The Vergecast - Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Episode Date: July 28, 2020. Verge editor-in-chief talks with Wired senior editor Andy Greenberg, author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Greenberg's book is all about a group of hackers inside the Russian government called Sandworm, who were responsible for damaging cyber warfare attacks in various countries over the past few years. Andy and Nilay discuss the origins of Sandworm, the intricacies of their attacks, and how they escalated what we think of as "cyber war."
Transcript
Hey everybody, it's Nilay from the Vergecast.
On this week's interview episode,
I talked to Andy Greenberg.
He's a senior writer at Wired.
He just wrote a book called Sandworm,
a new era of cyber war
and the hunt for the Kremlin's
most dangerous hackers.
It is all about a hacking group
inside the Russian government
called Sandworm.
They were responsible for some
of those damaging cyber warfare attacks
over the past year.
They were behind NotPetya,
the hack that took out
the Maersk shipping line,
they took out hospitals across the UK.
Sandworm has totally escalated what we think of as cyber war. Andy's book gets all into how they were discovered,
how they were flushed out, the intricacies of these various hacks. This conversation was super
interesting. The book is like a thrill ride. If you're looking for something that isn't the virus,
this is like a thriller. I highly recommend it. It was really fun to talk to Andy Greenberg about
this stuff. One thing I want to note, we're all at home. So during this interview, you might hear
some kids in the background. I ask you, just be a little forgiving of that. We're all dealing
with it. Andy was a great interview. Check it out. This is Andy Greenberg, author of Sandworm,
a new era of cyber war and the hunt for the Kremlin's most dangerous hackers.
Andy Greenberg, you're a senior writer at Wired. You're also the author of Sandworm,
the new era of cyber war and the hunt for the Kremlin's most dangerous hackers. Welcome.
Glad to be here. So you've been writing about cybersecurity for a long time. I think you just
said 2006 you've been writing about cybersecurity. But this book, Sandworm, as I was reading it,
it seems like, I mean, it's literally called the new era of cyber war. It seems like there's
been a huge turn in sort of state-sponsored, particularly Russian-sponsored cyber attacks. How did you
come on to that notion? How did you begin writing this book? I'm very curious how you see that turn
happening. Well, in late 2016, my former colleague at Wired Kim Zetter, she had been the one who
really covered state-sponsored hacking and cyber war stuff, but then she left Wired. And this was also
at the time when, you know, Russian hackers were meddling in the U.S. election. They'd hacked the Democratic
National Committee and the Democratic Congressional Campaign Committee and the Clinton campaign.
So my editors were really primed on state-sponsored hacking all of a sudden. But what they really,
what they told me they wanted was actually like a big takeover of the whole magazine all about
cyber war. But, you know, cyber war to me is different than those kinds of espionage and election
meddling tactics. So I went looking for, you know, a real cyber war story, which means to me,
like actual disruptive cyber attacks.
And as I looked around, it seemed like the place where that was really happening was in
Ukraine, not really in the U.S.
In fact, maybe what was happening in Ukraine seemed to me like it was in some ways the only
real, full-blown cyber war that was actually occurring where Russian hackers were not
just attacking the election, which they had done.
They tried to spoof the results of a presidential election.
But they had also, you know, attacked media and destroyed their computers.
they had attacked government agencies and tried to destroy entire networks.
And then they had turned off the power for the first time in December of 2015,
the first actual blackout triggered by hackers.
And just as I was looking into this, it happened again.
In fact, the same hacker group caused a blackout this time in the capital of Kiev.
So I went looking in Ukraine for this cyber war story that turned into a cover story for Wired
that kind of gave my editors what they wanted,
but then also kept unfolding.
I mean, this cyber war kept growing in scope and scale.
And the original story I'd written for Wired
was kind of about the fact that you could look to Ukraine
to see the future of cyber war,
that what was happening there might soon spread to the rest of the world.
And that is actually what happened too:
just after we published that cover story,
the same hackers released this climactic, terrible cyber attack in Ukraine,
this worm called NotPetya that spread beyond Ukraine and became the worst cyber attack in history,
costing $10 billion.
So when that happened, that was when I saw that there was the potential to do a book about
this, that it was not just a kind of case study about Ukraine or even a kind of predictive story,
but an actual full story arc about this one hacker group that had carried out what I would say
was not only the first real cyber war, but the worst cyber attack in history.
and I wanted to capture the arc of that story and the effects and the real experience of cyber war.
Yeah.
So the group is called Sandworm, and this is just one of the sort of opening arcs of the book,
is how they come to be named this because of references in the code.
