Cybersecurity experts told ABC News that the unidentified attackers exploited a vulnerability in Microsoft software that was identified by the U.S. National Security Agency (NSA) and leaked to the public by the hacker group The Shadow Brokers in April.
Microsoft released a patch to address the vulnerability, but networks that did not adopt it would have remained vulnerable. The tech company did not immediately respond to ABC News’ request for comment.
“This appears to be the first incidence of the use of an NSA exploit in a broad and far reaching cybercriminal campaign,” John Bambenek of Fidelis Cybersecurity said.
The first reports emerged from England, where hospitals across the country were hit by ransomware attacks, in which hackers infect computers with malicious software and demand ransoms to restore access, according to the National Health Service (NHS).
As of this afternoon, 16 facilities with the NHS, which is the publicly funded health care system for England, had reported that they were affected by what appeared to be a large-scale cyberattack.
“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” NHS Digital, the body of the Department of Health that uses information and technology to support the health care system, said in a statement.
The attack has locked computers and blocked access to patient files. But there’s no evidence so far that patient data has been accessed, NHS Digital said.
Chris Camacho, chief strategy officer at the cybersecurity firm Flashpoint, confirmed the use of NSA tools in the “clever” attack that used encrypted emails to work around security software and gain access to a networks ripe for exploitation.
“There’s nothing you can do but pay once you’re hit,” Camacho said. “If you need that data back, you’re going to pay.”
NHS Digital said it is working closely with the National Cyber Security Center, the Department of Health and NHS England “to support affected organizations and ensure patient safety is protected.”
“We’d like to reassure patients that if they need the NHS and it’s an emergency that they should visit [Accident & Emergency services] in the same way as they normally would and staff will ensure they get the care they need,” NHS incident director Anne Rainsberry said in a statement.
“More widely we ask people to use the NHS wisely while we deal with this major incident which is still ongoing. NHS Digital are investigating the incident and across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business.”
The National Cyber Security Center said it is “aware of a cyberincident.”
FedEx appears to be the first U.S.-based target. A spokesperson for FedEx confirmed to ABC News that the company is among the victims of the ransomware attacks.
“Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” said a spokesperson in a statement. “We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.”
Following the leak of NSA tools, Bambenek told ABC News that he had conversations with high-ranking U.S. national security officials in which he urged them to share information with private vendors so that they could develop countermeasures because the NSA had “lost control of its own weapons.”
“That did not progress rapidly enough, and here we are today,” Bambenek said. “The NSA can have very smart people finding these vulnerabilities, but not very smart people can start using them to very devastating effect.”