Kindle Notes & Highlights
Read between December 28 - December 30, 2020
A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users.
Sandworm, according to the ICS-CERT report, had built tools for hacking not only the GE Cimplicity human-machine interfaces Trend Micro had noted but also similar software sold by two other major vendors, Siemens and Advantech/Broadwin. The report stated that the intrusions of industrial control system targets had begun as early as 2011 and continued until as recently as September 2014, the month iSight detected Sandworm. And the hackers had successfully penetrated multiple critical infrastructure targets, though none were named in the document. As far as ICS-CERT could tell, the operations
In the 1950s, through the last years of Stalin’s terror and the rise of Khrushchev to take his place, more Ukrainians were sent to the U.S.S.R.’s gulags than any other nationality.
Cyberattacks on nonmilitary, physical infrastructure, Lee believed, were a class of weapon that ought to be considered, along with cluster bombs and biological weapons, simply too dangerous and uncontrollable for any ethical nation to wield.
The NSA had teams tasked with finding and fixing vulnerabilities in industrial control system equipment. It had, as Stuxnet would expose, its own offensive teams that invented infrastructure exploitation techniques. It didn’t, however, have a team assigned exclusively to hunting the enemy’s infrastructure-focused hackers.
“We could manage it like a storm,” Assante remembers his colleagues saying. “The way it was imagined, it would be like an outage and we’d recover from the outage, and that was the limit of thinking around the risk model.”
Even as the Russian hackers stole reams upon reams of data, they weren’t using their access to military networks to sabotage or corrupt those systems. There was no sign that they were seeking to disrupt or deceive U.S. command and control to gain the kind of tactical advantage Arquilla and Ronfeldt had described. And they certainly weren’t reaching out into the physical world to cause lethal mayhem and blackouts. But Moonlight Maze did demonstrate that state-sponsored hackers could gain far deeper and broader access than many in the U.S. government had thought possible. And next time, they
“NATO has put its frontline forces on our borders,” Putin said in his Munich speech. The alliance’s expansion, he continued, represents “a serious provocation that reduces the level of mutual trust. And we have the right to ask: against whom is this expansion intended?” Putin’s unspoken answer to that question was, of course, Russia—and himself.
Still, NATO never treated the Estonian cyberattacks as an overt act of aggression by the Russian state against one of NATO’s own.
In the end, NATO did essentially nothing to confront Russia in response to the Estonian attacks. Putin, it seemed, had tested a new method to bloody the nose of a NATO country with plausible deniability, using tools that were virtually impossible to trace to the Kremlin. And he’d correctly judged the lack of political will to defend NATO’s eastern European members from an innovative new form of mass sabotage.
Russia’s gains from its brief war with Georgia, however, were tangible. It had consolidated pro-Russian separatist control of Abkhazia and South Ossetia, granting Russia a permanent foothold on roughly 20 percent of Georgia’s territory. Just as in Ukraine in 2014, Russia hadn’t sought to conquer or occupy its smaller neighbor, but instead to lock it into a “frozen conflict,” a permanent state of low-level war on its own soil. The dream of many Georgians, like Mshvidobadze, that their country would become part of NATO, and thus protected from Russian aggression, had been put on indefinite hold.
The Russians had sought to dominate their enemy in every domain of war: land, sea, air, and now the internet. Georgia was the first crude experiment in a new flavor of hybrid warfare that bridged the digital and the physical.
Stuxnet had propagated far beyond its Natanz target to infect computers in more than a hundred countries across the world. Other than in the centrifuge caverns of Natanz, those collateral infections hadn’t caused physical destruction. But they had blown the ultrasecret malware’s cover, along with an operation that had been millions of dollars and years in the making.
Even in spite of its confusion and mangled centrifuges, the facility actually increased its rate of uranium enrichment over the course of 2010, at times progressing toward bomb-worthy material at a rate 50 percent faster than it had in 2008. Stuxnet might have, if anything, only slowed the acceleration of Ahmadinejad’s program.
Lee saw that ICS-CERT statement as practically a cover-up. By questioning BlackEnergy’s role in the attack, or even its existence on the utilities’ network, the DHS was obscuring a key fact: that the hackers who’d planted that malware had used the same tool to target American utilities just a year earlier—that Americans, too, were at risk.