Walk people through that.
It's just like it's so relatable that even these hackers are using this language that leads them to be called sandworm.
Tell people about it.
Yeah.
So when I started to look into the origins of this group,
After that second blackout attack, I found that this company called iSight Partners, which
has since been acquired by FireEye, was the first to find these hackers in 2014,
basically using phishing and kind of typical espionage tactics to plant malware in the networks of
very typical Russian hacking targets, like groups across Eastern Europe and NATO.
And it looked like what they were doing was just kind of typical espionage.
They were planting this spyware called BlackEnergy.
But, well, first of all, they could see that they were Russian because they had this server that they were using to administer some of these attacks.
And they had left the server open so anybody could look at it.
And there was a kind of Russian-language how-to file for how to use BlackEnergy on the server.
So these guys seemed like they were Russian.
But even more interesting in some ways was that, to track each victim, each instance of BlackEnergy, this malware, had a little campaign code in it.
And each campaign code was a reference to the science fiction
novel, Dune. And so, like, one of them was something about Arrakis. And then one of them is about
the Sardaukar, these like imperial soldiers in that sci-fi universe. So iSight Partners named this
group Sandworm because, well, just because it was a cool, like, name associated with Dune. But it
turned out, to me, it became this very powerful name because the sandworm is this monster that
lies beneath the surface and occasionally, you know, rises from underground
to do terribly destructive things.
And although iSight Partners didn't know that at the time,
they soon afterward realized that what Sandworm was doing was not just espionage,
but they were actually doing reconnaissance for disruptive cyber attacks.
They were also hacking power grids.
They were planting black energy,
not only in these European and Eastern European targets,
but in the U.S. power grid networks as well.
And then ultimately, Sandworm was the first, in 2015, to cross that line,
to use BlackEnergy as the first step in a multi-step attack that led to a blackout. So this was not
just espionage. It really was a kind of like, you know, this monster that rises from under the
ground to do terrible acts of like mass disruption that came to pass. So one of the things that
comes up over and over in the book is this growing sense of dread from security researchers and
analysts, oh, this is an imminent threat to the United States. It's not just Ukraine, but like this could be
happening here. And then there's a sense that the United States actually opened the door to this
kind of warfare with Stuxnet, which was an attack on Iran. How did those connect for you? It seemed
like there's a new rule of engagement, a new set of rules of engagement for cyber warfare that actually
the United States sort of implicitly created with Stuxnet by attacking Iran.
Yeah. I mean, I tried to highlight clearly Sandworm are the real bad guys in this story. They are
the actual hacker group that did these terribly reckless and destructive attacks that actually in some
cases put people's lives at risk. I mean, in some parts of this story, they actually shut down
medical record systems and I think, you know, may have cost people's lives with these cyber attacks.
So they are the actual antagonist here. But I did also want to highlight the ways that the U.S.
government is partially responsible for the state of cyber war. And there are a few ways that that's
true. I mean, first, the U.S. opened the Pandora's box of cyber war with Stuxnet, this piece of malware
that was used to destroy Iranian nuclear enrichment centrifuges. That was the first piece of malware
that actually kind of caused that physical disruption and destruction. And we now see sandworm doing the same
thing in Ukraine. And in fact, in some ways around the world. Also, you know, the U.S. hoards
these kind of zero-day secret hacking techniques, some of which were stolen and leaked
and used by Sandworm.
But then I think that in fact, the biggest way that I tried to highlight that the U.S.
is responsible or complicit or negligent here is that we did not call out what Sandworm
was doing in Ukraine and say to Russia, we know what you're doing.
This is unacceptable.
Nobody should be turning out the lights to civilians with cyber attacks.
There was no message like that.
I mean, the Obama White House sent a message to Russia over this kind of
cyber hotline to say, your election hacking is not okay, and we see what you're doing,
and we want you to stop. But they said nothing about two blackout attacks in Ukraine. And that
was a kind of implicit signal to Russia that they could keep escalating. And even as all these
cybersecurity researchers and Ukrainians were warning that what was happening to Ukraine would soon
spread to the rest of the world, the U.S. government ignored this, both Obama and then the Trump
administration until that prediction came to pass and a sandworm cyber attack did spread to the rest
of the world and it was too late and we all suffered globally as a result.
So let's talk about NotPetya.
NotPetya was catastrophic in scope, right?
It took out the Maersk shipping line, which is a massive business.
It took out some hospitals in the UK.
It was huge in scope.
I don't think people really put it all together.
