I am a bit surprised at the lack of interest in this work. Beyond Greenberg being a shill for American/Israeli intelligence, just the time frame in which the work is set should get curious minds to take a deeper look. Let's get real folks and talk about the American involvement in the USSR's economic implosion. Very naive to think that there would never be any retaliation on Russia's part for Project Hammer.
Sandworm
A New Era of Cyberwar
by Andy Greenberg
15
WARNINGS
In late 2015, half a decade after Stuxnet opened a Pandora’s box of
digital threats to the physical world, the first monster had finally
emerged from it. That monster was Sandworm.
The Christmas blackout attack on Ukraine made clear that Russia’s
hackers were indeed waging cyberwar—perhaps the first true, wide-scale cyberwar in history. They had crossed the same line as Stuxnet’s
creators, from digital hacking to tangible sabotage. And they had also
crossed a line from military to civilian, combining the unrestricted
hybrid-warfare tactics of Estonia and Georgia with vastly more
sophisticated and dangerous hacking techniques.
But even in late January 2016, only a handful of people in the world
were aware of that ongoing threat. Two of them were Mike Assante
and Rob Lee. When Assante had returned from the U.S. delegation’s
fact-finding trip to Ukraine, he couldn’t share what he’d learned with
Lee, since the agencies involved had put a firewall around the
information as “for official use only.” But Lee, working from the
network logs his Ukrainian contacts had shared with him and other
forensic evidence, had already pieced together the anatomy of an
extraordinary, multipart intrusion: BlackEnergy, KillDisk, rewritten
firmware to lock out defenders, the telephone DDoS attack, disabling
on-site electrical backups, and finally the phantom mouse attack that
had hijacked the controls of the utility operators.
There was nothing to stop Sandworm from attacking again. Lee and
Assante agreed they had played the government’s bureaucratic games
long enough. It was time to publish a full report and warn the world.
But as Lee and Assante assembled their findings, they learned that
the White House was still insisting on keeping the details of Ukraine’s
blackout out of the public eye until the Department of Homeland
Security’s Industrial Control Systems Cyber Emergency Readiness
Team, or ICS-CERT, could publish a warning to electric utilities. When
that report finally came in late February—two months after
Sandworm’s attack—it included a statement that left Lee furious:
“Public reports indicate that the BlackEnergy (BE) malware was
discovered on the companies’ computer networks, however it is
important to note that the role of BE in this event remains unknown
pending further technical analysis.”
Lee and Assante knew perfectly well how BlackEnergy had been
used in the attack: It was the remote-access Trojan planted on victim
machines that had begun the long, devious chain of intrusions, leading
up to the hackers opening the utilities’ circuit breakers.
Lee saw that ICS-CERT statement as practically a cover-up. By
questioning BlackEnergy’s role in the attack, or even its existence on
the utilities’ network, the DHS was obscuring a key fact: that the
hackers who’d planted that malware had used the same tool to target
American utilities just a year earlier—that Americans, too, were at risk.
“The message was: ‘This doesn’t map to us; this is a Ukrainian
thing,’ ” says Lee. “They misled the entire community.”
■
Over the next weeks, Lee says he protested in meetings and phone
calls with contacts in the Department of Homeland Security, the
Department of Energy, the NSA, and even the CIA, arguing that the
White House and CERT were downplaying a serious, unprecedented
new hacker threat that loomed over not just Ukraine but western
Europe and the United States. He went so far as to publish an angry
blog post on the SANS website. The gist of that entry, as Lee
summarizes it today, was this: “This is bullshit. People need to know.”
The actual text is lost to history; Assante asked Lee to delete the post
out of political discretion.
Meanwhile, Lee and Assante fought with the White House for weeks
over what they could publicly reveal about the blackout attacks as
White House officials insisted on one revision after another to remove
details they considered classified. After a month, the SANS researchers
resorted to publishing their report through the Electricity Information
Sharing and Analysis Center, or E-ISAC, a part of the North American
Electric Reliability Corporation that answered to Congress, not the
executive branch. The Obama administration had objected to the
release until the last minute.
Even then, through that spring, Lee says he found himself
combating misinformed or Pollyannaish government officials who had
told energy utilities the Ukrainian attacks couldn’t have occurred in
the United States. Representatives from the Department of Energy and
NERC had comforted grid operators that the Ukrainians had used
pirated software, had left their networks unsecured, and hadn’t even
run antivirus software. None of that was true, according to Lee and
Assante.
But above all, Lee argued that the U.S. government had made an
even greater, irreparable mistake: not simply being slow to warn the
public and potential targets about Sandworm, or downplaying its
dangers, but failing to send a message to Sandworm itself—or anyone
else who might follow its path.
For years, since the first warnings of cyberwar in the late 1990s,
hacker-induced blackouts had been the nightmare scenario that kept
generals, grid operators, and security wonks awake at night. They had
imagined and war-gamed military cyberattacks on the power grid for
decades. Even President Clinton had spoken about the need to be
prepared for that most fundamental form of digital sabotage, nearly
fifteen years before Ukraine’s blackout.
Now, as Lee saw it, the moment had finally come, and the U.S.
government had done little more than sweep the incident under the
rug. Perhaps most dangerous of all, it hadn’t issued a single public
statement condemning the attack. “We talk and talk and talk about
this red line for years, and then, when someone crosses it, we say
nothing,” Lee said. “Someone in government needed to stand up and
say a cyberattack on civilian infrastructure is something we won’t
stand for.”
In fact, just a year before, the federal government had offered
exactly the sort of response Lee had called for, though for a less novel
form of attack. In December 2014, North Korean hackers posing as a
hacktivist group known as the Guardians of Peace revealed they had
broken into the servers of Sony Pictures in retaliation for its comedy
film The Interview, which depicted the assassination of the North
Korean dictator Kim Jong Un. The intruders destroyed the contents of
thousands of computers and stole reams of confidential information
that they later leaked onto the web, trickling the files out for weeks,
including four unreleased feature films.
In the weeks following Sony’s breach, the FBI issued a public
statement swiftly identifying North Korea as the culprit, cutting
through its hacktivism false flag. The FBI director, James Comey, went
so far as to give a public speech laying out the evidence for North
Korea’s involvement, including how the hackers had failed on multiple
occasions to use proxy computers as they’d intended to, and thus
revealed IP addresses linked to their previous hacking operations—
bread crumbs that led back to the Kim regime. President Obama
himself spoke about the attack in a White House press conference,
warning the world that the United States wouldn’t tolerate North
Korea’s digital aggression.
“They caused a lot of damage, and we will respond. We will respond
proportionally, and we’ll respond in a place and time and manner that
we choose,” President Obama said. (The exact nature of that response
has never been confirmed, but North Korea did experience a
nationwide internet outage just days later, and the administration
announced new financial sanctions against the Kim regime the next
month.)
“This points to the need for us to work with the international
community,” Obama continued, “to start setting up some very clear
rules of the road in terms of how the internet and cyber operates.”
And yet a year later, when Russian hackers had launched a far
broader and more dangerous attack deep inside civil infrastructure, no
government official offered statements about proportional responses
or international “rules of the road.” No U.S. agency even named Russia
as the offender, despite the numerous clues available to any researcher
who looked. The Obama administration was virtually silent.
America and the world had lost a once-in-history chance, Lee
argues, to definitively establish a set of norms to protect civilians in a
new age of cyberwar. “It was a missed opportunity,” he says. “If you
say you won’t allow something and then it happens and there’s
crickets, you’re effectively condoning it.”
■
In fact, Obama’s most senior cybersecurity-focused official never
doubted the gravity of Sandworm’s blackout attack. In late January,
not long after the delegation to Ukraine had flown back to
Washington, J. Michael Daniel sat in a highly secured situation room
in the Eisenhower Executive Office Building, just beyond the grounds
of the West Wing, receiving a briefing from Department of Homeland
Security officials on the results of that fact-finding trip. Daniel, a soft-spoken career civil servant with a kind, nervous face and slightly
thinning hair, listened carefully. Then he walked back down the hall to
his office to meet with his own staff, who would assemble a report for
the national security advisor and, in turn, President Obama.
As he spoke with the White House aides about what the president
should know, Daniel found himself marveling aloud at the brazenness
of the attackers. “We’ve clearly crossed the Rubicon,” he remembers
saying, echoing Michael Hayden’s comments on Stuxnet three years
earlier. “This is something new.”
Daniel had prided himself on the Obama administration’s work to
set clear boundaries on state-sponsored hacker provocations. Working
together with Obama administration officials from the Department of
Justice to the Pentagon to the Departments of State and Commerce,
his team had answered misbehavior by foreign hackers with rigorous
retaliation. In 2014, for instance, after Chinese cyberspies had for
years pillaged American intellectual property, the Obama Justice
Department had identified and levied criminal charges against five
members of a Chinese People’s Liberation Army hacking unit by name.
The next year, the State Department threatened China with sanctions
if the economic espionage continued. China’s president, Xi Jinping,
more or less capitulated, signing an agreement that neither country
would hack the other’s private sector targets. Security companies such
as CrowdStrike and FireEye reported an almost immediate drop-off in
Chinese intrusions—90 percent according to CrowdStrike—an
unprecedented victory for cybersecurity diplomacy.
North Korea’s Sony attack had received almost as forceful a
response. And the administration would later indict a group of Iranian
state hackers, too, accusing them of DDoS attacks against American
banks and of probing the computer systems of a U.S. dam in upstate
New York. (The Bowman Avenue Dam they’d targeted was only about
twenty feet tall. The hackers might have intended to hit the far larger
and more critical Bowman Dam in Oregon.) The message of all those
hard-line disciplinary actions was this: No foreign state gets away with
hacking American companies or digitally disrupting U.S.
infrastructure.
Then came an actual, full-blown act of cyberwar against Ukraine,
and all the same diplomats and security officials went silent. Why?
Michael Daniel’s immediate train of thought when he first learned
of the blackout may offer an answer: When a phone call from the DHS
alerted him to Sandworm’s attack the day after Christmas, his first
reaction was alarm. “The thing we’ve been worried about has actually
happened,” he thought. But moments later, he remembers having a
very different feeling: “My second reaction was a little bit of relief that
it wasn’t domestic to the U.S.”
Daniel was deeply troubled by the notion that Russian hackers were
willing to attack civilian infrastructure. Worse, these seemed to be the
same hackers who’d been probing U.S. infrastructure only a year
earlier. He had no illusions that the techniques used in the blackout
attacks were limited to Ukrainian targets. “We have those systems in
the United States, and we can’t claim those systems to be any more
secure than what Ukraine is running,” he later told me. In fact, the
greater automation in the American grid might mean that it provided
even more points of attack. “We were equally if not more vulnerable.”
(By the time the U.S. delegation had returned from Ukraine, Daniel
also had few doubts that the Russian government was indeed behind
the attacks. “If it walks like a duck and quacks like a duck…,” he said.)
But even so, when Sandworm had finally pulled the trigger, it had
carried out its attack in Ukraine, four thousand miles away from U.S.
borders. This was the source of Daniel’s relief: Ukraine was not
America. It wasn’t even a member of NATO. As a result, for the U.S.
government, it was officially someone else’s problem.
16
FANCY BEAR
Perhaps the Obama administration, given enough time, would have
gotten around to calling out Sandworm’s acts of cyberwar and making
an example of the attackers with speeches, indictments, or sanctions.
But by June 2016, its attention had been entirely hijacked by another
hacker provocation—one that hit far closer to home.
On June 14, The Washington Post revealed that the Democratic
National Committee had been penetrated for months by not one but
two teams of state-sponsored Russian hackers. The security firm
CrowdStrike, which the DNC had brought in to analyze its breach two
months earlier, published a blog post identifying the pair of intrusion
crews inside the Democrats’ network as Cozy Bear and Fancy Bear,
teams it had watched carry out spying campaigns for years, hitting
everyone from the U.S. State Department and the White House to
aerospace and defense contractors.
Based on past years of detective work, CrowdStrike tied Fancy Bear
to the Russian military intelligence agency known as the GRU. Cozy
Bear, it would later be revealed, worked within Russia’s SVR foreign
intelligence agency. (The two “bear” names derived from
CrowdStrike’s system of labeling hacker teams with different animals
based on their country of origin—bears for Russia, pandas for China,
tigers for India, and so on.) “Both adversaries engage in extensive
political and economic espionage for the benefit of the government of
the Russian Federation and are believed to be closely linked to the
Russian government’s powerful and highly capable intelligence
services,” CrowdStrike’s analysis read.
In other words, these were teams that seemed to be focused on
silent cyberespionage of the kind Russia had carried out since the days
of Moonlight Maze, not the louder, more disruptive cyberwar tactics
Sandworm had only just begun to demonstrate. (CrowdStrike had in
fact tracked Sandworm’s attacks too. Its own code name for the group
was Voodoo Bear.)
But while the DNC hack wasn’t an act of disruptive cyberwar,
neither would it prove to be an ordinary espionage operation. Just
twenty-four hours after news of the breach broke, a figure calling
himself Guccifer 2.0 appeared on Twitter, posting links to a blog that
introduced him to the world. The post was titled “DNC Servers Hacked
by a Lone Hacker.”
“Worldwide known cyber security company CrowdStrike
announced that the Democratic National Committee (DNC) servers
had been hacked by ‘sophisticated’ hacker groups,” Guccifer 2.0 wrote
glibly. “I’m very pleased the company appreciated my skills so
highly))) But in fact, it was easy, very easy.”
What came next in the post shocked the world: a sample of actual
stolen documents from the DNC’s servers. They included a file of
opposition research on the Republican presidential front-runner,
Donald Trump, policy documents, and a list of donors by name and
amount. “The main part of the papers, thousands of files and mails, I
gave to WikiLeaks. They will publish them soon,” Guccifer 2.0 wrote.
“Fuck the Illuminati and their conspiracies!!!!!!!!!”
That “Illuminati” reference and Guccifer 2.0’s name were meant to
convey a kind of rogue hacktivist, stealing and leaking the documents
of the powerful to upend the corrupt social order. The original
Guccifer had been a Romanian amateur hacker named Marcel Lehel
Lazăr who had broken into the email accounts of high-profile figures
like Colin Powell, the Rockefeller family, and the sister of former
president George W. Bush.
Guccifer 2.0 took on the persona of a cocky eastern European
cyberpunk who idolized figures like the original Guccifer, Edward
Snowden, and Julian Assange. “Personally I think that I’m among the
best hackers in the world,” he would write in a FAQ.
When CrowdStrike maintained that Guccifer 2.0 was a thin disguise
meant to obscure the Russian state hackers behind the DNC intrusion,
Guccifer 2.0 shot back with vague denials. “They just fucked up! They
can prove nothing!” he wrote. “All I hear is blah-blah-blah, unfounded
theories and somebody’s estimates.”
But in reality, the Russians’ mask almost immediately showed
cracks. A former staffer for the British intelligence service GCHQ, Matt
Tait, found that the very first document the Russians released, the
Trump opposition file, contained Russian-language formatting-error
messages. Moreover, the metadata from the file showed that it had
been opened on a computer with the username “Feliks Dzerzhinsky.”
That clue was almost comically revealing: Dzerzhinsky was the
founder of the Soviet secret police, whose bronze statue had once
stood in front of the KGB headquarters.
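The Dzerzhinsky clue came from the document’s own authorship metadata. A .docx is a zip archive, and Word records the creator and the last user to save the file in docProps/core.xml, so the check Tait ran can be reproduced with nothing but an unzip and an XML parse. The script below is an added illustration, not code from the book or from any of the researchers it describes: it builds a minimal constructed .docx with placeholder property values (no real DNC file is involved), then reads those fields back and flags the case where the last modifier differs from the creator, which is the pattern that exposed a second machine in the Guccifer 2.0 release.

```python
"""Added example: read the authorship metadata of a .docx file.

Office stores the author in dc:creator and the last user who saved the
file in cp:lastModifiedBy inside docProps/core.xml. Everything here is
standard library; the document is a constructed stand-in, not a real file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in the Office Open XML package format.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CORE_XML_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    "</cp:coreProperties>"
)


def build_constructed_docx(creator, modified_by, created, modified):
    """Return the bytes of a minimal zip laid out like a .docx (constructed sample).

    Only the parts this example reads are included; Word itself would want
    more members, but the metadata container is identical to a real file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(
            "docProps/core.xml",
            CORE_XML_TEMPLATE.format(
                cp=NS["cp"], dc=NS["dc"], dcterms=NS["dcterms"],
                creator=creator, modified_by=modified_by,
                created=created, modified=modified,
            ),
        )
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Parse docProps/core.xml from a .docx and return its authorship fields.

    Returns an empty dict when the package carries no core properties part,
    which is itself worth noting during analysis (metadata was stripped).
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None and el.text else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def modified_by_someone_else(props):
    """True when the last saver is not the original author (a second machine or account)."""
    return bool(props) and props.get("creator") != props.get("last_modified_by")


if __name__ == "__main__":
    # Constructed values: the real document's fields are not reproduced here.
    sample = build_constructed_docx(
        "analyst@example.test", "constructed-second-user",
        "2016-06-01T10:00:00Z", "2016-06-15T09:30:00Z",
    )
    found = extract_core_properties(sample)
    for key, value in found.items():
        print(f"{key:17}: {value}")
    print("last saved by a different user:", modified_by_someone_else(found))
```

Run it against any .docx by passing the file's bytes to extract_core_properties; the same two fields are what most document-analysis tools surface first, and a value that looks like a historical figure or an obvious handle is a prompt to pull the full zip listing and look for other leftovers.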
When the tech news site Motherboard reached out to Guccifer 2.0
via Twitter and the hacker agreed to an instant-message interview,
Motherboard’s reporter Lorenzo Franceschi-Bicchierai cleverly threw
him off guard with a series of questions in English, Romanian, and
Russian. Guccifer 2.0 answered those questions in broken English and
Romanian and protested that he couldn’t understand the Russian.
Franceschi-Bicchierai then showed the chat logs to Romanians and
language experts who pointed out small linguistic clues that Guccifer
wrote like a Russian and appeared to be pulling his Romanian answers
from Google Translate. The Russian hackers seemingly hadn’t even
bothered to recruit a real Romanian for their cover story.
■
The flimsiness of the Guccifer 2.0 lie hardly mattered. The hackers
sent the news site Gawker the Trump opposition research document,
and it published a story on the file that received half a million clicks,
robbing the Democrats of the ability to time the release of their Trump
dirt. Soon, as promised, WikiLeaks began to publish a steady trickle of
the hackers’ stolen data, too; after all, Julian Assange’s secret-spilling
group had never been very particular about whether its “leaks” came
from whistle-blowers or hackers.
The documents, now with WikiLeaks’ stamp of credibility, began to
be picked up by news outlets including The New York Times, The
Washington Post, The Guardian, Politico, BuzzFeed, and The
Intercept. The revelations were very real: It turned out the DNC had
secretly favored the candidate Hillary Clinton over her opponent
Bernie Sanders as the presumptive Democratic nominee for president,
despite the committee’s purported role as a neutral arbiter for the
party. DNC officials had furtively discussed how to discredit Sanders,
including staging public confrontations about his religious beliefs and
an incident in which his campaign’s staff allegedly accessed the
Clinton campaign’s voter data.
The DNC chairwoman, Debbie Wasserman Schultz, was hit the
hardest. The stolen emails revealed that she had privately written that
Sanders’s campaign manager was a “damn liar” and that Sanders “isn’t
going to be president.” A little over a month after the hacked emails
first began to appear, she resigned.
But the hackers weren’t content to rely on WikiLeaks, nor was the
DNC their only victim. Over the next several months, Guccifer 2.0’s
stolen DNC emails also began to appear on a new site called DCLeaks,
along with emails stolen from other targets ranging from Republican
and Democratic lawmakers to General Philip Breedlove, an air force
official who had pushed for a more aggressive response to Russia’s
invasion of Ukraine. Despite DCLeaks’ attempt to appear as another
whistle-blowing “leak” site, the security firm ThreatConnect quickly
identified it as a cover for Russia’s Fancy Bear hackers, based on
overlapping target data with known Fancy Bear intrusion operations
and clues in DCLeaks’ registration data.
If anyone still doubted that Fancy Bear was behind the serial data
dumps, that uncertainty lifted in September 2016, when the group
launched a new attack on the World Anti-Doping Agency. Putin’s
government had been furious at the agency’s recommendation that all
Russian athletes be banned from that year’s Summer Olympics after
multiple athletic teams from the country were found to be part of
widespread programs of performance-enhancing drug use. In
retaliation, Fancy Bear published the stolen medical records of the
tennis stars Venus and Serena Williams and the gymnast Simone
Biles, showing they too had used medications that could be interpreted
—at a stretch—as offering athletic advantages. This time, in a blatant
mockery of critics, the leaks were published on Fancybear.net, a
website covered with clip art and animated GIFs of bears.
Fancy Bear had emerged as brash practitioners of what intelligence
analysts call “influence operations.” More specifically, they were using
an old Russian intelligence practice known as kompromat: the
tradition, stretching back to Soviet times, of obtaining compromising
information about political opponents and using it to leverage public
opinion with tactical leaks and smears.
Sandworm’s hackers were stealthy, professional saboteurs. Fancy
Bear, by contrast, seemed to be shameless, profane propagandists.
And now, in the service of Vladimir Putin, they were tasked with
helping Donald Trump to win the presidency.
The 2016 presidential race wasn’t Fancy Bear’s first time using its
skills to influence elections. In May 2017, a group of security
researchers at the University of Toronto called the Citizen Lab would
find forensic evidence that the group was also behind CyberBerkut, the
pro-Putin hacktivist group that had in 2014 hacked Ukraine’s Central
Election Commission. Like Guccifer 2.0 and DCLeaks, CyberBerkut
was just another cover story.
Most of the group’s techniques were simple. Next to an operation
like Sandworm’s 2015 Christmas blackout, they were practically
primitive. But one of Fancy Bear’s crudest tactics turned out to be its
most effective of all: a rudimentary spoofed log-in page.
On October 7, WikiLeaks began publishing a new series of leaks,
this time stolen directly from the email account of Hillary Clinton’s
campaign chair, John Podesta. The previous March, Podesta had
fallen prey to a basic phishing email, directing him to a fake Gmail site
that asked for his username and password, which he handed over. The
site, of course, was a Fancy Bear trap.
WikiLeaks would trickle out its resulting stash of Clinton campaign
kompromat for weeks to come. The revelations included eighty pages
of closely guarded speeches Clinton had given to private Wall Street
audiences. One included a reference to politicians’ need to have
separate “public” and “private” positions, which her critics interpreted
as an admission of deception. Another seemed to call for “open
borders,” enraging immigration hard-liners. The daily media bombs
would keep the campaign off balance through its final days.*1
The Podesta hack also eradicated any last doubts about Fancy
Bear’s role: The security firm Secureworks found the link to the fake
Gmail site that had tricked Podesta was created with an account on the
URL-shortening service Bitly that had also been used to target
hundreds of other Fancy Bear victims, from Ukrainian officials to
Russia-focused academics and journalists.
Trump, of course, brushed aside the evidence of Russia’s
involvement and reveled in the flood of scandals. “I love WikiLeaks!”
he declared at one rally. At another point, he quipped that he hoped
the Russian hackers had also breached the controversial private email
server Clinton had set up in her home, and asked the hackers to
release thousands more of her emails. But for the most part, Trump
nihilistically denied that those leaks had been enabled by the Kremlin,
instead suggesting that the hackers might just as easily be Chinese or a
“400-pound” loner or that the Democrats had hacked themselves.
Trump’s obfuscation served Fancy Bear well: Even months later, in
December 2016, only about a third of Americans believed Russia had
meddled in the U.S. election, while 44 percent doubted it, and a
quarter were unsure.*2
Whether the Kremlin actually expected to swing the 2016 race with
its influence operation has never been clear. Putin, whose hatred of
Hillary Clinton since her days as secretary of state under Obama could
barely be concealed, might have simply wished to saddle her
presidency with crippling political baggage. Russian officials, of
course, repeatedly denied any hand in the attacks. But regardless of
what outcome they imagined, they had successfully thrown the core of
American democracy into chaos.
When I met up with CrowdStrike’s chief technology officer, Dmitri
Alperovitch, at a park in Manhattan’s financial district in October
2016, with the election just weeks away, he seemed to almost
grudgingly admire the effectiveness of the hackers whose operation his
firm had first uncovered four months earlier.
“I think they’ve gotten medals already,” he said ruefully. “They’ve
had success beyond their wildest dreams.”
In fact, Fancy Bear’s real moment of glory came three weeks later:
Donald Trump won the U.S. presidential election.
■
When J. Michael Daniel had become Obama’s most senior official
concerned solely with cybersecurity in 2012, one of his first big moves
had been to fly to Moscow in 2013 to finalize a “cyber hotline.” Using a
protocol first established to prevent nuclear Armageddon half a
century earlier, the hotline was intended to serve as an open channel
between the White House and the Kremlin for sending messages about
cyberattacks, a kind of safety valve to avoid misunderstandings that
might lead to unnecessary escalation and war. Daniel describes the
setup as a “glorified, dedicated email system.”
On October 7, 2016, Daniel used that hotline for the first and only
time in his tenure, to send a message to Putin in response to Russia’s
blatant election interference. He paraphrases the message: “We know
that you are carrying out these kinds of activities. And stop. Knock it
off.” The same day, the Department of Homeland Security and the
Office of the Director of National Intelligence released a public
statement that U.S. intelligence agencies had officially come to a
consensus that the Russian government was the source of the stolen
emails, as cybersecurity researchers had been pointing out for four
months.
Eventually, in the waning days of Obama’s presidency, the
administration would escalate its response to include new economic
sanctions against Russian intelligence agencies as punishment for
their election hacking, effectively preventing them from doing any
business with American citizens and companies. The order would eject
thirty-five Russian diplomats from the United States and seize control
of two Russian government compounds on U.S. soil. James Lewis, a
cybersecurity-focused fellow at the Center for Strategic and
International Studies, would describe the reaction as “the biggest
retaliatory move against Russian espionage since the Cold War.”
But on the subject of Russia’s blackout attacks, the hotline from the
White House to the Kremlin remained silent. Sandworm had been sent
an implicit signal. It could now proceed with impunity.
*1 The most powerful effect of those leaks may have been to distract from a shocking video
released by The Washington Post on October 7, in which Trump bragged on the set of the TV
show Access Hollywood that he had grabbed women’s genitals without their consent.
WikiLeaks published the first Podesta leaks just hours after that tape surfaced.
*2 When this book went to press, the extent of Trump’s collaboration with the Russian
government in its election interference remained unclear. But the investigation of
independent counsel Robert Mueller had revealed that multiple members of Trump’s staff as
well as Donald Trump Jr. had met with Kremlin officials and other Russian nationals who
had offered compromising information on Clinton, which Trump Jr. was eager to accept. As a
candidate, Trump had also weakened the Republican Party position on defending Ukraine
from Russia, all while pursuing a billion-dollar deal to establish a Trump Tower in Moscow.
17
FSOCIETY
On election night, Michael Matonis had gone to bed early. He’d seen the
increasing likelihood of Trump’s win. But he’d chosen, rather than
biting his nails all evening, to just assume Clinton would prevail as
expected and sleep through the drama until then.
At 5:00 a.m., he was woken up by the shortwave radio next to his
bed, immediately heard the news, and emitted a long, heartfelt moan
of profanity.
Matonis, a twenty-seven-year-old security researcher with a mass of
curly black hair, lived at the time in Albany, New York, but had been
planning a party that night in his hometown of Brooklyn—not so much
to celebrate Clinton’s victory as to herald an end to seeing Trump’s
face on television every day. After learning the shocking election
results, Matonis and his friends quickly reconceived the party as a
kind of emotional support group. So he nonetheless boarded an
Amtrak train south, then made his way from Penn Station through a
New York City that was visibly grieving, with signs of protest and
condolences posted on subway platforms and in shop windows.
When he arrived in the city, Matonis had planned to wander around
Williamsburg and find some good Turkish or Brazilian food. But he
soon found that he was too depressed to leave his Airbnb. So instead,
despite officially being on vacation, he opened his laptop to distract
himself with work.
Matonis was a member of the team of researchers that reported to
John Hultquist, who by then had become director of cyber espionage
analysis at FireEye, the security firm that had acquired iSight earlier in
2016. As part of his daily hunting, Matonis had created his own
software tools that automatically scanned malware feeds like
VirusTotal for interesting tidbits that might serve as footprints of
state-sponsored hackers—what he calls “cyber gold panning.”
Early that morning, one of his filter tools had pinged him with
results that he’d been too distracted to read. Now he dug into its
origin: Someone had uploaded to VirusTotal a piece of malicious code
that used a Microsoft Office script to install itself on the victim’s
machine, just as BlackEnergy had done in the late 2015 attacks. The
new malware appeared to be a fresh backdoor for remote access to
victim machines, one that curiously used the encrypted instant-messaging software Telegram to communicate with its command-and-control servers. But Matonis had tracked the BlackEnergy attacks
closely enough to see that they shared a similar encoding.
The backdoor program was packaged in a Word document written
in Cyrillic characters. When Matonis put the file through Google
Translate, he found that it was a list of prices of storage hardware and
servers written in Ukrainian, what appeared to be bait for Ukrainian
IT systems administrators. “I could think of only one group that would
do this thing, in this particular way,” he says.
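A feed-hunting filter in the spirit of the "cyber gold panning" described above, as an added example (not Matonis's tool, nor anything from FireEye): it scores feed records for the combination of traits the passage mentions, a macro-bearing Office lure, a Cyrillic filename, Telegram used for command-and-control, and a dropped executable. The record layout is a simplified stand-in for whatever a real feed returns and is an assumption of this example; the sample records and hash strings are constructed.

```python
"""Score malware-feed records for the trait combination the passage describes.

Added, constructed example. The record fields (file_type, tags, names,
contacted_domains, dropped_executables, sha256) are an assumed, simplified
layout, not the schema of VirusTotal or any other real feed.
"""
import re
from typing import Dict, List, Tuple

CYRILLIC = re.compile(r"[\u0400-\u04FF]")          # basic Cyrillic block
OFFICE_TYPES = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf"}
TELEGRAM_API = "api.telegram.org"                  # Telegram bot API host


def score_record(rec: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one record; one point per matching trait."""
    reasons: List[str] = []
    if rec.get("file_type") in OFFICE_TYPES and "macros" in rec.get("tags", []):
        reasons.append("office document carrying a macro")
    if any(CYRILLIC.search(name) for name in rec.get("names", [])):
        reasons.append("cyrillic filename")
    if any(TELEGRAM_API in d for d in rec.get("contacted_domains", [])):
        reasons.append("contacts telegram bot api")
    if rec.get("dropped_executables"):
        reasons.append("drops an executable")
    return len(reasons), reasons


def hunt(feed: List[Dict], min_score: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Keep records scoring at least min_score, highest score first."""
    hits = []
    for rec in feed:
        score, reasons = score_record(rec)
        if score >= min_score:
            hits.append((rec["sha256"], score, reasons))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


# Constructed sample feed; hashes are placeholders, not real indicators.
SAMPLE_FEED = [
    {   # macro lure with a Cyrillic name, Telegram C2, drops a PE
        "sha256": "CONSTRUCTED-HASH-1",
        "file_type": "doc",
        "tags": ["macros"],
        "names": ["Прайс сервера.doc"],
        "contacted_domains": ["api.telegram.org"],
        "dropped_executables": ["svchost_.exe"],
    },
    {   # ordinary macro-enabled spreadsheet, English name, no network activity
        "sha256": "CONSTRUCTED-HASH-2",
        "file_type": "xlsm",
        "tags": ["macros"],
        "names": ["Q3_budget.xlsm"],
        "contacted_domains": [],
        "dropped_executables": [],
    },
    {   # a signed executable that talks to Telegram, not a document
        "sha256": "CONSTRUCTED-HASH-3",
        "file_type": "exe",
        "tags": ["peexe", "signed"],
        "names": ["messenger_setup.exe"],
        "contacted_domains": ["api.telegram.org"],
        "dropped_executables": [],
    },
]

if __name__ == "__main__":
    for sha, score, why in hunt(SAMPLE_FEED):
        print(sha, score, "; ".join(why))
```

Any single trait is common in benign files (macro spreadsheets, Telegram clients); the filter only pages the analyst when several co-occur, which is what makes a feed-scale filter usable.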
Since the Ukrainian blackouts nearly a year earlier, Sandworm had
gone entirely silent. After its grid-hacking tour de force, it seemed as if
the group might even have disappeared. Aside from a few die-hard
obsessives including Matonis, his boss, Hultquist, and Rob Lee, much
of the American security community’s attention to Russian hacking
had shifted almost entirely to Fancy Bear’s election meddling.
Now Matonis was seeing the first sign that Russia’s blackout
hackers had surfaced again. “Holy shit,” Matonis thought to himself as
he sat at the kitchen table of his Brooklyn rental. “I think I’ve found
Sandworm version two.”
■
By August 2016, eight months after the first Christmas blackout,
Yasinsky had left his job at StarLightMedia. It wasn’t enough, he
decided, to defend a single company from an onslaught that seemed to
be targeting every stratum of Ukrainian society. Despite Sandworm’s
silence since the blackout, Yasinsky knew that the group spent long
months advancing its intrusions and that the next wave of attacks was
likely already in motion. He needed a more holistic view of the
hackers’ work, and Ukraine needed a more coherent response to the
brazen, callous organization of attackers that Sandworm was
becoming. “The light side remains divided,” he told me of the
balkanized reaction to the hackers among their victims. “The dark side
is united.”
So Yasinsky took a position as the head of research and forensics for
a Kiev firm called Information Systems Security Partners, or ISSP. The
company was hardly a big name in the security industry. But Yasinsky
joined with the intention of using his position to make ISSP the go-to
first responder for victims of Ukraine’s digital siege.
Not long after he switched jobs, as if on cue, the country came
under another, even broader, more punishing wave of attacks. Starting
in December, a month after FireEye’s Michael Matonis and other
researchers around the world were seeing the first signs of
Sandworm’s reemergence, Yasinsky began to learn of other Ukrainian
agencies and infrastructure companies targeted by the same
destructive hackers as in 2015. Those victims would eventually include
Ukraine’s pension fund, Treasury, seaport authority, and Ministries of
Infrastructure, Defense, and Finance. In each case, as in the year
before, the attacks culminated with a KillDisk-style detonation on the
target’s hard drives.
The hackers again hit Ukraine’s railway company, Ukrzaliznytsia,
this time knocking out its online booking system for days, right in the
midst of the holiday travel season. In the case of the Finance Ministry,
the logic bomb deleted terabytes of data, destroying the contents of
80 percent of the agency’s computers, deleting its draft of the national
budget for the next year, and leaving its network entirely off-line for
the next two weeks.
In other words, the hackers’ new winter onslaught matched and
exceeded the previous year’s in both its scale and the calculated pain of
its targeting. But as security researchers delved into the companies’
logs in those first weeks of December, they could see their tormentors
were trying out new forms of deception, too. In one round of attacks,
for instance, the hackers had altered their KillDisk code to not merely
cripple victims’ machines but also to display a haunting image on their
screens.
The picture—first published by researchers at the Slovakian security
firm ESET, who were also closely tracking the second wave of
Ukrainian attacks—wasn’t merely a file planted on the victims’
computers. Instead, with a kind of hacker flourish, it had been
painstakingly programmed into the malware to be drawn by
Windows’s graphics interface every time the code ran. The resulting
image was a neon-green and black low-resolution mustachioed mask,
over a background of multicolored ones and zeros. Above and below
the mask were the words “WE ARE FSOCIETY” and “JOIN US.”
The hackers had co-opted the symbology of the fictional anarchist
hackers in the television show Mr. Robot, perhaps to create a veneer of
freewheeling, grassroots nihilism over what was clearly a well-organized, state-sponsored disruption campaign. (With the benefit of
hindsight, they might have also been revealing something about their
intentions: In Mr. Robot, FSociety’s hackers permanently destroy the
records of a massive banking conglomerate, erasing the debt of
thousands of people and throwing the world economy into chaos—a
story line that, within a year, would feel prescient.)
In the second round of attacks, the hackers switched up their ruse:
Instead of a hacktivist front, they adopted a cybercriminal one,
plastering victims’ corrupted machines with a ransom message
demanding a Bitcoin payment: “We are sorry, but the encryption of
your data has been successfully completed, so you can lose your data
or pay 222 btc.”
Sandworm seemed to have adapted its cover story to mimic an
increasingly trendy tactic among hacker profiteers: Rather than try to
steal credit cards or other data that had to be resold to be monetized,
cybercriminals had discovered they could extort money directly from
victims by encrypting their hard drives and demanding payment to
unlock them. Only once the victims forked over the ransom—within a
prescribed time limit—would the extortionists send a key to decrypt
their data. Some ransomware schemes had become so professional
that they even included live customer support, increasing the
likelihood of payment by reassuring victims that they would actually
receive their data back.
But most of those moneymaking schemes, as cruel as they were,
asked for just a few hundred or thousand dollars from victims. This
one demanded, at late 2016 Bitcoin exchange rates, more than
$150,000. No one, it seemed, was foolish enough to pay. And ESET’s
researchers found that even if they had, there was no decryption
mechanism in the malware. Instead, the ransom demand only added
another layer of confusion to the same KillDisk-style data destruction
that Sandworm had been carrying out since the year before.
Yasinsky could see that the hackers were not only evolving but
experimenting. After a year underground, they had reemerged more
dangerous and deceptive than ever. Ukraine’s cyberwar was ramping
up. And then, on a Saturday night two weeks into that growing plague,
not long after Yasinsky sat down on the couch of his Kiev apartment to
watch the movie Snowden with his family, Sandworm put its full
capabilities on display.
■
On December 17, 2016, a young engineer named Oleg Zaychenko was
four hours into his twelve-hour night shift at Ukrenergo’s transmission
station just north of Kiev’s city limits. He sat in an old Soviet-era
control room, its walls covered in beige and red floor-to-ceiling analog
control panels. The station’s tabby cat, Aza, was out hunting; all that
kept Zaychenko company was a television in the corner playing pop
music videos.
He was filling out a paper-and-pencil log, documenting another
uneventful Saturday evening, when the station’s alarm suddenly
sounded, a deafening continuous ringing. To his right, Zaychenko saw
that two of the lights indicating the state of the transmission system’s
circuits had switched from red to green—in the counterintuitive,
universal language of electrical engineers, a sign that they had turned
off.
The technician picked up the black desk phone to his left and called
an operator at Ukrenergo’s headquarters to alert him to the routine
mishap. As he did, another light turned green. Then another.
Zaychenko’s adrenaline began to kick in. While he hurriedly explained
the situation to the remote operator, the lights kept flipping: red to
green, red to green. Eight, then ten, then twelve.
As the crisis escalated, the operator on the phone ordered
Zaychenko to run outside and check the equipment for physical
damage. At that moment, the twentieth and final circuit switched off,
and the lights in the control room went out, along with the computer
and TV. Zaychenko was already throwing a coat over his blue-and-yellow uniform and sprinting for the door.
Ukrenergo’s northern Kiev transmission station is normally a vast,
buzzing jungle of electrical equipment stretching over twenty acres,
the size of more than a dozen football fields. But as Zaychenko came
out of the building into the freezing night air, the atmosphere was
eerier than ever before: The three tank-sized transformers arrayed
alongside the building, responsible for about a fifth of the capital’s
electrical capacity, had gone entirely silent.
Until then, Zaychenko had been mechanically ticking through an
emergency mental checklist. As he ran past the paralyzed machines,
the thought entered his mind for the first time: The blackout hackers
had struck again.
18
POLYGON
This time the attack had moved up the circulatory system of Ukraine’s
grid. Instead of taking down the distribution substations that branch
off into capillaries of power lines, the saboteurs had hit an artery. That
single northern Kiev transmission station carried two hundred
megawatts, more total electric load than all the fifty-plus distribution
stations knocked out in the 2015 attack combined.
Luckily, the system was down for just an hour—hardly long enough
for pipes to freeze or for locals to start panicking—before Ukrenergo’s
engineers began manually closing circuits and bringing everything
back online. Even so, when that hour-long midnight blackout
enveloped Yasinsky’s home in northern Kiev, it unnerved him like no
cyberattack he’d ever experienced in his years as a security
professional.
Yasinsky told me he’s always tried to maintain a dispassionate
perspective on the intruders who were ransacking his country. He
seeks to avoid entirely, for instance, the topic of the attackers’
identities, arguing that their names or nationalities don’t figure into
the analysis of their intrusions or strategies for defending against
them. (That refusal to wade into questions of attribution is common in
the cybersecurity industry. But Yasinsky takes it to an extreme, going
so far as to wag his finger with a mock-scolding grin when I refer to
the attackers as Russian.)
Yasinsky has always preferred to see his job as a game of chess,
logically analyzing the adversary’s moves on an abstract plane free
from any personal psychology. Become too emotionally invested, he
argued, let your thinking be corrupted by your own anger or obsession
or self-interest, and you begin to make mistakes. “You need a cold,
clear mind,” Yasinsky said. “If you want to play well, you can’t afford
to hate your opponent.”
But when the blackout extended to his own home, he admitted that
it crossed a new boundary. It was “like being robbed,” he told me. “It
was a kind of violation, a moment when you realize your own private
space is just an illusion.”
Within twenty-four hours of the blackout, Ukrenergo staffers had
publicly confirmed that it had indeed been caused by another
cyberattack, just as Yasinsky had immediately suspected. Ukrenergo
and the SBU—the Ukrainian security service that partly functions as
the country’s equivalent of the NSA—determined that Ukraine would
handle the response itself. This time, there would be no American
delegation. And so naturally, when ISSP called up Ukrenergo and
offered its services, the job was handed to Yasinsky.
■
In early 2017, at a meeting in Ukrenergo’s central Kiev headquarters,
the company gave ISSP a hard drive filled with the terabytes of log files
that Yasinsky would need to begin his forensic analysis. Just as he had
at StarLightMedia, he pored over the logs for weeks, combing them for
any anomaly that might reveal the traces of hackers who had sought at
every point in their intrusion to perfectly mimic the normal behavior
of the victims they had infiltrated—what Yasinsky calls “finding
needles among needles.”
After tracking the same hackers for more than a year, Yasinsky
knew where to find their footprints. By the end of January, ISSP had
assembled nearly the entire anatomy of the intrusion. He presented it
in a briefing for Ukrenergo’s IT administrators, rolling out in front of
them a six-foot-long printed paper timeline of the hackers’ work.
Though the company had given him six months of logs, it appeared the
hackers had likely obtained their access far earlier: In January 2016,
nearly a year before the second blackout, Ukrenergo had discovered an
infection of the same BlackEnergy malware that had hit
StarLightMedia, TRK, and Boryspil airport. Yasinsky guessed that
despite the utility’s cleanup efforts the intruders had maintained a
stealthy foothold somewhere inside Ukrenergo’s systems, patiently
biding their time.
To move between computers within Ukrenergo’s network, they had
deployed a common hacker tool called Mimikatz, designed to take
advantage of a security oversight in older versions of Windows that
leaves passwords accessible in a computer’s memory. Mimikatz plucks
credentials out of that ephemeral murk so that hackers can use them
to gain repeated access to a computer, or to any others that a victim’s
account could access on the same network. The hackers had also
exploited a more obscure trick, one that allows them to dig through
memory after an application unexpectedly crashes, finding sensitive
credentials lingering in the “crash dump” of data that borked programs
leave behind—a bit like grabbing and instantly copying the keys from a
stalled car.
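Detection logic for the two credential-theft behaviours just described, a process reading LSASS memory (the Mimikatz pattern) and an LSASS crash dump landing on disk (the crash-dump pattern), as an added example that is not code from the Ukrenergo investigation or from any vendor. It consumes Sysmon-style records (EventID 10 ProcessAccess, EventID 11 FileCreate, with Sysmon's field names) as plain dicts; the allowlist of benign readers and every event below are constructed for illustration.

```python
"""Flag LSASS memory reads and LSASS dump files from Sysmon-style events.

Added, constructed example. Field names follow Sysmon (UtcTime, SourceImage,
TargetImage, GrantedAccess, Image, TargetFilename); the allowlist and the
sample events are illustrative, not a tuned production rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROCESS_VM_READ = 0x0010   # Windows access right needed to read another process's memory
LSASS = "lsass.exe"

# Processes that routinely open LSASS for legitimate reasons.
# Assumption: this must be baselined per environment; shown here as a sketch.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Alert:
    utc_time: str
    kind: str
    source_image: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: Dict) -> Optional[Alert]:
    """Evaluate one event; return an Alert, or None if nothing is suspicious."""
    if ev.get("EventID") == 10:                        # ProcessAccess
        if _basename(ev["TargetImage"]) != LSASS:
            return None
        granted = int(ev["GrantedAccess"], 16)         # e.g. "0x1010"
        if granted & PROCESS_VM_READ and ev["SourceImage"].lower() not in ALLOWED_SOURCES:
            return Alert(ev["UtcTime"], "lsass-memory-read", ev["SourceImage"],
                         "GrantedAccess=" + ev["GrantedAccess"])
    elif ev.get("EventID") == 11:                      # FileCreate
        name = _basename(ev["TargetFilename"])
        if name.startswith("lsass") and name.endswith(".dmp"):
            return Alert(ev["UtcTime"], "lsass-dump-written", ev["Image"],
                         ev["TargetFilename"])
    return None


def scan(events: List[Dict]) -> List[Alert]:
    """Run check_event over a batch and keep the alerts, in input order."""
    return [a for a in map(check_event, events) if a is not None]


# Constructed sample events (not from any real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2016-12-01 02:14:05",      # allowlisted AV engine: benign
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2016-12-01 02:14:09",      # unknown binary reading LSASS
     "SourceImage": r"C:\Users\operator\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2016-12-01 02:14:12",      # query-only handle, no VM_READ
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2016-12-01 02:14:15",      # full access, but not to LSASS
     "SourceImage": r"C:\Users\operator\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 11, "UtcTime": "2016-12-01 02:20:41",      # crash dump of LSASS written
     "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.exe.652.dmp"},
    {"EventID": 11, "UtcTime": "2016-12-01 02:21:03",      # unrelated file
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\operator\notes.txt"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.utc_time, a.kind, a.source_image, a.detail)
```

The allowlist is the hard part of this rule in practice: security agents, backup tools and debuggers all open LSASS legitimately, so the list has to be built from a baseline before the rule is allowed to page anyone.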
With those stolen credentials, the hackers eventually gained access
to a kind of all-seeing database server in Ukrenergo’s network, what’s
sometimes known as a “historian.” That database acted as a record
keeper for the utility’s operations, collecting data from physical
equipment and making it available to the business network. For the
intruders, it offered a crucial bridge between the traditional IT side of
Ukrenergo’s network and the industrial control system side, including
workstations with access to circuit breakers.
That historian database didn’t merely collect data from the utility’s
computers. It also, more dangerously, had the ability to send certain
commands to them. As Yasinsky describes it, the hackers hijacked that
functionality to turn the database into a “Swiss Army knife,” capable of
running any code the hackers chose. Ultimately, that included planting
the payload of their attack at the doorstep of Ukrenergo’s actual
transmission station equipment and, as in 2015, callously flipping
those switches to cut power to hundreds of thousands of people.
The attackers seemed to have shifted their focus from the 2015
attack, when they had ransacked the three regional power utilities with
a broad arsenal of humiliations, attacking everything from the utilities’
own backup generators to their phone systems. Instead, this time they
had penetrated directly into the transmission systems with single-minded professionalism. “In 2015, they were like a group of brutal
street fighters,” says Marina Krotofil, a Ukraine-born German
industrial control systems expert who then worked at Honeywell and
who advised Yasinsky during ISSP’s analysis. “In 2016, they were
ninjas.”
But the final payload those saboteurs had planted, to Yasinsky, was
a kind of black box. He could see that the hackers had, ahead of their
midnight strike, installed a collection of dynamic-link library, or .dll
files, essentially collections of instructions they could call upon. But
industrial control systems are their own arcane discipline within
cybersecurity, and Yasinsky, despite his knowledge of the forensics of
traditional IT systems, couldn’t interpret the .dll files himself. Krotofil,
his friend and go-to industrial control systems expert, had helped to
guide him through that side of the Ukrenergo investigation. But
thanks to the nondisclosure agreement he’d signed with the utility, he
couldn’t share the .dlls with her.
Yasinsky showed the files to Ukrenergo’s engineers, and they told
him that the code included commands written in a particular protocol
—a kind of computer vocabulary understood by their circuit breaker
equipment. Somehow, those files had triggered the final, disruptive
step of the hackers’ blackout operation. Exactly how would remain a
mystery for months to come.
■
In the United States, meanwhile, the second Ukrainian blackout
resonated momentarily through the cybersecurity community, stealing
back a modicum of attention from the frenzy around Russia’s election-focused attacks. For the first time in history, as Lee described it to me,
a group of hackers had shown it was willing and able to repeatedly
attack critical infrastructure. They’d refined their techniques over
multiple, evolving assaults. And they’d planted their malware on the
U.S. grid once before.
All of that meant, Lee argued, that American utilities and
government officials needed to see Russia’s escalating cyberwar
operations not only as Ukraine’s problem but as their own. “The
people who understand the U.S. power grid know that it can happen
here,” he told me.
When I’d run that notion by NERC’s chief security officer, Marcus
Sachs, in a phone call, he’d downplayed the threat. American power
companies have already learned from Ukraine’s victimization, he
argued. Sachs pointed to the road show of briefings he and others had
performed for U.S. utilities to educate them about the attacks,
hammering into them that they need to shore up their basic
cybersecurity practices and turn off remote access to their critical
systems whenever possible. And for all the sophistication of the
Ukraine grid hacks, he pointed out, even they didn’t really constitute a
catastrophe; the lights did, after all, come back on.
“It would be hard to say we’re not vulnerable. Anything connected
to something else is vulnerable,” Sachs said. “To make the leap and
suggest that the grid is milliseconds away from collapse is
irresponsible.”
But to hackers like Sandworm, Lee countered, the United States
could present an even more convenient set of targets. U.S. power firms
are more attuned to cybersecurity, but they’re also more automated
and modern than those in Ukraine, with more computer-controlled
equipment. In other words, they present more of a digital “attack
surface” to hackers than some older systems.
American engineers, he argued, also have less experience with
manual recovery from frequent blackouts than a country like Ukraine.
Regional utilities in Ukraine, and even Ukrenergo in Kiev, are all far
more accustomed to blackouts from the usual equipment failures than
American utilities. They have fleets of trucks ready to drive out to
substations and manually switch the power back on, as Ukrainian
utilities did in 2015 when the hackers first hit them. Not every hyper-automated American utility is prepared for that all-hands, on-the-ground manual override. “Taking down the American grid would be
harder than Ukraine,” Lee said. “Keeping it down might be easier.”
As Sandworm’s power and brashness grew, the question remained:
Would it ever dare hit the United States the way it had Ukraine? An
attack on American utilities, after all, would almost certainly result in
immediate, serious retaliation from the U.S. government, even if the
same attacks in a regional war of Russian aggression had barely
elicited a murmur from U.S. officials.
Some cybersecurity analysts at the time of Sandworm’s second grid
attack argued that Russia’s goal was simply to hem in America’s own
cyberwar strategy: By turning the lights out in Kiev—and by showing
that it’s capable of penetrating the American grid—Moscow had sent a
message warning the United States not to try a Stuxnet-style attack on
Russia or its allies, such as the Syrian dictator, Bashar al-Assad, whose
revolutionary opponents the United States was supporting in the
Syrian civil war.
In that view, it was all a game of deterrence. As one influential
pseudonymous hacker and security analyst known as the Grugq had
written in a blog post after the second Ukraine blackout, “This
expensive light flicking makes more sense when viewed as an influence
operation to signal the West that Russia has what the West itself
believes are ‘real cyber war cyber weapons.’
“Russia has flicked Ukraine’s lights twice now,” he wrote. “There is
no reason to run two tests of an offensive operation if the first is
successful. They want to make sure the West gets the signal.”
But Lee, who was involved in plenty of war-game scenarios during
his time at the NSA, could imagine Russia striking American utilities
as a retaliatory measure if it ever saw itself as backed into a corner—if
the United States, say, threatened to interfere with Moscow’s military
interests in Ukraine or Syria. “When you deny a state’s ability to
project power,” he argued, “it has to lash out.”
Lee and his ilk, of course, had been war-gaming these nightmares
for well over a decade. And as yet, cyber doomsday had never come to
U.S. soil. But in the wake of Fancy Bear’s election interference, there
seemed to be no limits to Russia’s brazenness. The Kremlin had
meddled in the Ukrainian election and faced no real repercussions;
then it applied similar tactics to the United States. Russian hackers
turned off the power in Ukraine with impunity; the syllogism wasn’t
hard to complete.
For John Hultquist, who had now watched Sandworm’s attacks
escalate for more than two years, that next step was clear enough.
Three weeks after the 2016 Kiev attack, he wrote a prediction on
Twitter and pinned it to his profile for posterity: “I swear, when
Sandworm Team finally nails Western critical infrastructure, and folks
react like this was a huge surprise, I’m gonna lose it.”
■
On a gray day in March 2017, a taxi dropped me off in a parking lot in
front of the headquarters of ISSP in Kiev. The company at the time
occupied a low-lying building in an industrial neighborhood of the
Ukrainian capital, surrounded by muddy sports fields and crumbling
high-rises—a few of the country’s many lingering souvenirs from the
Soviet Union.
When I found Oleksii Yasinsky inside, we sat down in the
company’s “Cyber Lab,” a darkened room with a round table that’s
covered in the same sort of network maps he’d developed for the
Ukrenergo operation, long scrolls of paper showing nodes and
connections of Borgesian complexity. Each map represented the
timeline of an intrusion by Sandworm. By then, the hacker group had
been the consuming focus of Yasinsky’s work for nearly two years,
going back to its first attack on StarLightMedia. He told me there was
still no way to know exactly how many Ukrainian institutions had been
hit in the escalating campaign of cyberattacks; any count was liable to
be an underestimate. For every publicly known target, there was at
least one secret victim that hadn’t admitted to being breached, and
still other targets that hadn’t yet discovered the intruders in their
systems.
In fact, Yasinsky said, the next wave of the digital invasion might
have already been under way even then. Behind him, two younger,
bearded ISSP staffers were locked into their keyboards and screens,
pulling apart malware that the company had obtained just the day
before from a new round of phishing emails. The attacks, Yasinsky had
come to believe, took on a seasonal cycle: During the first months of
the year, the hackers laid their groundwork, silently penetrating
targets and spreading their presence. At the end of the year, they
unleashed their payload. Yasinsky suggested that even as he was
analyzing last year’s power grid attack, the seeds had already been
sown for 2017’s December surprises.
Bracing for the next round, Yasinsky told me, was like “studying for
an approaching final exam.” He maintained that what he and Ukraine
had faced so far was likely just a series of practice tests.
He summed up the attackers’ intentions in a single Russian word:
poligon. A training ground. Even in their most damaging attacks,
Yasinsky said, the hackers could have gone further. They could have
destroyed not just the Ministry of Finance’s stored data but its
backups too. They probably could have knocked out Ukrenergo’s
transmission station for longer or caused permanent, physical harm to
the grid—a restraint that American analysts like Assante and Lee had
also noted in my conversations with them. “They’re still playing with
us,” Yasinsky said. Each time, the hackers retreated before
accomplishing the maximum possible damage, as if reserving their
true capabilities for some future operation. “We can only hope that
they’re not done playing yet.”
Yasinsky wasn’t alone in forming that new, foreboding theory
around Ukraine’s cyberwar: International observers began to posit
that Russia was turning the country into a test lab, trying out digital
tactics that it might later unleash on the West. Where better to train an
army of Kremlin hackers than in the no-holds-barred atmosphere of a
hot war inside Putin’s own sphere of influence? “The gloves are off.
This is a place where you can do your worst without retaliation or
prosecution,” Kenneth Geers, the NATO ambassador, told me.
“Ukraine is not France or Germany. A lot of Americans can’t find it on
a map. So you can practice there.”
In that shadow of neglect, Russia wasn’t only pushing the limits of
its technical abilities, said Thomas Rid, a professor of strategic and
military studies at Johns Hopkins. It was also feeling out the edges of
what the international community would tolerate. “They’re testing out
red lines, what they can get away with,” Rid told me. “You push and
see if you’re pushed back. If not, you try the next step.”
And what would it look like when the hackers ceased to play those
exhibition games and unleashed their full powers? In the dim back
room at ISSP’s office in Kiev during my spring 2017 visit, Yasinsky
admitted to me that he didn’t know what form the next attack would
take. Perhaps another, more severe blackout. Or maybe a targeted
attack on a water facility. Regardless, he said, he believed it would
reach out, like the blackout that he felt in his own home, well beyond
the internet as we’ve long understood it, into the infrastructure of the
physical world.
Behind him, the fading afternoon light glowed through the blinds,
rendering his face a dark silhouette. “Cyberspace is not a target in
itself. It’s a medium,” Yasinsky said. “Use your imagination.”