The 2016 presidential race wasn’t Fancy Bear’s first time using its skills to influence elections. In May 2017, a group of security researchers at the University of Toronto called the Citizen Lab would find forensic evidence that the group was also behind CyberBerkut, the pro-Putin hacktivist group that had in 2014 hacked Ukraine’s Central Election Commission. Like Guccifer 2.0 and DCLeaks, CyberBerkut was just another cover story.
“They’re still playing with us,” Yasinsky said. Each time, the hackers retreated before accomplishing the maximum possible damage, as if reserving their true capabilities for some future operation. “We can only hope that they’re not done playing yet.”
“They’re testing out red lines, what they can get away with,” Rid told me. “You push and see if you’re pushed back. If not, you try the next step.”
The hackers had, in other words, created an automated cyberweapon that performed the same task they’d carried out the year before, but now with inhuman speed. Instead of manually clicking through circuit breakers with phantom hands, they’d created a piece of malware that carried out that attack with cruel, machine-quick efficiency.
Snowden posited that Russia was using its breach of the NSA to put a mirror up to American accusations of reckless hacking, to warn the United States that Russia, too, could call out its adversary’s intrusion operations.
EternalBlue was designed to exploit a zero-day vulnerability in practically every version of Windows prior to Windows 8, a flaw in an old, obscure feature of Windows known as Server Message Block, or SMB. SMB allowed computers to share information, such as files and access to printers, directly from one to the next. And it contained multiple critical bugs that let anyone send SMB messages to a computer and gain full remote code execution on the target machine. With EternalBlue, the NSA’s hackers had coded that exploitation into a simple program capable of penetrating millions upon millions of computers around the world. Then
a sixty-seven-year-old former NSA staffer and developer for the agency’s Tailored Access Operations hacking team named Nghia Hoang Pho pleaded guilty to violating his security clearances. He’d taken home enormous troves of classified materials.
Russian government hackers had used their access to the antivirus software of Moscow-based Kaspersky Labs to steal a vast collection of NSA files from the home computer of a contract employee of the agency.
In sum, by the end of June 27, NotPetya had struck at least four hospitals in Kyiv alone, along with six power companies, two airports, more than twenty-two Ukrainian banks, ATMs, and card payment systems, and practically the entire federal government. According to ISSP, at least three hundred companies were hit, and one senior Ukrainian government official would later estimate that a total of 10 percent of all computers in the country were wiped; the country’s internet was literally decimated.
All told, Snabe estimated in his Davos comments, NotPetya cost Maersk between $250 million and $300 million. Most of the staffers I spoke with privately suspected the company’s accountants had lowballed the figure.
In total, the result was more than $10 billion in damages, according to a White House assessment confirmed to me by the former homeland security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official. Bossert emphasized, in fact, that this eleven-figure number represents a floor for their estimate, not a ceiling; it might well have been much higher. “While there was no loss of life, it was the equivalent of using a nuclear bomb to achieve a small tactical victory,” Bossert said. “That’s a degree of recklessness we can’t tolerate on
Americans ignored Ukraine’s escalating cyberwar in the face of repeated warnings that the attacks there would soon spread to the rest of the world. Then, very suddenly, exactly that scenario played out, at an immense cost.
That ID would allow the hackers to look up each legal entity that had registered with the Ukrainian government, creating an exact catalog of each potential victim before unleashing the worm into its system. If they’d wished to, they could have carefully avoided the vast majority of collateral damage, instead coordinating a campaign of precision-guided missile strikes.
“Anyone who thinks this was accidental is engaged in wishful thinking,” Williams said. “This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.”
For the rest of the summer, the fall, and into the winter of 2017, no victim of NotPetya outside Ukraine would name Russia as the perpetrator of the attack. Nor did any government other than Ukraine’s speak out to name the Kremlin. Russia seemed to have launched a cyberwar weapon that had crossed countless borders, violated practically every norm of state-sponsored hacking imaginable, and yet earned not a single reproach from the West.
The GRU was created by Lenin in 1918—and initially called the Registration Directorate, or RU—both to serve as the eyes and ears of the Red Army and to balance the power of the dreaded KGB, then known as the Cheka. The military spy agency’s mission, unlike the KGB’s, was assigned to foreign operations and didn’t share in the surveillance and elimination of domestic enemies that gave the KGB its terrifying reputation. That foreign focus meant that the GRU never needed to instill fear in Soviet subjects, as the KGB did.