Talk about how it started and how big it grew.
Yeah.
So NotPetya was the kind of like big apotheosis of Sandworm, where all of these predictions of the terribly destructive things they were doing spreading to the rest of the world came to pass.
But it did.
So it started in Ukraine.
They hijacked the software updates of this accounting software called M.E.Doc that is basically used by everybody in Ukraine, sort of like the Quicken or TurboTax of Ukraine.
If you do business in Ukraine, you have to have this installed.
So Sandworm hijacked the updates of that and used it to
push out this worm to thousands of victims, mostly in Ukraine, but it was a worm. So it spread
immediately. And it very quickly kind of carpet bombed the entire Ukrainian internet. Every computer
it spread to, it would encrypt permanently. You could not recover the computer. So it very
quickly took down pretty much every Ukrainian government agency, 22 banks, multiple airports,
four hospitals in Ukraine that I could count. And in each of these cases, what I say,
took them down. I mean, it destroyed essentially all of their computers, which requires sometimes
weeks or months to recover from. But then, as, you know, this is a worm that does not respect national borders.
So even though it seemed to be an attack intended to disrupt Ukraine, it immediately spread beyond
Ukraine's borders to everybody who had this accounting software installed that was doing business in
Ukraine and some people who didn't. So that included Maersk, the world's largest shipping firm,
and FedEx and Mondelez, which owns Cadbury and Nabisco, and Reckitt Benckiser, this manufacturing firm that makes, you know, Tylenol, and Merck, the pharmaceutical company in New Jersey. Each of these companies lost hundreds of millions of dollars.
The scale of this is kind of difficult to capture, but in the book I try to, I focus in part on Maersk because it is just a, you know, it's a good company to look at because you can, they have this gigantic,
global physical machine.
They have 76 ports around the world that they own,
as well as these massive ships that have tens of thousands of shipping containers on them.
And I tell the story of how on this day,
17 of their terminals were entirely paralyzed by this attack
with ships arriving with just gargantuan piles of containers on them
that nobody could unload.
Nobody knew what was inside of them.
Nobody knew how to load or unload them.
And around the world, at these 17 terminals, thousands of trucks, semi-trailers carrying containers
were lining up and lines miles long because the gates that were kind of the checkpoints to
check in these trucks to drop something off or pick it up, they were paralyzed as well.
This was like a fiasco on a global scale.
Maersk is responsible for a fifth of the world's global shipping capacity, and they were
truly just rendered brain dead by this
attack. But yeah, this played out at all of these different victims. Merck had to borrow their own
HPV vaccine from the Centers for Disease Control because their manufacturing was disrupted by this.
And it ultimately spread to a company called Nuance that makes speech to text software. They have a
service that does this for hospitals across the U.S. So dozens of, or possibly hundreds of
American hospitals had this backlog of transcriptions to medical records that were lost
because of this. And that resulted in patients being due for surgeries or transfers to other
hospitals and nobody knew if their medical records were updated. I mean, this was at a scale
where hundreds of hospitals, each of which has thousands of patients, missing changes to medical
records, we don't know of what the effects of that were, but it very well could have actually
harmed people's health or lives. I mean, the scale of NotPetya is very difficult to just get your
mind around. But we do know that, you know, monetarily, it cost $10 billion, which is by far the
biggest number we've ever seen. But it also had this, you know, this kind of harder to quantify
toll on people's lives. So it, you know, you obviously wrote about it at length in Wired.
Obviously, these companies go down. It sort of ripples in the mainstream sort of general press.
But I don't feel like people really know, like, oh, this Russian group called Sandworm,
sponsored by the Russian government,
unleashed this attack,
and it caused this cascading effect of failure
and disaster and cost.
And that, because we know we can attribute it to the government,
our government should respond.
I don't feel like that connection got made for people.
What is the gap between, oh, there was a hack
and, oh, this is actually a type of warfare engagement?
Because that connection seems very tenuous, I think,
for a lot of people,
even as sort of the more general mainstream press covers the stuff.
Yeah, I don't think that that is just like the nature of cyber war.
I think that was a failing, that lack of connection is a failing on our government's part
and you could say even on the part of some of these victims, like these large companies.
I mean, at the time that NotPetya happened, I was fully on the trail of Sandworm.
And within days, I was talking to cybersecurity researchers who had pieced together some of the forensics
to show that NotPetya was Sandworm,
that it was a Russian state-sponsored cyber attack.
And yet none of those companies that I mentioned,
like Merck or Maersk or FedEx or any of them,
wanted to say that Russia had done this to them.
