×

Cyberattacks in 12 nations said to use leaked NSA hacking tool

An extensive cyberattack struck computers across a wide swath of Europe and Asia on Friday, and strained the public health system in Britain, where doctors were blocked from patient files and emergency rooms were forced to divert patients.

The attack involved ransomware, a kind of malware that encrypts data and locks out the user. According to security experts, it exploited a vulnerability that was discovered and developed by the National Security Agency.

The hacking tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen N.S.A. hacking tools online beginning last year. Microsoft rolled out a patch for the vulnerability last March, but hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.

The malware was circulated by email; targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.

Reuters reported that employees of Britain's National Health Service were warned about the ransomware threat earlier on Friday.

By then, it was already too late. As the disruptions rippled through hospitals, doctors' offices and ambulance companies across Britain on Friday, the health service declared the attack as a "major incident," a warning that local health services could be overwhelmed by patients.

Britain's health's secretary, Jeremy Hunt, was briefed by cybersecurity experts, while Prime Minister Theresa May's office said she was monitoring the situation.

Among the many other institutions that were affected were hospitals and telecommunications companies across Europe, Russia, Asia and beyond, according to MalwareHunterTeam, a security firm that tracks ransomware attacks. Spain's Telefónica and Russia's MegaFon were among the targets.

Attacks were being reported in Britain and 11 other countries, including Turkey, Vietnam, the Philippines, Japan, with the majority of affected computers in Russia. The computers all appeared to be hit with the same ransomware, and similar ransom messages demanding about $300 to unlock their data.

The attack on the National Health Service seemed perhaps the most audacious of the attacks, because it had life-or-death implications for hospitals and ambulance services.

Tom Donnelly, a spokesman for N.H.S. Digital, the arm of the health service that handles cybersecurity, said in a phone interview that 16 organizations, including "hospitals and other kinds of clinician services," had been hit by a cyberattack. Officials later updated that number to at least 25.

"It is still ongoing," he said. "We were made aware of it this afternoon."

The service's digital arm said in a statement that the attack involved a variant of ransomware known as Wanna Decryptor.

The user is asked to pay a ransom to unlock the computer. It has become an increasingly prevalent problem. Last year, a Los Angeles hospital paid $17,000 after such an attack; earlier this year, hackers shut down the electronic key system at a hotel in Austria.

On social media, several images circulated showing computer screens bearing a message that the user could not enter without first paying a $300 ransom in Bitcoin. Many doctors reported that they could not retrieve their patients' files.

N.H.S. Digital added, "At this stage we do not have any evidence that patient data has been accessed."

It said that the N.H.S. did not appear to have been the main target of the attack.

The National Cyber Security Center, an arm of the GCHQ, the British electronic surveillance agency, said it was investigating the attack. "We are aware of a cyber incident, and we are working with N.H.S. Digital and the National Crime Agency to investigate," it said in a statement.

As of 3:30 p.m., 16 organizations within N.H.S. England had reported being affected, the statement said. (It did not immediately appear that the N.H.S. systems in Scotland, Wales or Northern Ireland had been hit.)

According to the BBC, hospitals in London and Nottingham, the town of Blackburn and the counties of Cumbria and Hertfordshire had been affected.

In the northwestern seaside town of Blackpool, doctors had resorted to pen and paper, with phone and computer systems having shut down, according to the local newspaper, The Blackpool Gazette.

A bit to the south, in the seaside town of Southport, images on Twitter showed ambulances backed up outside the town's hospital.

In Stevenage, a town in Hertfordshire, north of London, the health service postponed all non-urgent activity and asked people not to come to the accident and emergency ward at the Lister Hospital.

Watch: Biosecurity warning, hackers targeting DNA?