CyberWire Daily - Andy Greenberg on the Sandworm Indictments. [Interview Selects]

Episode Date: January 1, 2021

This interview from November 6th, 2020 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Andy Greenberg on the Sandworm Indictments.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Andy Greenberg is a senior writer for Wired, responsible for security, privacy, and information freedom, and author of the most excellent book, Sandworm: A New Era of Cyberwar, and the Hunt for the Kremlin's Most Dangerous Hackers. Welcome to the show, Andy. Thank you, Rick. I'm glad to be here. Now, we asked you to join us today because just this past Monday, 19 October 2020, the
Starting point is 00:00:41 United States Department of Justice unsealed charges, including computer fraud and conspiracy against six of the hackers who allegedly are part of the hacker crew behind the cyber operations you so clearly articulated in your book. And we thought you might have some insight about what all this means. So thank you for doing that, kind of giving us a guidebook for how to understand all this stuff. Yeah, reading this indictment, to me, it's like very gratifying in a way. It's a kind of closure on years of tracking this group that, you know, at times, it felt like I was in a pretty small club of security researchers who even believed that this was one group that was carrying out all of these attacks. And now seeing, you know, six names and six faces being held accountable for this,
Starting point is 00:01:30 it's like a nice coda to the story. All right, so let's talk about that. Can you, maybe not everybody has read your book yet. And by the way, I highly recommend that they do. But can you give us a thumbnail sketch of what the book was about? And then we can talk about what the indictments mean. Sandworm is a group of Russian hackers that since late 2015 or so have carried out what I think is, you know, you could say is the first full-blown cyber war. Starting in Ukraine, they attacked pretty much every part of Ukrainian society with these data destructive attacks that hit media and the private sector and government agencies. And then ultimately, the electric utilities causing the first ever blackouts triggered by cyber attacks. Sandworm hit Ukraine's power grid not once but twice in late 2015 and then again in late 2016.
Starting point is 00:02:22 And then finally, this Ukrainian cyber war that Sandworm was waging, essentially, in the middle of 2017, kind of exploded out to the rest of the world with this cyber attack called NotPetya, a piece of malware that, a worm, a self-propagating piece of fake ransomware that was actually just a destructive attack
Starting point is 00:02:43 that spread from Ukraine to the rest of the world and took down a whole bunch of multinational companies, medical record systems and hospitals across the United States, and ultimately cost $10 billion in global damages, the worst cyber attack in history by a good measure. So the story of Sandworm is kind of a detective story about the security researchers across the private sector. I focus on a few different people who were kind of trying to track this group and figure out who they are and try to warn the world that this Ukrainian cyber war was soon going to spill out and hit us too. And then that is exactly what happened. And when that happens, the book kind of switches from a detective story to a disaster story. And I track
Starting point is 00:03:30 the effects of NatPetya across the world as it kind of causes this wave of devastation. So I had a couple of big takeaways that I really enjoyed from the book. And the first one is that for years, the last decade, we've had all these colorful adversary names like, you know, Cozy Bear and Fancy Bear and Cyber Bear Coot and Guccifer. And now even from the indictment, Telebots, Voodoo Bear and Hades or Hades. But your research and other researchers around the world have put that all back on the Russian GRU as the one responsible for all of that. I think that was fabulous. The real kind of heroes of my story of this book are the cybersecurity researchers that in many cases contributed to that attribution work that tied not just Sandworm, but also these other teams like Fancy Bear or APT28 or Cyber Bear Coot.
Starting point is 00:04:25 There's so many different teams. And it's been years of work to not only identify and distinguish those groups, but to tie them back to Russia, to the GRU, this one military intelligence agency, and then finally to different units in the GRU. military intelligence agency, and then finally to different units in the GRU. And even this week with the indictments, actual names, actual, you know, human beings. You mentioned that it was the most damaging cyber attack, cyber warfare of all time. And you also cover in the book that all of that was kind of a logical progression of the russian philosophy here which is i never say it right but the garrison garrison how do you say it the grass
Starting point is 00:05:11 yeah that guy yeah the general garrison of his philosophy which is basically battle your enemies on all fronts not only physical war but uh conventional with conventional attacks but terror economic coercion propaganda and and most recently in the last you know decade uh cyber um so i wonder if you can yeah well you know this idea that one paper by garasimov um it's been kind of like seen as a doctrine i wouldn't like i think that there's been a lot of criticism of of overstating the importance of that one paper, really. It was like in some Russian military journal.