And no governments were talking about it either.
Like the, well, the Ukrainian government was,
they're always willing to point the finger at Russia.
But the U.S. government was not.
And, you know, that to me seemed to be just kind of,
I mean, I felt like I was being gaslit at that point.
Like, I had watched Russia do this to Ukraine for a long time at that point.
And I sort of understood that NATO and the West, we had this kind of cruel logic that, you know, Ukraine is not us.
You know, Russia can do what it likes to Ukraine because they're not NATO, they're not EU.
They are Russia's sphere of influence or something.
I think that that's very wrongheaded, but at least it made sense, you know, to have that viewpoint.
But now this attack had spread from Ukraine to hit American
soil, American companies in many cases, and yet still the U.S. government was saying nothing.
I just thought this was bizarre.
And, you know, so I, for months, I was like trying to get any of these companies to tell
the story of their experience of NotPetya.
I was trying to figure out why the U.S. government wasn't talking about the fact that
this was a Russian cyber attack.
And ultimately, I think it was, I think it was kind of, I don't know, partly disorganization
and negligence, I think it may have something to do with the fact that the Trump administration
doesn't like talking about Russian hackers for obvious reasons.
But eight months after, it took eight months ultimately for the U.S. government to finally say
NotPetya was Russia.
It was the worst cyber attack in history.
And then a month later, the White House imposed consequences and put new sanctions on Russia
in response.
But it took nine months.
And more importantly, it took, you know, multiple years;
that was the first time. This was February of 2018, and the Russian cyber war in Ukraine had started
around the fall of 2015. So that's just an incredible span of negligence when the U.S.
government said nothing about these escalating, unfolding acts of cyber war that should have been
unacceptable from the very beginning. I mean, these are the kind of quintessential acts of
state-sponsored cyber attacks on civilians, turning out the lights. That's the kind of thing that
I believe that the U.S. government should have called out and, you know, drawn a red line across at the very beginning.
And it took years. So I do think there was a big failing of diplomacy.
It just seemed like that part of the problem. And this is kind of my next question is it's so hard to describe.
Like if the Russian government sent fighter jets to America and blew up a Maersk port, okay, like everyone understands.
You can see it. You can understand what happened there in the,
You know, there's like however many decades of movies about how to fight that war.
This is a bunch of people in a room typing, right?
Like, there's just an element of this where the danger is so ephemeral, where the attack is
invisible.
And that while the effects might be very, very tangible, the causes are still sort of mysterious
to people.
So my question is like, who is Sandworm?
What do we know about them?
Where do they work?
What are they like?
Do we have a sense of how this operation actually
operates? That was in some ways the biggest challenge of reporting this book, and I spent essentially
the third act of the book, the last third of the reporting of the book, trying to answer this
question of who is Sandworm, who are these people, where are they located, what motivates them?
And I guess to partially spoil the ending here, they are a unit of the GRU. They are part of
Russia's military intelligence agency, which is responsible for, you know, this is not
a coincidence. They are responsible for election meddling. They're responsible for the attempted
assassination of Sergei Skripal with chemical weapons in the United Kingdom. They're responsible
for the downing of MH17, a commercial passenger jet over Ukraine, where 300 innocent people
died. The GRU are this incredibly reckless, callous military intelligence agency, but they
act like kind of almost just cutthroat mercenaries around the world,
doing Russia's bidding in ways that are, I think, very scary.
So through essentially a combination of excellent work of a bunch of security researchers
who I was speaking to combined with some confirmation from U.S. intelligence agencies
and then ultimately some other clues from the investigation of Robert Mueller into election
meddling.
All of these things combined created a trail that led to one group within the GRU that
were, you know, I eventually had some names and faces and even an address of this group.
And all of that was actually only finally fully confirmed after the book came out, just in recent
months, when the White House, well, actually it was the State Department, as well as the UK and
Australian and other governments together, finally said, yes, Sandworm is in fact this unit of the GRU.
So this theory that I developed and posited near the end of the book was finally basically confirmed by governments just in recent months.
So one thing that strikes me about that is I think of the Russian military,
I think of the GRU as being foreboding, and obviously they're very, very good at this.
They're very buttoned up.
And then they have like an incredible social media presence that kind of pops up throughout the book that distracts from what they're doing.
They set up Guccifer 2.0 when they were doing the DNC hacks that fed to WikiLeaks.
That account insisted that it was just a guy.
They set up the Shadow Brokers, which was this.
I read it as just like, here are some goofballs.
