CyberWire Daily - Andy Greenberg from WIRED on his book "Sandworm." [Special Editions]
Episode Date: November 11, 2019

In this CyberWire special edition, a conversation with Andy Greenberg, senior writer at WIRED and author of the new book "Sandworm - A New Era of CyberWar and the Hunt for the Kremlin's Most Dangerous Hackers." It's a thrilling investigation of the Olympic Destroyer malware, and an accounting of the new era in which we find ourselves, where nation states can target their adversaries' critical infrastructure, and the often unintended consequences that follow.
Transcript
Hello, everyone. I'm Dave Bittner. In this CyberWire special edition, my conversation with Andy Greenberg, senior writer at Wired and author of the new book, Sandworm, a new era of cyber war and the hunt for the Kremlin's most dangerous hackers.
and an accounting of the new era in which we find ourselves,
where nation-states can target their adversaries' critical infrastructure and the unintended consequences that can follow.
The story of Sandworm begins really in the fall of 2014,
when iSight Partners, this little security company that will later be acquired by FireEye,
spotted first a zero-day that was being used in the wild by some hackers,
and their Ukrainian office sent it to them. And they quickly tied the zero-day to a lure document
that was part of a campaign that, as they sort of sketched the full campaign, they could see
it was targeting Eastern Europe and NATO. It appeared at first to be this kind of pretty
wide-reaching espionage campaign.
As they looked closer, they saw that the victims were each cataloged with these campaign codes in the malware.
And each campaign code was a reference to the sci-fi novel Dune.
So they came up with the name Sandworm for this group because sandworms are these immense monsters in the Dune books.
But when they released their initial report on Sandworm,
it was actually Trend Micro that looked further and found that there was more than just espionage
going on here. There seemed to be reconnaissance for attacks on industrial control systems.
That report was followed by another from US-CERT that found that, in fact, Sandworm had successfully breached American utilities and planted its BlackEnergy malware. So this was no kind of traditional espionage. It was in fact preparation for disruptive attacks on industrial control systems. And that was essentially a kind of foreshadowing of what we would see the next year beginning to unfold in Ukraine and then eventually spreading to the rest of the world.
And so in terms of the state of things in the global community of industrial control systems
and people's perceptions about their vulnerability, where did we stand at that time?
So we had seen some intrusions on the electric grids publicly reported, some attributed to China, some to Russia. We had
never seen a confirmed actual blackout caused by hackers. The best example we had, in fact,
of hackers messing with physical systems was Stuxnet, which had occurred years earlier and
had not really been replicated. It was a very, very targeted US and Israeli engineered attack on the centrifuges in Iranian facilities.
It was a kind of targeted military strike on physical equipment. And we wouldn't see that
again until Sandworm in late 2015 turned out the lights in Ukraine for a quarter million civilians,
which was really the first time that kind of cyber physical attack had been applied to that scale,
that kind of indiscriminate scale that doesn't differentiate between military and civilian targets.
Let's walk through together the steps leading up to the actual blackout, the turning out of the lights.
What were they up to and to what degree were outsiders aware of their actions?
So in early 2014, Ukraine had a pro-Western revolution,
and Russia had responded almost immediately by invading the country physically
in Crimea, in the south, and in Donbass, this eastern region.
But that physical invasion was accompanied by wave after wave of digital attacks as well.
And they started in the fall of 2015, these data-destructive attacks that used both BlackEnergy, that Trojan, and then also a wiper tool called KillDisk. And they hit media, they hit transportation. Ultimately, they planted this BlackEnergy Trojan in electric utilities as well. In fact, four of them across the country.
