
Illustration by Jason Reed

Microsoft condemns NSA weaponization of malware after WannaCry attacks

Microsoft's Brad Smith likened the scenario to the 'U.S. military having some of its Tomahawk missiles stolen.'

 

David Gilmour


Posted on May 15, 2017   Updated on May 24, 2021, 2:23 pm CDT

Microsoft confirmed in a blog post published on Sunday that the devastating ransomware that infected around 200,000 computers across 150 countries late last week was “drawn from the exploits stolen from the National Security Agency, or NSA, in the United States.”

The aggressive malware, dubbed WannaCrypt, utilized a previously reported vulnerability found within the Windows operating system produced by Microsoft.

The ransomware had been leaked by a hacker group called Shadow Brokers in 2016 and although a patch was already available for the exploit, many systems had not been updated and were left crippled as the virus rolled out. In the U.K., the National Health Service’s systems across 48 localized trusts fell victim, for example, seriously impacting patient care.

Responding to the incident, the company’s president and chief legal officer, Brad Smith, criticized the U.S. government’s weaponizing of computer vulnerabilities, the leak of which enabled this attack, and the dangers of not informing tech companies about them.

“This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action,” he wrote.

“Governments of the world should treat this attack as a wake-up call. … They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” Smith continued, adding: “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

Smith then likened the severity of the scenario to the “U.S. military having some of its Tomahawk missiles stolen.” He called, once again, for a Digital Geneva Convention that would require governments to “report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

Aside from taking a position on the wider consequences and implications of what will become a notorious cyberattack, Smith also took the time to underline Microsoft’s commitment to resolving the situation—beginning with a dedicated force of 3,500 security engineers currently working to help customers around the world recover their systems.

*First Published: May 15, 2017, 12:55 pm CDT