Like they wanted to seem a lot dumber and a lot smaller than they were,
and they were very effective at it.
Have people, first of all, talk about those, that strategy.
And then I guess the question I have is, like, are we better at seeing that strategy for what it is?
Well, you make a really interesting point.
I mean, the GRU uses these false flags, like, throughout their recent history.
But I should say, we don't know that they were responsible for the Shadow Brokers.
In fact, nobody knows who the Shadow Brokers truly are.
And they are in some ways the biggest mystery in this whole story.
There's one group that hacked the NSA apparently and leaked a bunch of their zero-day hacking techniques,
or maybe they were even NSA insiders.
We still don't know the answer to that question.
But the other incidents you mentioned, the GRU are responsible for this Guccifer 2.0 fake hacktivist that leaked a bunch of the Clinton documents.
They're responsible for other false flags.
Like they at one point called themselves the Cyber Caliphate and pretended to be ISIS.
They've pretended to be like patriotic pro-Russian Ukrainians at some points.
They're always like wearing different masks and they're very deceptive.
And then in a later chapter of the book, one of the biggest attacks they did was this attack on the 2018 Olympics, where they not only wore a false mask, but they actually had layers of false flags, where as cybersecurity researchers dug into this malware that was used to destroy the entire back end of the 2018 Winter Olympics, just as the opening ceremony began.
I mean, this was a catastrophic event.
the malware had all of these fake clues that made it look like it was Chinese or North Korean or maybe Russian, but nobody could tell.
And it was like it was this kind of confusion bomb, almost designed to just make researchers throw up their hands and give up on attributing the malware to any particular actor.
And it was only through some amazing detective work by some of the analysts that I spoke to that they were able to cut through those false flags and identify that Sandworm was behind this,
essentially. But yeah, it is one very real characteristic of the GRU that they are almost,
they seem to almost take pleasure or like be showing off their deception capabilities too.
And they're evolving those capabilities. I mean, they are getting more deceptive over time
as they get more destructive and aggressive.
You know, I love to play the game of like imagine the meeting.
And you imagine the one set of meetings,
which is like the actual hackers,
finding the vulnerabilities,
figuring out how to jump from a Windows 8 computer
to some sort of physical hardware controller
that actually runs a turbine.
Like, that's a very hard problem in and of itself.
And then there's like the other meeting
where they're like,
what we're going to do is claim to be a guy,
called Guccifer 2.0. And like those aren't, they're not connected, right? But the way they,
throughout the book, the way they execute these campaigns, they're deeply connected. And that
seems like not only just a new kind of warfare, a new kind of craft, but something that just
consistently seems to work in like surprising ways. Like the tech press is going to be like,
Guccifer says this. And there's never that next step of, also we think it's the Russian
government. And that seems like, first of all, I'm dying to imagine the meeting. I would love to be a
fly on the wall of the meeting where they decide what their Twitter name is going to be today.
And then I'm very curious how they evolve those attacks in such a way that seems, it just seems to be
more and more effective over time. Yeah. I mean, I would also love to have been in those meetings.
And, you know, it's my one kind of regret in this book that I never actually got interviews.
I mean, it's almost an impossible thing to do.
Like, find defectors from the GRU or something
who will tell those stories and then not get murdered.
I mean, it's just kind of impossible.
But, yeah, and in some cases, you know,
I think to your earlier point,
they almost seem kind of bumbling in these things.
Like, they do them in a very improvisational way.
And Guccifer 2.0 seemed almost like it was just this thing
they invented on the spot to try to cover up some of the accidental slip-ups.
They had left Russian-language formatting errors in the documents that they had leaked from the DNC.
So they invented this guy who appeared the next day and started talking about being a Romanian.
And then my friend at Motherboard, Lorenzo Franceschi-Bicchierai, he started this conversation online with Guccifer 2.0
and basically proved that the guy could not actually properly speak Romanian and seemed to probably be a Russian speaker.
In fact, I mean, it was almost comical.
At the same time, they're using very sophisticated hacking techniques.
They're doing destructive attacks on a massive scale.
But they're also just, they seem like they're kind of making it up as they go along.
They do things that don't actually seem very kind of strategically smart.
They kind of seem like they're just trying to impress their boss for the day.
Sometimes with just like some, sometimes it just seems like the GRU wakes up and asks themselves, like, what can we blow up today?
rather than thinking, like, how can we accomplish the greater strategic objectives of the Russian
Federation?
You know, so they are fascinating in that way and a very strange and colorful group.
