This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

By some intelligence estimates, Russia never expected that Trump would actually win. Their main goal was to bruise Clinton and throw her victory into question. When Trump won that November, it was impossible to say, statistically, what impact Russian meddling had. Disinformation experts reported that the Russian kompromat had little effect. But I am not so sure. The numbers show that, in fact, Trump not only lost the popular vote by three million votes but received a smaller share of the vote than Al Gore, John Kerry, and Mitt Romney in their losing campaigns. It wasn’t so much that Trump won in 2016 as that Clinton lost. A number of longstanding voting trends either reversed or stalled in 2016. Black voter turnout—the very constituency Russian trolls aggressively targeted—declined sharply in 2016 for the first time in twenty years. And Trump’s 2016 victory margin in swing states was smaller than the total votes for Jill Stein, the Green Party candidate buoyed by Russian trolls. In Wisconsin, where Clinton lost by 23,000 votes, Stein won 31,000; in Michigan, where Clinton lost by 10,704 votes, Stein garnered 50,000.

The first sign that our cyberweapons were boomeranging back was the commotion outside London’s hospitals on May 12, 2017. Ambulances were getting diverted. Emergency rooms were turning people away. Patients were being rolled out of the operating room on gurneys, told their surgeries would have to be postponed to another day. Nearly fifty British hospitals had come under assault from the most vicious ransomware attack to hit the internet.

Russian railroads and banks, Germany’s railway, French automaker Renault, Indian airlines, four thousand universities in China, Spain’s largest telecom, Telefonica, Hitachi and Nissan in Japan, the Japanese police, a hospital in Taiwan, movie theater chains in South Korea, nearly every gas station run by PetroChina, China’s state owned oil company, and, in the United States, FedEx and small electrical utilities scattered around the country—were all held hostage by a red screen with a ticking countdown clock demanding $300 in ransom to decrypt their data. If they didn’t pay in three days, victims were told, the ransom would double. In seven days their data would be deleted for good. “Your important files are encrypted,” the ransom note read. “Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”

As analysts started dissecting the ransomware code, they dubbed the attacks WannaCry—not because the word perfectly encapsulated the way so many victims felt—but because of a tiny snippet left in the code: “.wncry.” As they teased the code further still, they discovered why the attacks had spread so quickly. The attackers had used a powerful catalyst, the stolen NSA exploit EternalBlue. It was an inconvenient detail that Trump officials were careful to omit from their talking points over the next several days, as the tally of damages climbed.

Hutchins’ last-second heroics made him a target for U.S. feds, who picked him up a few months later at the Las Vegas airport, en route home from Def Con, and charged him with writing malware early on his career. The case was a reminder to hackers everywhere that no good deed goes unpunished.

James Bond film GoldenEye, in which top-secret Soviet satellites armed with nuclear warheads, one nicknamed Petya, the other Mischa, prepare to trigger a nuclear electromagnetic pulse to take out power worldwide. But it did not take long before researchers could see the attack was vastly more sophisticated than that of Petya. It used not one but two stolen NSA tools—EternalBlue and another called EternalRomance—to spread. And it had baked in yet another formidable exploit, MimiKatz, a password-stealing tool developed by a French researcher five years earlier as a proof-of-concept exploit, to crawl as deep into victims’ networks as it could. In their haste, researchers dubbed the attack NotPetya.

At Merck, the pharma giant, factory floors stopped. The multinational law firm DLA Piper could not access a single email. The British consumer goods company Reckitt Benckiser would be offline for weeks. So would subsidiaries of FedEx. Maersk, the world’s largest shipping operator, was paralyzed and would sustain hundreds of millions of dollars in damages. India’s largest container port was turning shipments away. In the United States, doctors at hospitals in rural Virginia and across Pennsylvania were locked out of patient records and prescription systems. NotPetya had even spread to the far reaches of Tasmania, where factory workers at the Cadbury’s chocolate factory in Hobart watched in horror as their machines froze up with the same ransom message flashing across computers all over the world. The attack even backfired on Moscow. Computers at Rosneft, the Russian oil giant, went down too.

At the White House, Tom Bossert penned another op-ed for the Wall Street Journal blasting Russia for the attack and outlining a new American strategy for cyber deterrence. But Bossert’s op-ed never saw the light of day. The president ultimately kiboshed it—out of fear it might anger Trump’s friend, Putin.

Under Trump, things unraveled much more quickly, in a dimension few Americans could truly grasp. The agreement Obama had reached with Xi Jinping to cease industrial espionage ended the day Trump kicked off his trade war with China. Trump’s abandonment of the Iran nuclear deal—the only thing keeping Iran’s hackers on good behavior—unleashed more Iranian cyberattacks on American interests than ever before. The Kremlin—which had yet to feel much of any pain for its 2016 election interference or its hacks on the Ukraine and U.S. grids—never stopped hacking our election systems, our discourse or our infrastructure. Our fickle allies in the Gulf—the Saudis and Emiratis—only became more brazen in their choice of targets. Having avoided so much as a slap on the wrist for their brutal murder of Saudi journalist Jamal Khashoggi, the Saudis blinked and kept going. And cybercriminals continued to ravage American towns and cities with attacks, steadily raising their ransom demands from a few hundred bucks to $14 million. And desperate local officials were paying.

Almost as soon as Trump nullified the Iran nuclear deal, sensors all over the world lit up with Iranian cyberattacks. Initially these were phishing attacks aimed at European diplomats, in an apparent effort to gauge how likely our allies were to follow Trump out the door. But by the end of 2018 Iran’s hackers were slamming into U.S. government agencies, telecoms, and critical infrastructure at a rate we had never seen. They were now the most active nation-state hackers in our digital orbit, more prolific even than China.

It was only a matter of time before a patient adversary exploited them against us. And now it was all happening, so frequently in fact that most attacks never even made the headlines. They were hitting our nuclear plants, our hospitals, nursing homes, our brightest research labs and companies, and somehow, no matter how much I wrote, this all seemed to escape the consciousness of the average American, of the people now plugging in their Nests, Alexas, thermostats, baby monitors, pacemakers, lightbulbs, cars, stoves, and insulin pumps to the internet.

Once everything was wired, they ordered up a round of beers and fired off the first email over the internet. Within milliseconds, it left Zott’s via the bread truck’s mobile radio unit and traveled to a second network—the Pentagon’s Advanced Research Projects Agency Network, ARPANET—and on to its final destination in Boston. The dispatch was the first time two distinct computer networks were linked. In another year, three networks would be “internetworked” and the web as we know it would be well on its way.