Kindle Notes & Highlights
Read between February 17 - March 18, 2025
“The question is not for whom the bell tolls,” Yushchenko warned. “The bell tolls for us all. This is a threat to every country in the world.”
He gave the elevator-pitch version of Sandworm’s history: Russian fingerprints, dangerous sophistication, targets stretching from Poland to the United States but clustering in Ukraine, with a disturbing focus on critical infrastructure. He noted that Russia’s actual, ongoing war with Ukraine was heating up and that it had increasingly metastasized from physical invasion to disruptive digital attacks on everything from media firms to government agencies. Pro-Ukrainian activists had retaliated against Russia with a lower-tech form of sabotage, tearing down pylons that supplied electricity to the Crimean peninsula, throwing the territory Russia had seized into a mass blackout. Putin, of course, blamed the Ukrainian government for the sabotage.
Lee saw how the intrusion had started. It began with a phishing email impersonating a message from the Ukrainian parliament. A malicious Word attachment had silently run a script known as a macro, a little program hidden inside the document, on the victims’ machines.
The Word script had planted an infection of BlackEnergy, the piece of malware that had by now become practically the official national disease of Ukrainian IT networks. From that foothold, it appeared, the hackers had spread through the power companies’ systems and eventually compromised a virtual private network, a tool the companies had used for remote access to their systems—including the highly specialized industrial control software that gives operators command over equipment like circuit breakers.
They’d overwritten the obscure code of the substations’ serial-to-ethernet converters, tiny boxes in the stations’ server closets that translated modern internet communications into a form that could be interpreted by older equipment.
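The intrusion chain above starts with a macro-bearing Office attachment. As an added illustration (not code from the book, and not the actual attachment), the script below shows the check a defender can run on such a file before it is opened: unpack the OOXML container, look for a `vbaProject.bin` part and the macro-enabled content type, and flag procedure names that Word runs automatically on open or close. The sample document is constructed in memory, and the substring match on the VBA binary is a heuristic assumed for this example; a production check should decompress the module source with a real VBA extractor such as oletools' olevba.

```python
"""Heuristic scan of an Office Open XML document for auto-executing VBA macros.

Added example, not the book's code. The sample .docm is constructed in memory
and its vbaProject.bin is a stand-in (assumption: only the procedure name
matters for this heuristic; real files need a proper OLE/VBA parser).
"""
import io
import zipfile

# Procedure names Word runs without any user click, on open or close.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec",
                   b"AutoClose", b"Document_Close")

# Content type Word assigns to a macro-enabled document (.docm).
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")


def scan_docx_bytes(data: bytes) -> dict:
    """Return findings for an OOXML document supplied as bytes."""
    findings = {"has_vba_project": False, "macro_enabled_content_type": False,
                "auto_exec_names": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # A vbaProject.bin part means VBA code is present, whatever the
        # file extension or content type claims.
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        findings["has_vba_project"] = bool(vba_parts)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled_content_type"] = MACRO_ENABLED_CT in ct
        for part in vba_parts:
            blob = zf.read(part).lower()
            # Substring match on the binary is a heuristic, not an OLE parse.
            for name in AUTO_EXEC_NAMES:
                if name.lower() in blob:
                    findings["auto_exec_names"].append(name.decode())
    findings["suspicious"] = (findings["has_vba_project"]
                              and bool(findings["auto_exec_names"]))
    return findings


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_ENABLED_CT if with_macro else PLAIN_DOCX_CT
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="%s"/></Types>' % main_ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a real vbaProject.bin (assumption for the example).
            zf.writestr("word/vbaProject.bin",
                        b"\x00\x01PROJECT\x00Module1\x00Sub AutoOpen()\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "plain", scan_docx_bytes(build_sample_document(flag)))
```

The point of checking the zip contents rather than the extension is that a `.docx` renamed from a `.docm` still carries its `vbaProject.bin`; the macro-enabled content type and the embedded part are independent signals, and either one on an attachment that should be plain text is worth quarantining.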
What if attackers didn’t merely hijack the control systems of grid operators to flip switches and cause short-term blackouts, but instead reprogrammed the automated elements of the grid, components that made their own decisions about grid operations without checking with any human?
In particular, Assante had been thinking about a piece of equipment called a protective relay. Protective relays are designed to function as a safety mechanism to guard against dangerous physical conditions in electric systems. If lines overheat or a generator goes out of sync, it’s those protective relays that detect the anomaly and open a circuit breaker, disconnecting the trouble spot, saving precious hardware, even preventing fires. A protective relay fu...
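The scenario Assante raises, reprogramming an automated element rather than flipping a switch, can be made concrete with a small relay model. The example below is added here and is not from the book: it implements the IEC 60255 "standard inverse" overcurrent curve, t = TMS * 0.14 / ((I/Is)^0.02 - 1), which is a real relay characteristic, and runs a constructed fault current through it twice, once with sane settings and once after an attacker has rewritten the pickup setting so the relay never sees the fault. The line ratings, the current samples and the settings are assumptions made for the illustration.

```python
"""Inverse-time overcurrent relay model, normal settings versus tampered ones.

Added example, not the book's code. The curve is IEC 60255 standard inverse;
the settings and the current waveform below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelaySettings:
    pickup_amps: float       # Is: current above which the relay starts timing
    time_multiplier: float   # TMS: scales the trip delay


def trip_time_seconds(current_amps: float, s: RelaySettings):
    """Seconds of sustained overcurrent before a trip, or None below pickup."""
    ratio = current_amps / s.pickup_amps
    if ratio <= 1.0:
        return None
    return s.time_multiplier * 0.14 / (ratio ** 0.02 - 1.0)


def run_relay(samples, s: RelaySettings, dt: float = 0.01):
    """Feed current samples (amps, one per dt seconds) through the relay.

    Uses the common integrating model (simplified: instant reset below pickup):
    while current exceeds pickup the relay accumulates dt / t(I) and opens the
    breaker when the accumulator reaches 1. Returns the trip time or None.
    """
    acc = 0.0
    for i, amps in enumerate(samples):
        t = trip_time_seconds(amps, s)
        if t is None:
            acc = 0.0
            continue
        acc += dt / t
        if acc >= 1.0:
            return i * dt
    return None


# Constructed scenario: a feeder carrying 380 A of load, then a 6000 A fault.
FAULT_SAMPLES = [380.0] * 20 + [6000.0] * 50          # 0.2 s load, 0.5 s fault
NORMAL_SETTINGS = RelaySettings(pickup_amps=600.0, time_multiplier=0.1)
# Attacker-written settings: pickup above any current the fault can reach.
TAMPERED_SETTINGS = RelaySettings(pickup_amps=60000.0, time_multiplier=0.1)


def compare_scenarios() -> dict:
    """Trip time under each settings set (None means the fault is never cleared)."""
    return {"normal": run_relay(FAULT_SAMPLES, NORMAL_SETTINGS),
            "tampered": run_relay(FAULT_SAMPLES, TAMPERED_SETTINGS)}


if __name__ == "__main__":
    print(compare_scenarios())
```

With the normal settings the 6000 A fault is ten times pickup and clears in roughly 0.3 s after it begins; with the tampered pickup the same current never crosses the threshold, so the relay reports nothing and the breaker stays closed while the fault persists. Nothing in the control room has to be "hacked" in real time for that to happen; the setting file alone carries the damage, which is why setting-change audit trails and read-back verification against a known-good baseline matter for relays.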
That option would be Stuxnet. It was a tantalizing notion: a piece of code designed to kneecap Iran’s nuclear program as effectively as an act of physical sabotage, carried out deep in the heart of Natanz, and without the risks or collateral damage of a full-blown military attack. Together with the NSA’s elite offensive hacking team, then known as Tailored Access Operations, or TAO, and the Israeli cybersecurity team known as Unit 8200, the Pentagon’s Strategic Command began developing a piece of malware unlike any before. It would be capable of not simply disrupting critical equipment in Natanz but destroying it.
Fortunately for the continued existence of the human race, enriching uranium to the purity necessary to power the world’s most destructive weapon is an absurdly intricate process. Uranium ore, when it’s dug out of the earth, is mostly made up of an isotope called uranium-238. It contains less than 1 percent uranium-235, the slightly lighter form of the silvery metal that can be used for nuclear fission, unleashing the energy necessary to power or destroy entire cities. Nuclear power requires uranium that’s about 3 to 5 percent uranium-235, but nuclear weapons require a core of uranium that’s
This is where centrifuges come in. To enrich uranium into bomb-worthy material, it has to be turned into a gas and pumped into a centrifuge’s long, aluminum cylinder. A chamber inside the length of that cylinder is spun by a motor at one end, revolving at tens of thousands of rotations per minute, such that the outer edge of the chamber is moving beyond the speed of sound. The centrifugal force pushing from the center toward the walls of that spinning chamber reaches as much as a million times the force of gravity, separating out the heavier uranium-238 so that the uranium-235 can be siphoned off. To reach weapons-grade concentrations, the process has to be repeated again
forest of thousands of those tall, fragile, and highly engineered whirling machines. Stuxnet was designed to be the perfect, invi...
They would pull on it for months to come, a detective story detailed in Kim Zetter’s definitive book on Stuxnet, Countdown to Zero Day.
The malware’s size and complexity alone were remarkable: It consisted of five hundred kilobytes of code, twenty to fifty times as large as the typical malware they dealt with on a daily basis.
No one in the security community could remember seeing a piece of malware that used four zero days in a single attack. Stuxnet, as Microsoft eventually dubbed the malware based on file names in its code, was easily the most sophisticated cyberattack ever seen in the wild.
So, like a highly evolved parasite, the malware instead piggybacked on human connections, infecting and traveling on USB sticks. There it would lie dormant and unnoticed until one of the drives happened to be plugged into the enrichment facility’s isolated systems. (Siemens software engineers might have been the carriers for that malware, or the USB malware might have been more purposefully planted by a human spy working in Natanz.)
Stuxnet would change the way the world saw state-sponsored hacking forever.
“We have those systems in the United States, and we can’t claim those systems to be any more secure than what Ukraine is running,” he later told me. In fact, the greater automation in the American grid might mean that it provided even more points of attack. “We were equally if not more vulnerable.”
Fancy Bear had emerged as brash practitioners of what intelligence analysts call “influence operations.” More specifically, they were using an old Russian intelligence practice known as kompromat: the tradition, stretching back to Soviet times, of obtaining compromising information about political opponents and using it to leverage public opinion with tactical leaks and smears.
free from any personal psychology. Become too emotionally invested, he argued, let your thinking be corrupted by your own anger or obsession or self-interest, and you begin to make mistakes. “You need a cold, clear mind,” Yasinsky said. “If you want to play well, you can’t afford to hate your opponent.”
To move between computers within Ukrenergo’s network, they had deployed a common hacker tool called Mimikatz, designed to take advantage of a security oversight in older versions of Windows that leaves passwords accessible in a computer’s memory. Mimikatz plucks credentials out of that ephemeral murk so that hackers can use them to gain repeated access to a computer, or to any others that a victim’s account could access on the same network.
more obscure trick, one that allows them to dig through memory when an application unexpectedly crashed, with sensitive credentials lingering in the “crashdump” of data that borked programs leave behind—a bit like grabbing and instantly copying the keys from a stalled car.
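Both techniques in the two highlights above, reading LSASS memory directly and harvesting credentials from a crash dump, leave traces a defender can watch for. The following is an added example, not code from the book: detection logic run over a handful of constructed Sysmon-style events. Sysmon's Event ID 10 (ProcessAccess, with a GrantedAccess mask) and Event ID 11 (FileCreate) are real; the sample events, the allowlist of processes that may legitimately open LSASS on this host, and the assumption that a crash dump of lsass.exe lands under a CrashDumps folder with a `.dmp` name are all assumptions made for the example.

```python
"""Detection of credential theft from LSASS memory over Sysmon-style events.

Added example, not the book's code. Sample events, the allowlist and the
dump-path convention are constructed assumptions for the illustration.
"""
import re

PROCESS_VM_READ = 0x0010          # right needed to copy another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes assumed to legitimately open LSASS memory on the example host.
ALLOWLISTED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# A dump file of lsass.exe, whether written on purpose (procdump, a MiniDump
# call) or left behind by Windows Error Reporting after a crash.
DUMP_NAME = re.compile(r"(^|\\)lsass(\.exe)?[^\\]*\.dmp$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict):
    """Return an alert string for one event, or None if it looks benign."""
    eid = ev["EventID"]
    if eid == 10 and _basename(ev["TargetImage"]) == "lsass.exe":
        access = int(ev["GrantedAccess"], 16)
        src = _basename(ev["SourceImage"])
        # Only a handle that can read memory matters; query-only opens are noise.
        if access & PROCESS_VM_READ and src not in ALLOWLISTED_SOURCES:
            return (f"lsass memory read by {ev['SourceImage']} "
                    f"(GrantedAccess={ev['GrantedAccess']})")
    if eid == 11 and DUMP_NAME.search(ev["TargetFilename"]):
        return f"lsass memory dump written: {ev['TargetFilename']} by {ev['Image']}"
    return None


def scan(events) -> list:
    """Run check_event over a sequence of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\Users\op\AppData\Local\CrashDumps\lsass.exe.1234.dmp"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Temp\report.docx"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The dump rule is what covers the "crashdump" trick: a dump written by WerFault.exe is not an attack by itself, but a file named after lsass.exe in a user-writable folder is exactly what the intruders would come looking for, so the alert should fire on its creation and again on any later read by a process that is not the error-reporting pipeline. On the prevention side, the "security oversight in older versions of Windows" that Mimikatz exploits is the WDigest provider's cached plaintext; Microsoft's fix (KB2871997 and the `UseLogonCredential` registry value) plus LSA protection (RunAsPPL) shrink what either technique can recover.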
American engineers, he argued, also have less experience with manual recovery from frequent blackouts than a country like Ukraine. Regional utilities in Ukraine, and even Ukrenergo in Kyiv, are all far more accustomed to blackouts from the usual equipment failures than American utilities. They have fleets of trucks ready to drive out to substations and manually switch the power back on, as Ukrainian utilities did in 2015 when the hackers first hit them. Not every hyper-automated American utility is prepared for that all-hands, on-the-ground manual override. “Taking down the American grid would
For every publicly known target, there was at least one secret victim that hadn’t admitted to being breached, and still other targets that hadn’t yet discovered the intruders in their systems.