Kindle Notes & Highlights
Read between February 1 - February 5, 2023
The discovery of Stuxnet began the same way as the discovery of Sandworm would years later: a zero day.
that took advantage of the way Windows displays the contents of a USB drive.
twenty to fifty times as large as the typical malware they dealt with on a daily basis. And as the researchers reverse engineered that code’s contents, they found it contained three more zero days, allowing it to effortlessly spread among Windows machines—an entire built-in, automated arsenal of masterful hacker tricks.
Before Iran’s engineers had repaired their vulnerabilities, the malware destroyed nearly a thousand more of their centrifuges, offering one last master class in cybersabotage.
BlackEnergy, KillDisk, rewritten firmware to lock out defenders, the telephone DDoS attack, disabling on-site electrical backups, and finally the phantom mouse attack that had hijacked the controls of the utility operators.
Security companies such as CrowdStrike and FireEye reported an almost immediate drop-off in Chinese intrusions—90 percent according to CrowdStrike—an unprecedented victory for cybersecurity diplomacy.
The security firm CrowdStrike, which the DNC had brought in to analyze its breach two months earlier, published a blog post identifying the pair of intrusion crews inside the Democrats’ network as Cozy Bear and Fancy Bear,
The original Guccifer had been a Romanian amateur hacker named Marcel Lehel Lazăr who had broken into the email accounts of high-profile figures like Colin Powell, the Rockefeller family, and the sister of former president George W. Bush.
kompromat: the tradition, stretching back to Soviet times, of obtaining compromising information about political opponents and using it to leverage public opinion with tactical leaks and smears.
October 7, 2016, Daniel used that hotline for the first and only time in his tenure, to send a message to Putin in response to Russia’s blatant election interference.
Those victims would eventually include Ukraine’s pension fund, Treasury, seaport authority, and Ministries of Infrastructure, Defense, and Finance. In each case, as in the year before, the attacks culminated with a KillDisk-style detonation on the target’s hard drives.
dynamic-link library, or .dll files, essentially collections of instructions they could call upon.
the information he’d presented about Russian grid malware had made its way to Director of National Intelligence Dan Coats, who’d passed on a snippet to President Trump. And the answer, as Lee tells it, had been “We’re not interested in talking about that.”
The new collection of files was the mother lode of immensely powerful hacking tools that the Shadow Brokers had promised from the start. After eight months of taunts and games, they had finally dropped an assortment of the NSA’s crown jewels. Cybersecurity analysts who downloaded the files counted more than twenty distinct hacking tools, all polished, professional, and ready to cause mayhem in the hands of even unskilled hackers.
one program in particular, which the NSA had code-named EternalBlue, that sent the cybersecurity community into an immediate frenzy.
EternalBlue was designed to exploit a zero-day vulnerability in practically every version of Windows prior to Windows 8, a flaw in an old, obscure feature of Windows known as Server Message Block, or SMB. SMB allowed computers to share information, such as files and access to printers,
WannaCry—an evocative name based on the .wncry extension it added to the file names after encrypting them. And soon it became clear exactly why the code was so virulent: It was using EternalBlue to spread.
Namecheap and bought that unattractive web address for $10.69. Hutchins hoped that in doing so, he might be able to steal control of some part of WannaCry’s horde of victim computers away from the malware’s creators. At least he might gain a tool to monitor the number and location of infected machines, a move that malware analysts call “sinkholing.”
WannaCry overlapped with a favorite backdoor program of a group of North Korean government hackers known as Lazarus.
In December of that year, a sixty-seven-year-old former NSA staffer and developer for the agency’s Tailored Access Operations hacking team named Nghia Hoang Pho pleaded guilty to violating his security clearances. He’d taken home enormous troves of classified materials. He’d later tell a Maryland court that after bad performance reviews he’d merely sought to study the materials as a way to get ahead in his work. Pho was sentenced to sixty-six months in prison.
Moscow-based Kaspersky Labs to steal a vast collection of NSA files from the home computer of a contract employee of the agency. The contractor, the report stated, had been foolish enough to not only violate his clearances and bring the top secret material home but also to run Kaspersky’s software, which—like most antivirus programs—included a capability that allowed the program to upload files to the company’s remote servers for analysis.
