In 2017, after Microsoft learned about a hack the U.S. government had secretly created using a flaw in Microsoft software, the company released a patch that customers could use to protect their computer systems.

But the warning went unheeded in many U.S. public school systems like Baltimore County’s and, it appears, local governments like Baltimore City, which has been crippled for nearly three weeks by ransomware spread using the hack.

According to a report by the New York Times, the EternalBlue “exploit,” which has been employed by hackers to spread destructive malware worldwide, was the key component of the ransomware attack that hit Baltimore on May 7.

The National Security Agency developed EternalBlue and was using it in intelligence-gathering and counterterrorism missions, but it eventually fell into the hands of state hackers in North Korea, Russia and China.

Citing “security experts briefed on the case,” the Times said the malware that struck Baltimore used EternalBlue, as have the hackers who are increasingly striking local governments, a trend that the Department of Homeland Security warned about a year ago.

The weaknesses that make these targets vulnerable are the same ones that Ars Technica’s Sean Gallagher pinpointed in The Brew last week – jumbled and outdated municipal IT.

“Hackers seem to have found a sweet spot in Baltimore; Allentown, Pa.; San Antonio and other local American governments where public employees oversee tangled networks that often use out-of-date software,” the Times’ Nicole Perlroth and Scott Shane wrote.

Emergency Declaration?

Responding to the Times report, two Maryland congressmen – Sen. Chris Van Hollen and Rep. C.A. Dutch Ruppersberger – are seeking a briefing from NSA officials.

Meanwhile, City Council President Brandon Scott has urged Maryland Gov. Larry Hogan to seek an emergency disaster declaration for Baltimore, the kind of designation that jurisdictions request to get federal aid when dealing with natural disasters like hurricanes and tornadoes.

“The fact that the root technology that enabled this attack came from our own federal government, just miles away, only adds insult to injury,” said Scott, who called for the creation of a special Council committee on cybersecurity and emergency preparedness last week.

Hogan’s office has said the governor will continue to work with city leaders to address the matter, including “leveraging state and federal resources.”

Institutional Incompetence?

In assessing responsibility for the Baltimore attack, many point not so much to NSA, but to targets who failed to protect themselves.

“The real story here is that so many big organizations, like the British Healthcare System, Fedex, Merck, the City of Baltimore, airlines, hotels, etc., etc., are not patching their vulnerable computer systems to prevent malware attacks,” wrote Newfie, commenting on the Times story. “That is institutional incompetence on a staggering scale.”

Defending NSA in public testimony quoted in the Times story, former director Admiral Michael S. Rogers used this analogy:

“If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota’s responsibility?” he asked. “The NSA wrote an exploit that was never designed to do what was done.”

An expert in the article disagreed, saying EternalBlue was not an innocent bit of software, but a weapon designed specifically for espionage.

Other commenters have seized on the Toyota analogy, pointing the finger squarely at Baltimore government: