The U.S. National Security Agency alerted Microsoft of a critical vulnerability that was eventually used to carry out the massive WannaCry ransomware attack that hit more than 300,000 computers worldwide last week, the Washington Post reported.

The NSA went to Microsoft after it learned a hacking group known as the Shadow Brokers had stolen the hacking tool that took advantage of the exploit out of fear the tool might be used for a large-scale attack. Microsoft issued a patch for the vulnerability in March, but many machines were not updated at the time of the attack and were affected.

Read: Cryptocurrency Botnet Used Leaked NSA Exploits Before WannaCry Ransomware Attack

"NSA identified a risk and communicated it to Microsoft, who put out an immediate patch," Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told the Washington Post.

While the NSA did alert Microsoft in time for the company to make protection available to many machines — although not always taken advantage of — it failed to make clear to the public just how dangerous the vulnerability could be.

A month after Microsoft issued the security patch, the Shadow Brokers published the code for the NSA-crafted attack known as EternalBlue. A modified version of the exploit was used to carry out the ransomware attack that hit machines in more than 150 countries, including those at hospitals and major corporations.

The WannaCry attack was also not the first time the exploit had been used. The same vulnerability was used in a botnet hack in which compromised machines were used to mine for the cryptocurrency Monero. According to security firm Proofpoint, the exploit was used as early as April and may have been larger in scale than WannaCry.

Read: WannaCrypt Ransomware Windows Patch: Microsoft Tells Government To Stop Hoarding Security Vulnerabilities

Despite the NSA’s disclosure of the exploit to Microsoft, the computing giant still scolded the government agency for holding onto and making use of the vulnerability for so long in the first place — for more than five years, the Washington Post reported.

Microsoft President and chief legal officer Brad Smith said in a blog post the hoarding of exploits by government organizations puts users at risk when the vulnerabilities aren’t disclosed to the public — especially when that information is stolen or leaked and made available for hackers to use freely with no protections in place.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith said. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”

Smith reiterated Microsoft’s belief that there needs to be a “Digital Geneva Convention” to regulate government agency actions in cyberspace. The company has argued in favor of a requirement for governments to disclose exploits so companies can protect users rather than allow the vulnerabilities to exist without a fix in place and putting more people at risk.

RELATED STORIES
Cybercrime Malware Ransomware Microsoft