That's, I think, one of the biggest questions I have here is we spend a lot of time trying
to imagine what Vladimir Putin wants, you know, when he grows up.
But none of this seems targeted.
Like, what is the goal for Russia to disrupt the Winter Olympics, right?
Like, is there a purpose to that?
Is that just to strike fear?
Is it just to expand that sphere of influence?
Is it just to say we have the capability, fear us?
Has there ever really been the stated goal for this kind of cyber warfare?
That one is particularly mystifying.
I mean, you can imagine why Russia would want to attack the Olympics.
They were banned from the 2018 Olympics for doping.
But then you would think that they might want to attack the Olympics and send a message,
maybe like a deniable message, but a message that if you continue to
ban us, we're going to continue to attack you, like any terrorists would do. But instead,
they attacked the Winter Olympics in this way that really seemed like they were trying not to get
caught and to instead, like, make it look like it was Russia or North Korea. And then you have
to wonder, like, what is the point of that? Was it just that they could kind of, you know,
sit there in Moscow and kind of like rub their hands together and gleefully watch this chaos
unfold? It almost really does seem like it was this petty, vindictive thing that they just
for their own emotional needs,
wanted to make sure that nobody could enjoy the Olympics
if they were not going to enjoy them.
But that one is, I think, an outlier in some ways.
For the most part, you can kind of see that Russia is advancing,
that the GRU, that Sandworm is advancing,
something that does generally make sense,
which is that in Ukraine, for instance,
they're trying to make Ukraine look like a failed state.
They're trying to make Ukrainians lose faith
in their security services.
They're trying to prevent investors globally
from funneling money into Ukraine.
They're trying to create a kind of frozen conflict, as we say, in Ukraine,
where there's this constant perpetual state of degradation.
They're not trying to conquer the country,
but they're trying to create a kind of permanent war in Ukraine.
And with cyber war, you can do that beyond the traditional front.
And it is in some ways the same kind of tactic that they used in other places,
like the US, which, you know, here we saw it more as an influence operation that they were
hacking and leaking organizations like, you know, democratic campaign organizations and
anti-doping organizations to kind of sow confusion, to embarrass their targets. They're trying to
influence like the international audiences' opinion of these people. But in Ukraine, it is, in some
ways, just a different kind of influence operation where they're trying to influence the world's
view of Ukraine and influence Ukrainians' view of themselves and their governments to make them
feel like they are in a war zone, even when they're in Kiev, hundreds of miles from the actual
fighting that's happening on the eastern fronts in the eastern region of Ukraine.
So in a book, you go to Kiev, you spend time in Ukraine. Is there a sense in that country that,
well, you know, sometimes the light goes out. Sometimes our TV stations, their computers don't
boot anymore because they got rewritten, their hard drives got rewritten with
zeros. Like, is there a sense that this is happening? Is there a sense that they need to fight back?
Is there, does Microsoft deploy, you know, dozens of engineers to help fight back? How does that
play out on the ground there? Yeah, I mean, to be fair, Ukrainians are very stoic about these
things. And regular Ukrainian citizens were not bothered by, you know, a short blackout.
They didn't particularly care that, you know, this blackout was the first ever hacker-induced
blackout in history. But Ukrainian cybersecurity people were very unnerved
by this and people in these actual utilities were, you know, traumatized. I mean, these attacks were
truly, like, relentless and very, you know, kind of scary for the actual operators at the controls.
I mean, in the first blackout attack, these poor operators in a Ukrainian control room in
Western Ukraine, they were locked out of their computers and they had to watch their own
mouse cursors click through circuit breakers turning off the power in front of them. I mean,
they watched it happen as these kind of phantom hands
took control of their mouse movements.
So they took this very, very seriously.
But yeah, Ukrainians as a whole, I mean, they have seen a lot.
They are going through an actual physical war.
They've seen the seizure of Crimea and the invasion of the east of the country.
You know, the day that NotPetya hit, a Ukrainian general was assassinated with a car bomb in the middle of Kiev.
So they have a lot of problems, and I'm not sure that cyber war is the one at the top of their minds.
But NotPetya absolutely did actually reach Ukrainians, normal Ukrainian civilians too.
I mean, it shook them as well.
I talked to regular Ukrainians who found that they, you know, couldn't swipe into the Kiev Metro.
They couldn't use their credit card at the grocery store.
All the ATMs were down.
The postal service was taken out, every computer that the postal service had was taken out for more than a month.
I mean, these things really did affect people's lives.
But it kind of took until that kind of climactic worm, NotPetya, for, I think, for this to really reach home for Ukrainians who have just kind of seen so much.