About two weeks after the attack, Maersk’s network had finally reached a point where the company could begin reissuing personal computers to the majority of staff.
Indeed, in the wake of NotPetya, IT staffers told me that practically every security feature they’ve asked for has been almost immediately approved.
the result was more than $10 billion in damages, according to a White House assessment confirmed to me by the former homeland security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official. Bossert emphasized, in fact, that this eleven-figure number represents a floor for their estimate, not a ceiling; it might well have been much higher.
traffic delay of less than five minutes in an ambulance caused patients to die 4 percent more often in hospitals over the following thirty days.
the rack of M.E.Doc servers that had played the role of patient zero in the NotPetya pandemic. They confiscated the offending machines and put their hard drives in black plastic bags.
NotPetya’s lightly obfuscated code, he saw that the worm was being triggered by a file on victims’ machines called ezvit.exe—a component of the M.E.Doc accounting application.
They’d piggybacked on the software’s actual, legitimate update mechanism, akin to corrupting the entire tea supply of India.
Trump’s nihilistic denials had made Russia’s hacking of American election targets a subject for debate—in the face of mounting, incontrovertible evidence—leaving no space for even a discussion of the vastly more aggressive hacking of critical institutions in Ukraine. At the same time, Trump had overtly praised Putin, repeatedly calling him a “strong leader” in public comments and even complimenting his response to the Obama administration’s sanctions.
borders of Russia’s enemy. “Anyone who thinks this was accidental is engaged in wishful thinking,” Williams said. “This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.”
NotPetya reminds us, distance is no defense. Every barbarian is already at every gate.
President Trump’s unwillingness to acknowledge the Russian hacking that had aided his campaign now extending to all Russian hacking, no matter how destructive? Or was his administration simply incompetent or misinformed? “They’ve never even named the actor,”
Nakashima’s report didn’t merely suggest that the U.S. government strongly believed the Russian state was behind the attack. It also went on to name the exact organization NotPetya’s programmers worked for: the Main Center for Special Technology, or GTsST,
Sandworm focused on sophisticated infrastructure disruption while Fancy Bear practiced noisy, more basic hacking operations like political leaks and smear campaigns.
Sandworm and Fancy Bear were both hacker teams within the GRU.
organizational structure. For decades, it hid the very fact of its existence. The GRU was created by Lenin in 1918—and initially called the Registration Directorate, or RU—both to serve as the eyes and ears of the Red Army
The defeat of the enemy’s objectives is conducted throughout the entire depth of his territory.
“The use of asymmetric and indirect operations.” As the prime example of this new form of war, Gerasimov had pointed to the Arab Spring revolutions across North Africa, arguing they showed how external political factors could weaken or destroy a regime. That part of his analysis reflected the dubious conspiracy theory—no doubt commonly held within the Kremlin—that the uprisings in Tunisia, Egypt, and Libya had all somehow been secretly fomented by Western governments. But as Galeotti wrote in his commentary on the Gerasimov article, the Arab Spring comparisons seemed to be only a pretense to
Galeotti and Giles emphasized to me that there is no distinction in common Russian vocabulary between “information war” and a concept of “cyberwar” that suggests disruptive or physical consequences of hacking. Both fall under the same term, informatsionnaya voyna.
consequences arrived: The U.S. Treasury announced new sanctions against nineteen people and five organizations. Most of the named individuals, however, seemed to have nothing to do with NotPetya.
so-called watering hole attack, the technique of hacking certain websites to infect those sites’ visitors.
Both APT3 and APT10 had been named by multiple cybersecurity companies as likely linked to the Chinese government.
“Russian Spies Hacked the Olympics and Tried to Make It Look Like North Korea Did It, U.S. Officials Say.”
“I think 7-4-4-5-5 is Sandworm,”
He meant that Sandworm was Unit 74455 of the GRU.
The document even named the specific GRU unit most of the hackers worked for—26165—and the address of its building in Moscow: 20 Komsomolsky Prospekt.
Unit 26165 was Fancy Bear. Unit 74455 was Sandworm.
the software, the servers, and the hands on the keyboard—might all be the work of different teams.
The animal was the GRU, working in the service of the Russian Federation and its president, Vladimir Putin.