The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons, NYT reported.
But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.
On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.
In an email on Wednesday evening, Michael Anton, a spokesman for the National Security Council at the White House, noted that the government "employs a disciplined, high-level interagency decision-making process for disclosure of known vulnerabilities" in software, "unlike any other country in the world."
Mr. Anton said the administration "is committed to responsibly balancing national security interests and public safety and security," but declined to comment "on the origin of any of the code making up this malware."
Beyond that, the government has blamed others. Two weeks ago, the United States — through the Department of Homeland Security — said it had evidence North Korea was responsible for a wave of attacks in May using ransomware called WannaCry that shut down hospitals, rail traffic and production lines. The attacks on Tuesday against targets in Ukraine, which spread worldwide, appeared more likely to be the work of Russian hackers, though no culprit has been formally identified.
In both cases, the attackers used hacking tools that exploited vulnerabilities in Microsoft software. The tools were stolen from the N.S.A., and a group called the Shadow Brokers made them public in April. The group first started offering N.S.A. weapons for sale in August, and recently even offered to provide N.S.A. exploits to paid monthly subscribers.
Though the identities of the Shadow Brokers remain a mystery, former intelligence officials say there is no question from where the weapons came: a unit deep within the agency that was until recently called "Tailored Access Operations."
Read alsoNATO warns cyber attacks 'could trigger Article 5' as world reels from Ukraine hack – mediaWhile the government has remained quiet, private industry has not. Brad Smith, the president of Microsoft, said outright that the National Security Agency was the source of the "vulnerabilities" now wreaking havoc and called on the agency to "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
Officials fret that the potential damage from the Shadow Brokers leaks could go much further, and the agency's own weaponry could be used to destroy critical infrastructure in allied nations or in the United States.
Using the remnants of American weapons is not entirely new. Elements of Stuxnet, the computer worm that disabled the centrifuges used in Iran's nuclear weapons program seven years ago, have been incorporated in some attacks.
In the past two months, attackers have retrofitted the agency's more recent weapons to steal credentials from American companies. Cybercriminals have used them to pilfer digital currency.
And on Tuesday, on the eve of Ukraine's Constitution Day — which commemorates the country's first constitution after breaking away from the Soviet Union — attackers used N.S.A.-developed techniques to freeze computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.
The so-called ransomware that gained the most attention in the Ukraine attack is believed to have been a smoke screen for a deeper assault aimed at destroying victims' computers entirely. And while WannaCry had a kill switch that was used to contain it, the attackers hitting Ukraine made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.
So long as flaws in computer code exist to create openings for digital weapons and spy tools, security experts say, the N.S.A. is not likely to stop hoarding software vulnerabilities anytime soon.