So how do you fight back?
I mean, one of the things that struck me as I was reading the book is so many of the people you talked to, so many people who are identifying the threat, they're actually private companies.
You know, iSight was the first to even detect it.
They are contractors to the intelligence agencies, the military in some cases, but they're not necessarily the government, right?
Like, it's not necessarily Microsoft that has to issue the patches for the software, not necessarily GE, which makes Cimplicity, which is the big industrial control software.
You talk about a lot.
How does all that come together into a defense?
Because that seems like a harder problem of coordination.
Yeah, yeah.
I mean, defense in cybersecurity is an eternal problem.
It's incredibly complicated.
And when you have a really sophisticated and determined adversary, they will win eventually.
And I think that there are absolutely lessons for defense in this book about maybe you need to really, really think about software updates, for instance, of the kind that were hijacked with this M.E.Doc accounting software as a vector for terrible cyber attacks.
and imagine that any of your insecure apps that have these kinds of updates can become a piece of malware, essentially.
You need to segment your networks. You need to think about patching.
I mean, there are just an endless kind of checklist of things that every organization needs to do to protect themselves.
So in some ways, that's just like a Sisyphean task.
And I don't try to answer that question in the book because it's just too big.
and it's kind of boring as well. But what I do really hammer on is the thing that the governments
really could have done here, which is to try to establish norms, to try to control attackers
through diplomacy, through kind of disciplinary action, through things like a kind of Geneva
convention for cyber war. If you think about a kind of analogy to say like chemical weapons,
we could just try to give everyone in the world a gas mask that they have to carry around with
them at all times. Or we could create a Geneva Convention norm that chemical weapons should not be
used. And if they are, then it's a war crime and you get pulled in front of the Hague. And we've done the
latter, you know, and I think that that in some ways should be part of the answer to cyber war as well.
We need to establish norms and make countries like Russia or like, you know, organizations like
the GRU understand that there will be consequences for these kinds of attacks. Even
when the victim is not the U.S. or NATO or the EU. And I think we're only just starting to think about that.
One of the questions I had as I was reading it is it seems like a very clear red line for almost everyone you talk to is attacks on the power grid, right?
That is just unacceptable.
You should not do it.
If you do it, you've crossed a line and there should be some consequence.
Is that clear to governments?
Is that something that our government says?
It's something that the EU says.
Has that been established?
It seems like it's the conventional wisdom.
Everyone wants it to be established.
But I'm unclear whether that is actually the line.
It definitely has not been established. And when I kind of did these, you know, I managed to get sort
of exit interviews with the top cybersecurity officials in the Obama and Trump administration.
J. Michael Daniel was the cyber coordinator for the Obama administration. And then Tom Bossert was the
kind of cyber coordinator's boss as the Homeland Security Advisor for Trump. And both of them, when I
asked them about, like, why didn't, you know, to put it bluntly, like, why didn't you respond when
Russia caused blackouts in Ukraine. Both of them essentially said, well, you know, that's not actually
the rule that we want to set. We want to be able to cause blackouts in our adversaries' networks
and in their power grids when we are in a war situation or when we believe it's in our,
you know, national interest. So, you know, that's the thing about these cyber war capabilities.
this is part of the problem that every country and absolutely the U.S. among them isn't really
interested in controlling these weapons because we, in this kind of Lord of the Rings fashion,
we are drawn to them too.
We want to maintain the ability to use those weapons ourselves.
And nobody wants to throw this ring in the fires of Mount Doom.
We all want to maintain the ring and imagine that we can use it for good.
So that's why neither administration called out Russia for doing this.
because you want that power, too.
I hate to make the comparison to nuclear weapons, but sure, I'm going to do it.
We've negotiated drawdown treaties with Russia in the past.
We count warheads.
We're aware that the United States stockpiles can destroy the world 50 times over today and maybe tomorrow it's 100 times.
We have a sense of the measure of force that we can put on the world when it comes to nuclear weapons.
There's a sense that, oh, we should never use these, right?
We have them as a deterrent, but we've gamed out that actually what it leads to is mutually assured destruction.
Like there's an entire body of academics.
There's an entire body of research.
There's an entire body of scenario planning with that kind of weapon.
Does that same thing exist for cyber weapons?
Yeah, there are absolutely whole communities of academics and policymakers who are thinking about this stuff now.
But I don't think it's kind of gotten through to actual
government decision makers that there needs to be a kind of cyber deterrence and how that would work.