At first, these were mysterious attacks. But as they kind of grew in number, it became clear
that Russia was carrying out some sort of cyber war in Ukraine. The full aggressive intentions
of Sandworm only really came to light in December of 2015, just before Christmas,
when they carried out this kind of
relentless campaign of blackouts across the country that were kind of just brutal in their
mechanics. Not only did they steal the credentials necessary to access the industrial control systems of these utilities, open the circuit breakers, using in some cases a phantom mouse attack that hijacked the actual mouse movements of the engineers. They rewrote the serial-to-Ethernet converters' firmware so that the operators were locked out, couldn't turn the power back on. They messed with the backup power supplies in the control rooms of these facilities so that they themselves were thrown into a blackout in the midst of this blackout. They used KillDisk to wipe all the computers, and they even bombarded the facilities with fake phone calls. It was just a kind of layer after layer of chaos, seemingly trying to impress some audience
or experiment with new techniques even.
And when I read about that, I was immediately interested in myself delving into this ongoing
cyber war.
And then, of course, it happened again a year later, the culmin movements happening from some remote
location, throwing switches throughout the plants with some of the control systems and
feeling powerless to do anything about it.
It's almost like a Hollywood idea of what hacking looks like.
The hackers took over their Citrix IT remote desktop tool and logged into their computers.
This is only in some of the facilities, but used that tool to perform this kind of phantom mouse attack
so that the engineers watched.
And I have a video of this that one of them recorded with his iPhone.
As no one is touching the mouse or the computer, the cursor moves across the screen, opening circuit breakers,
each one of which turns off the power to a large swath of the country.
It's kind of an industrial control system engineer's nightmare.
To what degree have people concluded
that these attacks were sort of demonstrations
of showing what the Russians' capabilities were?
Well, that was the conclusion that I began to hear as I talked to Ukrainians and to, you know, analysts around the world who were observing what was unfolding in Ukraine, that this seemed to be, among other things, because I think it was in part almost like terrorism designed to send a message to the Ukrainian populace to show them, you know, your government cannot keep you safe, to make Ukraine look like a failed state. But I think that there was this third motive in those series of escalating attacks, which was to see what Russia could do to develop their capabilities.
They basically already paid the price for their invasion of Ukraine.
They had been sanctioned for their physical invasion.
So everything else was kind of a freebie. They could do whatever they liked in Ukraine and attack Ukraine with whatever cyber means they wanted to try out because there was no further price to be paid. And every one of these attacks, no matter how successful it was, there was nothing to be lost, and they could gain a little bit more terror instilled in the Ukrainian populace and confirmation of a capability. You could see this happening in 2015.
The blackouts were manually performed.
They used it in some cases, that phantom mouse attack I described.
But then in late 2016, it was an automated attack.
And ESET and Dragos would analyze this piece of malware that was used in that second attack, called Industroyer or Crash Override, that was the first-ever blackout malware, essentially, that was designed to send commands directly to circuit breakers. And in this case, it kind of sent rapid-fire circuit breaker opening commands to a transmission station owned by Ukrenergo, the national utility of Ukraine, and caused a blackout for a significant fraction of the capital. But the significance of that, of course, was that this was the first piece of malware since Stuxnet that was designed to automatically interact with physical equipment like that. That kind of experimentation was sort of mysterious at the time because it was a sophisticated-looking piece of malware and really unique and custom made. And yet it only caused a one-hour blackout. And there was this question of why had the Russians done this just for a one-hour blackout in part of the capital? And Dragos, and particularly Joe Slowik, an analyst there,
has only in recent months come up with an answer for that, which was that actually there was this
mysterious part of that attack that attacked protective relays, these safety
systems that can monitor for overload of currents on electrical grid equipment. It turns out that
it looks like these hackers had actually intended to first turn off the power with this automated
malware and then attack the protective relays, putting them to sleep so that when the operators
turn the power back on, they might, in that action,
destroy their own physical equipment in this truly insidious plan.
And that could have led to actual burned lines, harmed staff could have destroyed transformers,
and the results could easily have been a blackout that lasted weeks rather than hours.
And the only reason that that didn't work was because of a kind of configuration error
in their protective relay exploit.
So that part of it fails.
When you look at these things,
it's like Russia has no tactical reason
to want to turn off the power.