Starting point is 00:05:50 But I do think that if you read that paper, setting aside all of the ways that the Gerasimov Doctrine has become this kind of... Setting aside all of the ways that people have tried to use the Gerasimov Doctrine to explain everything that Russia does, I think it's kind of tried to use the Grasimov Doctrine to explain everything
Starting point is 00:06:05 that Russia does. I think it's almost impossible not to see the connections between what this general is describing and what Sandworm has done. It's all about trying to kind of reach beyond the front in a military conflict and attack the enemy in places where they feel that they would otherwise be safe and to do so in a way that has psychological effects. And that is what Sandworm did here. I mean, Russia has been at war in eastern Ukraine since 2014. And this one unit of the GRU, it seems like their MO has been to reach into western Ukraine on the other side of the country and cause a blackout or the capital of Kyiv and attempt to cause a blackout that actually was intended to cause physical destruction
Starting point is 00:06:51 to great equipment in Kyiv. And then to release NotPetya, which was truly a kind of carpet bombing of the entire Ukrainian internet that destroyed the networks of hundreds of Ukrainian companies. So this is like a, this is a very Gerasimov-like pattern of trying to destabilize and undermine parts of the enemy's
Starting point is 00:07:14 society that are, you know, that go beyond traditional warfare. Well, and it's one thing to have some general write a paper and say, this is what I'm thinking. It's quite another to see the Russians use Ukraine as their personal learning lab about how they might apply those tactics and techniques, right, and see it come to fruition. And as they expand out to the rest of the Western world, I think it's pretty obvious. When I wrote the first cover story that I did about Sandworm for Wired, that was the kind of thesis that Russia is using Ukraine as a test laboratory for cyber war, and that we should expect that the capabilities that they display there will be used against us eventually, will be used against other targets around the world whenever it supports Russia's
Starting point is 00:08:02 strategic interests. I didn't expect that prediction to come true immediately. Actually, the week that my cover story published is the week that NaPetya spread from Ukraine and hit American companies and Western European companies and took down all of these networks around the world. But I think even more directly, you can see the ways that Russia experimented in Ukraine and then used those tactics when you look at the 2018 Olympics, where they created another piece of malware called Olympic Destroyer that was designed to disrupt and sabotage the IT backend of the Winter Olympics in Pyeongchang, Korea. That was really Russia, that was really sandworm, I should say. Taking something that they had experimented with in Ukraine, a country where they could
Starting point is 00:08:51 kind of get away with whatever they wanted, and using it much further afield, you know, against, you know, we talk about like Russia's near abroad, like that's their term for former Soviet nations where they exercise a lot of influence or want to at least. But this was in Korea and it was a global event and they still were willing to use these same tools to cause mayhem. Yeah, because at that time, nobody had really called them out, right? There was no government had said the Russians had done the not NotPetya, at least not really officially. And so I guess they felt free to expand their attack surface. I think that's right.
Starting point is 00:09:33 The Olympic destroyer attack on the Winter Olympics hit actually just six days before the White House called out NotPetya as a Russian military attack for the first time. So I think that you can see how failing to call out Russia, how failing to hold nations, this nation, accountable for those kind of reckless attacks just invites them to keep going. And then even after that statement about NatPetya and the sanctions for it that followed, which I think know, I think we have to give the U.S. government some credit for, there was no statements at all. There was nothing said about Olympic Destroyer, about the sabotage of the Olympics for fully two years.
Starting point is 00:10:17 Every government around the world was absolutely silent about it, which is truly kind of crazy making. Like, I still don't understand why that took so long to call out. And as a result, we just learned, according to US and UK intelligence, that Russian hackers were planning a repeat attack on the 2020 Tokyo Olympics that was only avoided, perhaps because the Olympics were delayed because of COVID-19. So that is what happens when you don't try to create accountability or do deterrence or even just like name the adversary or call them out. It's like they can continue with impunity. Nobody should be using cyber attacks to turn off the lights to civilians.