And the comparison to nuclear weapons is like instructive but not exactly helpful. In fact,
it's kind of counterproductive because we cannot deter cyber attacks with other cyber attacks.
I don't think that's going to work in part because we haven't even tried to establish it yet.
There are no kind of rules or red lines. But then I think more importantly, everybody thinks that they can get away with cyber attacks,
that they can, they're going to create a false flag that's clever enough that when they, you know,
blow up a power grid, they can blame their neighbor instead. So they think they're going to get away
with it. And that causes them to do it anyway and not fear the kind of assured destruction.
So I think that the right response, the way to deter cyber attacks is not with the promise of a
cyber attack in return. It's with all the other, you know, kind of tools we have. And they've been used
sometimes, but they were not in the case of Sandworm. And those tools include, like, sanctions,
which came, you know, far too late in this story, indictments of hackers in some cases.
We still haven't really seen Sandworm hackers indicted for the things that they did in Ukraine or
even NotPetya. And then ultimately, just kind of messaging, like calling out, naming and
shaming bad actors. And that has happened to some degree with Sandworm, but in some cases,
there have still been massive failures there, there has still been no public attribution of the
Sandworm attack on the 2018 Olympics. I mean, my book, you know, has been out for months. I think
I show pretty clear evidence that Sandworm is responsible for this attack. At the very least it was
Russia. And yet the U.S. and Korea, you know, where these Olympics took place, and the UK,
none of these governments have named Russia as having done that attack, which almost just invites
them to do it again whenever our next Olympics are going to be, I guess maybe not this year.
But if you don't send that message, then you're just essentially inviting Russia to try again.
So I think my big question is what happens now? I mean, right, you write about the NSA has
tailored access operations, which is their elite hacking group. We're obviously interested in maintaining
some of these capabilities. We've come to a place where, you know, people like you are writing books
about how it works. What is the next step? What is the next turn of the street? Does it just,
does it just keep getting worse? Or does this kind of diplomacy you're talking about, is that beginning
to happen? I think there are some little glimmers of hope about the diplomacy beginning to happen.
I mean, this year in February, I think it was, the State Department called out a sandworm attack
on Georgia, where the Sandworm hackers basically took down a ton of Georgian websites by attacking
their hosting providers, as well as a couple of TV broadcasters.
And the U.S. State Department, with a few other governments, not only said this was Sandworm,
and they named the unit of the GRU that Sandworm is.
That was a confirmation that I've been looking for for a long time.
But they also made a point of saying that we're calling this out as unacceptable, even though
Georgia, the country of Georgia is not part of NATO or the EU.
So that's progress.
That's essentially creating a new kind of rule that state-sponsored
hackers can't do certain things no matter who the victim is. And that's really important.
Also, it was kind of interesting because federal officials like gave me a heads up about that
announcement before it happened, which they very, very rarely do. And I think that they were trying
in some way to say, listen, we, we read your book and like we got the message. Okay, like stop
attacking us about this. Like, we're trying. We're doing something different here. I don't want to
flatter myself that I actually changed their policy, but it did seem interesting that they
wanted to tell me personally about this. So I think that like maybe our stance on this kind of
diplomacy is evolving and we're learning lessons. But at the same time, we also see the attacks
evolving too. And there are, you know, new innovations in these kinds of disruption happening.
We've seen since some of these terrible sandworm attacks, you know, other very scary things like
this piece of malware called Triton or Trisis that was used to disable safety systems in an
oil refinery in Saudi Arabia that could have caused an actual physical explosion of a petrochemical
facility. The attacks are evolving too. Okay. Final last real question. Tell people where they can get
your book. Yeah. You can find all kinds of places to buy it on AndyGreenberg.net. Great. And you've
written another book as well previously, yes? Yeah, that's right. I wrote a book about WikiLeaks and
cypherpunks and things like that. That's great. Well, I'm a huge fan. It was an honor to talk to you.
Thank you so much for coming on.
I know it's a weird time to be talking about anything but the coronavirus,
but I was very happy to talk about something else,
which is, it seems a little bit more in our control, even if it is quite dangerous.
So thank you for the time.
I appreciate it.
Yeah, I'm glad to provide people with a different kind of apocalypse as a distraction.
All right, my thanks to Andy Greenberg.
You can check out his book, Sandworm.
It's out everywhere.
I really recommend it.
I had a great time reading it.
We'll be back on Friday with the chat show.
I'm going to keep going.
Please tweet me at Reckless.
hearing from you, who you want me to interview, what you want to talk about. I'll talk to you soon.