It's not like that was part of their military plan
to turn off the power in Kiev
and then invade or something.
This was a kind of influence operation,
it seems like a terrorist attack
designed to scare people, to show Ukraine its capabilities, and to show, I think, for these hackers to show their superiors what they were capable of, probably to show the West as well and signal in some sense that we have this deterrent capability.
If you launch cyber attacks at us or attack our grid or prevent us from doing what we want to do, then we have this weapon in our arsenal.
Yeah, you mentioned that Russia was already under sanctions for their invasion of Crimea.
I mean, what was the global response to this?
How did the rest of the world react?
That's part of the story of the book is that the world did not really react to this series of attacks that just got more and more aggressive and indiscriminate.
The West, including the US, really just watched these attacks unfold in Ukraine and treated it as somebody else's problem.
This is Russia's sphere of influence.
We've sanctioned them for their illegal war.
We don't need to say anything.
It seemed to be the attitude about these unprecedented attacks. I mean, you would think that the first time in history that hackers actually turn off the power to civilians, the U.S. government would want to say something about that, like, hey, that's a red line that maybe you shouldn't cross, or, you know, this is a reckless act of indiscriminate aggression against civilians and will not be tolerated, no matter who the victim is. Ukraine is not a part of NATO. But nonetheless, it seemed to me that this was the sort of red line that we want to establish in cyber war. And yet nobody said anything, not after the first blackout and nor after the second. It seemed to me that this was what allowed these hackers, Sandworm, to escalate with impunity until they released what became the worst cyber attack in history.
It's interesting. You mentioned Dragos, and one of the characters throughout your book is Rob Lee, who I've spoken to many times on the CyberWire.
And it's sort of a running theme through the book that Rob shares his frustration with our response, or I suppose you could say our lack of it.
Yeah, Rob was one of the kind of Cassandras, not quite a whistleblower, but some sort of like one of the researchers who spotted what was going on early and tried to sound the alarm. I think that John Hultquist at FireEye is another,
and then the Ukrainians, of course, were trying to tell the world too, that something
dangerous was happening here. And I think, you know, they did even say to me that what happened
in Ukraine seems to be bound to spill out to the rest of the world, that what Russia was doing to
them in Ukraine, Russia would sooner or later do to the West as well.
And there was a kind of precedent for that because Russia had hacked the Ukrainian election, tried to spoof the results, actually, and just barely kind of failed. The Ukrainian Central Election Commission caught the fake results just in time before they were posted on their website. And then Russia meddled in the U.S. presidential election. At this point, we were seeing Russia mess with Ukraine's power grid. And the kind of logical conclusion was that maybe they would try that against targets further abroad as well, just as they had kind of tested out election hacking in Ukraine.
I initially wrote a story for Wired that kind of made that prediction.
It came true far more quickly than I expected in the form of NotPetya.
We published this story, the cover story in Wired that essentially said that what happened
to Ukraine should not be ignored because it would eventually spill out to the rest of
the world.
And the day that it hit newsstands was the day that NotPetya hit, a Russian attack on Ukraine that within hours spilled out to the rest of the world and became the worst, most expensive, devastating cyber attack ever.

Well, let's dig into NotPetya. You know, you mentioned earlier this notion that people were saying that these attacks would spill out into the rest of the world, and that is what happened with NotPetya, that it was, of course, this worm that looked like ransomware but wasn't.

It was just a destructive wiper that seemed to be targeted at Ukraine, but was entirely reckless in its scope. It spread initially by this Ukrainian accounting software, but that accounting software, M.E.Doc, was used by really anybody who filed taxes or did business or had partnerships in Ukraine. As I'm sure
everybody who listens to the show knows, it first hit Ukraine. It really carpet bombed the networks
there, but it immediately spread beyond Ukraine and hit a long list of multinational companies like
Merck and Maersk and FedEx and Mondelez. And these are massive multinationals. And in each case, it did hundreds of millions of dollars in damage, kinds of numbers that we've never seen anywhere before, totaling to $10 billion in total damages, according to a White House assessment, which is more than we'd seen, even in WannaCry the month before.

