out-of-date versions of Microsoft Windows. Within a week or two, blackhats started using EternalBlue to install cryptomining malware. No one really noticed until the outbreak of the WCry ransomware worm on May 12, which infected an estimated 727,000 computers in 90 countries.

On Thursday, F-Secure researchers said that unconfirmed timestamps left in some of the NotPetya malware code suggested that the developers may have had access to EternalBlue and EternalRomance as early as February, when they finished work on the malware component that interacted with the stolen NSA exploits. The potential timeline is all the more significant considering the quality of the component, which proved surprisingly adept in spreading the malware from computer to computer inside infected networks. The elegance lay in the way the component combined the NSA exploits with three off-the-shelf tools including Mimikatz, PSExec, and WMIC. The result: NotPetya could infect both patched and unpatched computers quickly. Code that complex and effective likely required weeks of development and testing prior to completion.

Fully baked

“February is many weeks before the exploits EternalBlue and EternalRomance (both of which this module utilizes) were released to the public (in April) by the Shadow Brokers,” F-Secure researcher Andy Patel wrote in a blog post. “And those exploits fit this component like a glove.”

Whereas the two other main components of NotPetya—an encryption component and a component for attacking a computer’s master boot record—were “pretty shoddy and seem kinda cobbled together,” Patel said the spreading component seems “very sophisticated and well-tested.” It remains possible that the February timestamps found in some of the code was falsified. Assuming the stamps are correct, they suggest that developers may have had access, or at least knowledge of, the NSA exploits by then. By contrast, Patel added:

WannaCry clearly picked [the NSA] exploits up after the Shadow Brokers dumped them into the public domain in April. Also WannaCry didn’t do the best job at implementing these exploits correctly.

By comparison, this “Petya” looks well-implemented, and seems to have seen plenty of testing. It’s fully-baked.

The weeks leading up to the possible February completion of the NotPetya spreader was a particularly critical time for computer security. A month earlier, the Shadow Brokers advertised an auction that revealed some of the names of the exploits they had, including EternalBlue. NSA officials responded by warning Microsoft of the theft so that the company could patch the underlying vulnerabilities. In February, Microsoft abruptly canceled that month’s Patch Tuesday. The unprecedented move was all the more odd because exploit code for an unpatched Windows 10 flaw was already in the wild, and Microsoft gave no explanation for the cancellation.

“Meanwhile, ‘friends of the Shadow Brokers’ were busy finishing up development of a rather nifty network propagation component, utilizing these exploits,” Patel wrote.

When Patch Tuesday resumed in March, Microsoft released a critical security update that fixed EternalBlue. As the WCry outbreak would later demonstrate, large numbers of computers—mainly running Windows 7—failed to install the updates, allowing the worm to spread widely.