Andrei Soldatov, one of the few Russian journalists and authors who has spent years investigating Russian intelligence agencies, told me that in the 1990s era of Russian cyberspying, Kremlin hacking and cybersecurity were dominated by an agency called FAPSI—the Federal Agency of Government Communications and Information—that acted as Russia’s equivalent of the NSA. In 2003, FAPSI was cannibalized by its intelligence siblings, with most of its key roles falling to the FSB, one of several agencies created from the remains of the KGB. The result, as Soldatov described it, was that the FSB took
Korabelnikov was eventually replaced in 2011 by Igor Sergun, who had both a closer relationship to Putin and far more talent at navigating the Kremlin’s treacherous maze. Then came a new minister of defense in 2012, Sergey Shoygu, who supported the GRU’s reemerging role as the tip of the spear of the Russian armed forces.
“From 2008 to 2014, the GRU was trying to re-demonstrate its role and value to the Kremlin. One way was getting more serious about cyber.”
The “long-distance, contactless actions” against enemy targets “throughout the entire depth of his territory” that Gerasimov described matched Sandworm’s modus operandi perfectly, from blackouts to NotPetya. Sandworm was not some aberrant or rogue element in the Russian armed forces. It was a direct expression of the strategy of its most senior leaders.
GRU hackers were more likely to wear a uniform and to work in actual GRU buildings, compared with other Russian agencies’ hackers. But that soldier mentality also meant GRU hackers had fewer qualms about carrying out high-risk or even highly destructive campaigns, Galeotti said.
A new theory crystallized in Hultquist’s mind. Unit 26165 was Fancy Bear. Unit 74455 was Sandworm. The operations of those two teams were tightly intertwined, different sides of the same GRU coin. And the addresses where they worked were now on full public display.
Finally, one security researcher sat down with me and openly admitted that he and others he knew did sell hacking tools to the Russian government—if indirectly. In his case, he offered a subscription service for zero-day vulnerabilities and the tools to exploit them. The targets of his hacking wares, he said, were industrial control system software.
The problem with that malware analysis approach, Lee explained, was that highly sophisticated hacking operations aren’t typically carried out by a single team working alone. Instead, like in any well-developed industry, the hackers inside any competent intelligence agency specialize. One team might be assigned only to build tools. Another might focus on gaining initial access to target networks. A third might be assigned to take over that foothold, monitoring implanted spyware or carrying out the next stage of the intrusion, like penetrating from the IT network to the computers that connect to
The statement was followed by two lists. One enumerated the aliases that the cybersecurity community had used for groups whose association with the GRU the British government could now confirm. Those names included practically every way of referring to all the known Russian players in the story of this book: “Fancy Bear,” “Black Energy Actors,” “Cyber Berkut,” “Voodoo Bear,” and finally “Sandworm.”
The document went on to list a series of operations it tied to those actors: NotPetya. Bad Rabbit. The attacks on the Democratic National Committee. The intrusions of the World Anti-Doping Agency. The attempted breach of the Organisation for the Prohibition of Chemical Weapons that Matonis had tied to Olympic Destroyer. For each of those operations, the National Cyber Security Centre st...
Russia’s cyberwar in Ukraine hadn’t, in fact, resulted in any concrete military wins, Hultquist pointed out. No territorial gains, enemy casualties, or other tactical victories. Its entire purpose was psychological: to reduce the will of the Ukrainian people to fight. “It’s not about specific changes on the battlefield. It’s about making people feel they’re not safe anymore,” Hultquist insisted. “There was no military, long-term objective. It was about a psychological objective, taking that war out of the eastern front and bringing it right to Kyiv.”
Just as election hacking is meant to rattle the foundations of citizens’ trust that their democracy is functioning, infrastructure hacking is meant to shake their faith in the fundamental security of their society,
Russia sets off its IEDs—NotPetya, interference in the U.S. election, the attack on the Olympics—as cheap, asymmetrical tactics to destabilize a world order that’s long ago turned against it.
Putin’s invasion of Ukraine broke the rules. So did the sloppy, reckless destruction NotPetya inflicted as part of that invasion, but on different grounds. But those rules drew red lines that still preserved the ability to carry out all manner of cyberattacks on civilian critical infrastructure. If any nation were instead to aim its cyberattacks carefully and start a war for the right reasons, against the right country, those red lines would offer no impediment. In that future cyberwar, in other words, the ends would justify the means.
American utility operators, more than Ukrainians, have learned to manage the generation and flow of power primarily through their computers and automated systems. Without those modern tools, they’re blinded. Ukrainian operators, by contrast, are far more accustomed to those tools’ failures, and thus ready to fall back on an analog option.