Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Each of those Dune references was tied, like the first two he’d found, to a lure document that revealed something abo...
One was a diplomatic document discussing Europe’s “tug-of-war” with Russia over Ukraine as the country struggled between a popular movement pulling it toward...
Thanks to the hackers’ helpful Dune references, all of those disparate attacks could be definitively tied together.
the hackers’ broader attack campaign stretched back not just months but years. The earliest appearance of the Dune-linked hackers’ lures had come in 2009. Until Robinson had managed to piece together the bread crumbs of their operations, they’d been penetrating organizations in secret for half a decade.
After six weeks of analysis, iSight was ready to go public with its findings: It had discovered what appeared to be a vast, highly sophisticated espionage campaign with every indication of being a Russian government operation targeting NATO and Ukraine.
As Robinson had painstakingly unraveled that operation, his boss, John Hultquist, had become almost as fixated on the work of the Russian hackers as the malware analysts scrutinizing its code were.
For all the hackers’ clever tricks, Hultquist knew that getting any attention for their discovery would still require media savvy. At the time, Chinese cyberspies, not Russian ones, were public enemy number one for the American media and security industry.
Companies from Northrop Grumman to Dow Chemical to Google had all been breached by Chinese hackers in a series of shocking campaigns of data theft—mostly focused on intellectual property and trade secrets—that the then NSA director, Keith Alexander, called the “greatest transfer of wealth in history.”
Robinson, a Dune fan since he was a teenager, suggested they label the hacking operation “Bene Gesserit,” a reference to a mystical order of women in the book who possess near-magical powers of psychological manipulation. Hultquist, who had never actually read Frank Herbert’s book, vetoed the idea as too abstruse and difficult to pronounce.
Instead, Hultquist chose a more straightforward name, one he hoped would evoke a hidden monster, moving just beneath the surface, occasionally emerging to wield terrible power—a name more fitting than Hultquist himself could have known at the time. He called the group Sandworm.
When the company went public with its discovery of a five-years-running, zero-day-equipped, Dune-themed Russian espionage campaign, the news had rippled across the industry and the media,
Robinson remembers toasting Hultquist with a glass of vodka, in honor of the new species of Russian hacker they’d unearthed.
Wilhoit knew iSight by reputation and John Hultquist in particular and made a note to take a closer look at the end of the day. He sensed that discoveries as significant as iSight’s tended to cascade. Perhaps it would shake loose new findings for him and Trend Micro.
Among those bits of evidence, like the plastic-bagged exhibits from a crime scene, were the IP addresses of the command-and-control servers the BlackEnergy samples had communicated back to.
As the night wore on and the bar emptied out, Wilhoit and Gogolinski began to check those IP addresses against Trend Micro’s own archive of malware and VirusTotal, to see if they could find any new matches.
The file he’d found, config.bak, also connected to that Swedish machine. And while it would have looked entirely unremarkable to the average person in the security industry, it immediately snapped Wilhoit’s mind to attention.
industrial control systems, or ICS—also known in some cases as supervisory control and data acquisition, or SCADA, systems. That software doesn’t just push bits around, but instead sends commands to and takes in feedback from industrial equipment, a point where the digital and physical worlds meet.
ICS applications run factories, water plants, oil and gas refineries, and transportation systems—in other words, all of the gargantuan, highly complex machinery that forms the backbone of modern civilization and that most of us take for granted.
One common piece of ICS software sold by General Electric is Cimplicity, which includes a kind of application known as a human-machine interface, essentially the control panel for those digital-to-physical command systems.
This Cimplicity file didn’t do much of anything—except connect back to the Stockholm server iSight had identified as Sandworm’s. But for anyone who had dealt with industrial control systems, the notion of that connection alone was deeply troubling. The infrastructure that runs those sensitive systems is meant to be entirely cut off from the internet, to protect it from hackers who might sabotage it and carry out catastrophic attacks.
The companies that run such equipment, particularly the electric utilities that serve as the most fundamental layer on which the rest of the industrialized world is built, constantly offer the public assurances that they have a strict “air gap” between their normal IT network and their industrial control network.
fraction of cases, those industrial control systems still maintain thin connections to the rest of their systems—or even the public internet—allowing engineers to access them r...
The link between Sandworm and a Cimplicity file that phoned home to a server in Sweden was enough for Wilhoit to come to a startling conclusion: Sandworm wasn’t merely focused on espionage. Intelligence-gathering operations don’t break into industrial control systems. Sandworm seemed to be going further, trying to reach into victim...
“They’re gathering information in preparation to move to a second stage,” Wilhoit realized as he sat in the cool nigh...
“They’re possibly trying to bridge the gap between digital and kinetic.” The hackers’ goals seemed to extend beyo...