Starting point is 00:11:03 And yet nobody said anything. I mean, Ukrainian officials were pointing the finger at Russia, but no Western government even put out a statement about it. And it took two and a half years for the US and UK, the five eyes to kind of take notice of Sandworm. And by then it was already too late. And this Ukrainian cyber war had, you know, spread around the world and bitten us too. So why the indictments now? I can't say that I have a definitive answer. I mean, I've asked Justice Department officials if this is about the election and they say no, that, you know, this is just how long it takes to really get the evidence of who was at the keyboard doing what and have the basis for an indictment that will hold up in court.
Starting point is 00:11:52 Although it will probably never really go to trial. These guys will never actually see the inside of a courtroom. But it's hard to imagine that there's not some sense of the election in the calculus here. that there's not some sense of the election in the calculus here, because we know that the GRU, another part of the GRU, at least APT28, Fancy Bear, Microsoft has already warned that they were targeting hundreds of organizations over the last year, trying to breach them, and that many of them were political consultancies and political campaigns associated with the election, and that they were probably trying to do a kind of hack and leak operation as they did in 2016. So it seems to me like,
Starting point is 00:12:29 I mean, maybe it wasn't even intended to, but I kind of guessed that it was, that this indictment sends a message to the GRU that cut it out. Like if you were going to do something for this election, just remember, we are going to catch you. We're going to hold you responsible, just as we did for these older attacks. I know there's all that calculus and it's easy for
Starting point is 00:12:51 armchair cyber warriors like you and me to, you know, take potshots at it. But is there anything you could say about that? Is there, you could see reasons why governments would be reluctant to call out the Russians on this? Well, I think you're right. Like it's, I am an armchair cyber warrior at best. And, you know, I know that this stuff is hard. And I really, you know, as I was saying, like the criminal indictment is a remarkable document. And I'm amazed at the amount of work that clearly went into it. But I do think that we have to hold our public officials accountable, and we have to hold them accountable to holding Russia accountable. It doesn't seem that hard to me to put together the forensic evidence that I could see that these attacks were carried out by Russia and make a public statement about that.
Starting point is 00:13:44 In the book, I do these kind of exit interviews with the most senior cybersecurity officials in the Obama and then the Trump administration, J. Michael Daniel and then Tom Bossert. And they both, you know, they are smart guys and they have reasons for their decisions. But J. Michael Daniel, you know, he sort sort of was talking about weighing all of these different equities, as I think the Obama administration often, that's how they thought about things. But he didn't really tell me what all of those different interests were. And both Daniel and Bossert, one of the things that they both said was that we didn't call out those blackout attacks because we in the U.S. want to be able to carry out those attacks ourselves when we feel like it's justified. We want to leave that
Starting point is 00:14:31 tool on the table. You know, so it's not like it was negligence or laziness or something that resulted in that silence entirely. You know, it seems like it was a decision and it's one that I have to say I disagree with because I don't think it's wise to decide not to constrain Russia's use of these cyber attacks, because we want to be able to do the same when Russia is doing these cyber attacks in a way that's 10 times, 100 times as reckless as what Cyber Command does, for instance. instance. We in the United States, our hackers certainly have these same capabilities, but we restrain them out of, I don't know, like both legal concerns and ethical ones. And it doesn't seem like Russia is doing the same. So we would gain a lot more by creating a kind of Geneva Convention for Cyber War that we try to hold everybody to, then we would lose. But I think that for both of these administrations and for governments around the world, the attraction of this power, the ability to reach out and have effects in an enemy's country
Starting point is 00:15:36 is just too great. I often use this Lord of the Rings analogy. This ring is so powerful that everybody wants it for themselves and nobody wants to do the hard work of, you know, carrying it to Mount Doom and destroying it. Oh, man, that is the best analogy I have ever heard. We've definitely seen the escalation of this idea of continuous low-level cyber conflict. continuous low-level cyber conflict in the early part of the decade. It was minor annoyances, but the NotPetya and everything else after seems to be more significant. So, Andy Greenberg, thank you for being on the show. Everybody go read his book. It's fantastic.
Starting point is 00:16:20 Thanks for taking the time with us. Thank you, Rick. This was a fun conversation.
