BALTIMORE — A Maryland congressman said on Friday that the National Security Agency had denied that one of its hacking tools, stolen in 2017, was used in a ransomware attack on Baltimore’s government that had disrupted city services for more than three weeks.
The statement, made by Representative C.A. Dutch Ruppersberger, came in response to an article in The New York Times last weekend. The Times was told by people directly involved in the investigation in Baltimore that the N.S.A. tool, EternalBlue, was found in the city’s network by all four contractors hired to study the attack and restore computer services.
Investigators are still trying to determine the exact chronology of the attack. The leading theory is that hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers searching for valuable servers to infect, said the people involved in the investigation.
This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as “pass-the-hash,” which uses stolen credentials, to spread the ransomware.
The people involved in the investigation spoke to The Times on the condition of anonymity because they were not authorized to discuss it on the record.
N.S.A. officials are naturally sensitive to reports of continuing damage done by their hacking tools, stolen and released on the internet in 2017 by a still-unidentified group calling itself the Shadow Brokers. EternalBlue and other N.S.A. tools were used in attacks by North Korea and Russia later that year that caused billions of dollars in damage to corporations and governments around the world.
More recently, according to cybersecurity experts, EternalBlue has turned up in attacks on local governments in the United States, which often used aging equipment and fail to keep their software up to date. A patch issued by Microsoft in 2017, but apparently never installed in Baltimore, should have made Windows secure against EternalBlue.
An N.S.A. spokesman declined to comment on the congressman’s statement or the Times article, which was published online on Saturday. A spokesman for Baltimore’s mayor’s office also said he could not comment on the continuing investigation.
Mr. Ruppersberger, a Democrat whose district includes the N.S.A.’s Fort Meade campus south of Baltimore, said in his statement that he had been briefed by “senior leaders” of the N.S.A. They told him that “there is no evidence at this time that EternalBlue played a role in the ransomware attack affecting Baltimore City.”
He added: “I’m told it was not used to gain access nor to propagate further activity within the network.”
The statement did not explain how N.S.A. learned the details of the forensic investigation in Baltimore, which is being carried out by the private contractors. The Federal Bureau of Investigation has also opened an inquiry but has not commented publicly on any findings.
The N.S.A. routinely hunts for security flaws in widely used software and uses them to penetrate foreign computer networks and gather intelligence. It used EternalBlue for such spying for at least five years before the Shadow Brokers stole the tool and posted it on the web to be grabbed and used by foreign states and criminal hackers.
“Our country needs cybertools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” Mr. Ruppersberger said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities. Now, our focus now should be on Baltimore’s recovery.”
Some former N.S.A. officials have suggested that Baltimore bears some responsibility for the attack, because it evidently had not installed updates to Windows that might have kept its system safe. But Mr. Ruppersberger said “the reality is that patching can be hard and requires resources that many municipalities don’t have.”
He said he thought the federal government “needs to do more to help municipalities better protect their networks.”