And again, the global reaction in terms of
additional sanctions or punishment or any sorts of action against Russia were what?
Well, initially nothing. And that was so vexing to not just me, but I had been speaking to people like John Hultquist and Rob Lee who had been warning about this group, and the Ukrainians. Now, I felt like I was part of this weird club of Cassandras who were saying,
watch out, this group is dangerous and its attacks are escalating and will hit us sooner or later.
But then they did hit us in the West. I mean, Merck eventually lost $870 million to NotPetya, and they're in New Jersey. This is an American company. And yet in the wake of NotPetya,
it took eight months for anyone to call out Russia
as the aggressor. That includes all of these companies who were simply totally unwilling to
name Russia as the source of this attack that had devastated their balance sheets.
I thought I was going crazy. I followed this group for a year at that point. I could understand
in this kind of cruel logic why the West would ignore these
attacks on Ukraine. You can make this kind of realist argument that that's Ukraine's problem,
it's not our problem. But once NotPetya spilled out and it hit all of these Western targets as well,
that of course was our problem. And yet nobody was saying anything. The US government didn't
say anything until February of 2018, eight months later.
None of the companies said anything.
I just couldn't understand this silence around what was starting to become clear to be the biggest cyber attack in history.
So what are your conclusions there?
I mean, was the silence coordinated?
I mean, obviously, President Trump has a peculiar affection for Russian leaders.
Was it at all related to that?
I never really got to the bottom of why it took so long to attribute NotPetya. Because after all, ESET, the Slovakian cybersecurity firm, they found forensic connections between NotPetya and the BlackEnergy attacks, which they call TeleBots. But, you know, everybody else calls Sandworm. Within days of NotPetya, they could kind of show this sort of interlinked series of components used in those early attacks that evolved into NotPetya.
It was very clear that this was Russia to me from the beginning.
And of course, it's like, who else is going to be targeting Ukraine?
I mean, it's confusing because NotPetya not just spilled out to Russia, too. And that, I think, speaks to the fact that the damage done to the West was probably collateral damage, like the damage done to Russia. But it was totally avoidable collateral damage. It would have been easy for NotPetya's creators to filter its infections using the actual tax ID numbers that were available in the M.E.Doc software that they hijacked.
They could have made sure that the attack only hit Ukraine, and they didn't.
But yeah, I don't know why the US government was so slow to do this.
I think maybe the attribution took a long time.
It could be also a factor that nobody wanted to go into the Oval Office and talk to
President Trump, of all people, about Russian hacking, that that was just a kind of uncomfortable
subject, and one that you were not rewarded for bringing up in an intelligence briefing.
I ultimately couldn't kind of get the palace intrigue in the White House to understand why
it took so long. But eventually,
I did hear the story from, you know, Tom Bossert of the decision to finally call out Russia eight months later. You know, I don't want to take credit away from the White House for eventually acting and calling out Russia and imposing sanctions. In fact, coordinating this attribution that all five Five Eyes carried out together, Canada, Australia, the UK, New Zealand, all together named NotPetya as a Russian act.
It took a long time to do it.
The real mistake, in my eyes, is that we waited until it hit us to make that call.
When everyone knew that this highly dangerous group of hackers
was escalating its attacks on Ukraine and doing things
that should not have been acceptable in the first place. We waited for it to bite us before we took
action. Was there any sort of disconnect in your mind between the sophistication of the attacks
against the power plants in Ukraine and then, as you sort of described, the unintended consequences of NotPetya,
that perhaps there was some sloppiness there
that it got out of hand for them.
I think that this series of attacks
has always been kind of complicated
in its sophistication.
There have been parts of it
that seem to have taken incredible resources,
like the step-by-step mechanics of that 2015 blackout, and Industroyer or Crash Override, the tool used in 2016. When people initially found
it, they told me it was pretty sophisticated. It certainly was unprecedented. In more recent
analyses like Dragos has done, they've argued that it actually was kind of sloppy in its coding,
that parts of it were in fact broken. It did what it needed to do.
