White House: Blame cyberattack on hackers, not spy agencies

President Donald Trump's homeland security adviser has a message to those blaming U.S. intelligence agencies for the cyberattack encircling the globe: Don't point a finger at the National Security Agency. Blame the hackers.

Since Friday, malware has infected an estimated 300,000 computers in 150 countries. Users' files at hospitals, companies and government agencies have been held for ransom.

Cybersecurity experts say the unknown hackers used a hole in Microsoft software that was discovered by the National Security Agency. The hole was exposed when NSA documents were leaked online.

Brad Smith, general counsel and executive vice president of Microsoft, laid some of the blame with the U.S. government, criticizing U.S. intelligence agencies for "stockpiling" software code that can be used by hackers.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability, stolen from the NSA, has affected customers around the world," he said.

Tom Bossert, Trump's assistant for homeland security and counterterrorism, defended the NSA, the lead U.S. signals intelligence agency.

"This was not a tool developed by the NSA to hold ransom data," Bossert told reporters Monday. "This was a tool developed by culpable parties — potentially criminals or foreign nation-states."

Perpetrators put the malware together in a way to deliver it with phishing e-mails, put it into embedded documents and caused infection, encryption and locking, he said.

Cyber experts are telling government officials that the malware was built with parts and codes cobbled together from different places, a U.S. official said. The official was not authorized to publicly discuss the investigation and spoke only on condition of anonymity.

Cyber experts say the tools were stolen from the Equation Group, a powerful squad of hackers which some have tied to the NSA. The tools materialized as part of an internet electronic auction set up by a group calling itself "Shadow Brokers," which promised to leak more data into the public.

"I haven't found an analyst who doesn't say it doesn't come from the NSA cache," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

"Think of it like a master key," Lewis said. "NSA identified a vulnerability in a Microsoft software that the Shadow Brokers then released so anybody could use it."

The Shadow Brokers "shared that vulnerability with the world and then these criminals took advantage of it," he said.

V. Miller Newton, president of PKWARE, a data protection and encryption company based in Milwaukee, Wisconsin, said leaks of purported NSA hacking tools have been coming out in dribs and drabs since August.

"Criminals or terrorists are going to try to leverage these exploits," he said. "How damaging could it be? Extremely."

"The tools are useful and they are in the hands of criminals today," Newton said. "Holy cow! The government can't protect itself from insiders?"

Salim Neino, CEO of the Los Angeles-based Kryptos Logic, whose researcher foiled the latest global cyberextortion attack, says the leak of the NSA hacking tools has disrupted the status quo in which nations with high cyber capabilities "don't engage with others in a way that causes harm or disruption." He says the leaks have significantly narrowed the gap between nations and individuals or cyber gangs.

"The concern has always been, when are the real bad guys, the ones that don't care about rules of engagement, the ones who are really out to hurt us, will they become cyber-capable?" he said in an interview Monday night with The Associated Press. "I think today we found out that those who really want to hurt us have begun to, because they became cyber-capable the moment that the NSA cybertools were released."

The Department of Homeland Security is leading the investigation in the United States. American officials are working closely with their British counterparts.

Analysts at the Cyber Threat Intelligence Integration Center worked throughout the weekend to keep American officials informed about classified aspects of the investigation.

"Attribution can be difficult here," Bossert said. But he added: "I don't want to say we have no clues."

"While it would be satisfying to hold accountable those responsible for this hack — something that we are working on quite seriously — the worm is in the wild, so to speak at this point, and patching is the most important message as a result," he said.

"Despite appearing to be criminal activity intended to raise money, it appears that less than $70,000 has been paid in ransoms and we are not aware of payments that have led to any data recovery."

Neither the FBI nor NSA would comment Monday.

If Americans follow the patching information issued by the FBI, Microsoft and the Homeland Security Department, they will be protected from the malware and the variants, Bossert said.

Some U.S. companies, including FedEx, were affected. No federal systems have been victimized thus far, Bossert said.

Virginia Sen. Mark Warner, the Senate intelligence committee's top Democrat, wrote Homeland Security Secretary John Kelly and White House budget director Mick Mulvaney on Monday asking what steps the federal government has taken to ensure federal agencies and government contractors have installed critical security updates to defend against the attack.

A Government Accountability Office report in May 2016 said federal agencies consistently failed to apply security patches in a timely manner and sometimes didn't make them for years after a patch had been available, Warner said. The office, he said, also identified cases where agencies were using software no longer supported by its vendors.

Associated Press writer Sheila Norman-Culp in London contributed to this story.