They skipped all their meetings the next day, writing up their findings and posting them on Trend Micro’s blog. Wilhoit also shared them with a contact at the FBI who—in typically tight-lipped G-man fashion—accepted the information without offering any in return.
Suddenly those misfit infrastructure targets among Sandworm’s victims, like the Polish energy firm, made sense. Six weeks earlier, iSight had found the clues that shifted its mental model of the hackers’ mission from mere cybercrime to nation-state-level intelligence gathering.
Now Hultquist’s idea of the threat was shifting again: beyond cyberspying to cyberwar. “This didn’t look like classic espionage anymore,” Hultquist thought. “We were looking at reconnaissance for attack.”
Like many others in the cybersecurity industry, and particularly those with a military background, he’d been expecting cyberwar’s arrival: a new era that would finally apply hackers’ digital abilities to the older, more familiar worlds of war and terrorism.
Since his army days a decade and a half earlier, he’d learned to think of adversaries as ruthless people willing to blow things up, to disrupt infrastructure, and to kill him, his friends, and innocent civilians he’d been tasked to protect.
Their job was to roll around the countryside in a six-man team, meeting with the heads of local villages in an effort to win hearts and minds.
“It was high adventure.” He let his black beard grow wild and came to be known within the unit as Teen Wolf.
His Civil Affairs unit’s motto, printed across a badge on their uniforms’ shoulder, was vis amplificans vim, a phrase his superiors had told him roughly translated to “force multiplier.”
The idea was to build relationships with local civilians that would aid in and expand on the less subtle work of expelling and killing the Taliban; they were the car...
They’d have lunch with a group of village elders, ask them what they needed over a meal of goat and flatbread, and then, say, dig them a well. “Sometimes we’d come back a couple weeks later and they’d t...
In those early days of the war, the Taliban had already mostly fled the country, evaporating away from the initial U.S. invasion into the mountains of Pakistan. As they slowly began to slip back into Afghanistan in the m...
Just days later, those same bomb technicians were killed when explosives they were defusing in a hidden Taliban rocket cache suddenly detonated. Hultquist and his unit were the first to the scene and spent hours collecting their dismembered body parts.
In Iraq, the war quickly shifted to a hunt for a largely invisible force of saboteurs planting hidden makeshift bombs, a highly asymmetric guerrilla conflict. Hultquist learned how psychologically devastating those repeated, unpredictable, and lethal explosions could be.
The gunner on top of the vehicle, however, had died instantly in the blast. When the bomb had gone off, he’d had grenades strapped to his chest so that he could quickly feed them into the launcher. Hultquist still remembers the sound of those grenades exploding one by one as the man’s body burned.
He was assigned to focus on the problem of highway safety and later the security of water systems and railways, thinking up countermeasures to grim scenarios like attackers plowing large vehicles into crowds or planting bombs in vehicles’ cargo holds, as terrorists had done in Sri Lanka in cases he studied.
He was introduced to the digital side of those security threats only in 2006, when he joined the State Department as a junior intelligence analyst contractor, tasked mostly with helping to protect the agency’s own networks from hackers.
In the mid-2000s, a series of intrusions known as Titan Rain, believed to be carried out by cyberspies working for China’s People’s Liberation Army, had broken into Lockheed Martin, Sandia National Labs, and NASA.
By the time Hultquist started his job at State, reports were surfacing on an almost weekly basis of Chinese espionage that had breached the networks of targets from defense contractors to tech companies. “They were stealing all of our intellectual property, and all of our attention,” Hultquist says of the Chinese hackers.
In 2007, for instance, Estonia had come under a punishing, unprecedented barrage of DDoS attacks that all seemed to originate in Russia. When Estonian police cracked down on riots incited by the country’s Russian-speaking minority, targeted floods of junk traffic knocked Estonia’s government, media, and banking sites off-line for days in a networked blitzkrieg like nothing the world had ever seen before.
The next year, when war broke out between Russia and Georgia, another of its post-Soviet neighbors, crude cyberattacks pummeled that country’s government and media, too.
Russia, it seemed to Hultquist, was trying out basic methods of pairing traditional physical attacks with dig...
He’d studied the Estonian and Georgian attacks, met with researchers who tracked them, and briefed senior officials. But he’d rarely been able to pull their attention away from the massive siphoning of state secrets and intellectual property being carried out by China’s...
Now, years later, iSight’s Sandworm discovery had put Hultquist at the vanguard of what seemed to be a new, far more advanced form of Russian cyberwar. In the midst of Russia’s invasion into Ukraine, a team of Russian hackers was using sophisticated penetration tools to gain access to its adversaries...
He imagined sabotaged manufacturing, paralyzed transpor...
After he read Trend Micro’s report, Hultquist’s fascination grew: Sandworm had transformed in his mind from a vexing puzzle to a rare and dangerous geopolitical phenomenon.