They didn't actually succeed in, for instance,
that protective relay attack
that might have caused far more damage.
In general, I would say this about hackers
linked to the GRU,
Military Intelligence Agency in Russia,
which is ultimately who Sandworm would be linked with.
They're 10 out of 10 in their aggression and brazenness, maybe like a 5 to 7 out of 10 in their sophistication. They're not exactly on the NSA's level, for instance, in the
actual perfection of their tools, and they don't seem to care about stealth at all, and they
certainly don't seem to care about restraints limiting the blast radius of their attacks.

So where do things stand now? To what degree did this serve as a global wake-up call to
the seriousness of these sorts of attacks? Have people stood up? Where do we stand?
I think that the story of NotPetya has not truly been recognized still by governments or companies around the world, the victims of the
attack have largely still not spoken about their experiences. I had to really bang my head against
the wall to get enough sources at Maersk, the world's largest shipping firm, to anonymously,
bravely tell me their personal experiences so that I could recreate what happened to Maersk.
And I don't think that recreation has actually even happened in the vast majority of NotPetya's global victims. NotPetya was named as a Russian act and was punished with sanctions.
But even before that announcement, Russia, in fact, the GRU, had also launched an attack on the PyeongChang Olympic Games in February of 2018.
And that has still never been called out by the global community.
That was another disruptive attack.
The PyeongChang Olympic organizers had to frantically rebuild their entire IT network the night before the Olympics began.
This attack hit at the moment of the start of the opening ceremony and could have caused, you know, if not for this kind of like heroic 12-hour marathon, massive
chaos at this global event attended by heads of state and foreign dignitaries. And yet, like,
we have still never heard a kind of global condemnation of Russia's attack on the Olympics.
That's in part, of course, because that Olympic Destroyer malware that was used was this very deceptive piece of code with layers of false flags in it.
But it's also just a kind of strange failure
of global diplomacy to recognize
the seriousness of these cyber attacks,
to call out Russia, to say, cut it out.
I think it has been a weak response.
NotPetya, you know, really pegged the meter. It was the worst thing we've ever seen. And that kind of only barely after eight months got a response. And yet there have been other attacks that never have. The full
scope of the cyber war that Russia has been carrying out in Ukraine, I think still hasn't
been fully recognized and reprimanded by the West.
Yeah, it's interesting.
I mean, you know, swinging back again to Rob Lee in the book, I believe he expresses frustrations that the U.S. is not leading the way, that the U.S. is not setting standards for what's
acceptable when it comes to these sorts of things around the world.
Yeah, I did interviews with both Tom Bossert and Michael Daniel,
who was a very senior cybersecurity official in the Obama administration.
And neither of them really was willing to say that we should,
well, first of all, neither of them actually did in their time in office,
actually call out Russia for its blackout attacks in Ukraine, for instance.
And when I asked them,
why not? They say, because that was essentially within the rules. We in the US, they say,
want to maintain the ability to do this ourselves in wartime. You know, if we are in what they
believe is a just war, we want to maintain this capability ourselves, use our cyber command to
turn out the lights if we want. I think that's
wrong. I think Rob Lee would argue that's wrong. It happens that in Ukraine, it was to begin with
an unjust illegal war. And that should have disallowed the use of these kinds of tools to
begin with. But I would say that we should go further and say that, you know, as Brad Smith
at Microsoft would say, we need a kind of Geneva Convention for the internet. And we should just never perform these kind of indiscriminate attacks
on the critical infrastructure of civilians. That doesn't seem like an unreasonable demand
of ourselves and the world.
Our thanks to Andy Greenberg for joining us. The book is Sandworm, a new era of cyber war and the hunt for the Kremlin's most dangerous hackers.

For everyone here at the CyberWire, I'm Dave Bittner. Thanks for listening.