CSO Perspectives (Pro) 7.12.21
Ep 5555 | 7.12.21

Bonus: Cybersecurity Canon Hall of Fame interview with Andy Greenberg


Rick Howard: The CSO Perspectives podcast finished its fifth season a couple of weeks ago, and we are working hard on season six, which will begin next week. But don't feel sad for this week. We have a special treat for you instead.

Rick Howard: The Cybersecurity Canon Project announced the author selectees for the Hall of Fame Awards in 2021 back in May. And you all know that I'm a huge advocate for reading in general, but specifically we all need to read more good cybersecurity books. And I emphasize the "good" there because there are a lot of published, bad cybersecurity books out there.

Rick Howard: And I have been involved in the Cybersecurity Canon Project since the beginning in an attempt to find the books that all of us should have read by now. And the reason that I'm excited today is that I get to interview the author for one of the 2021 Hall of Fame awardees, Andy Greenberg, the author of "Sandworm: A New Era of Cyberwar." 

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

Rick Howard: The Cybersecurity Canon Committee selected five books for inclusion into the hall of fame this year: "Transformational Security Awareness" by Perry Carpenter, "Code Girls" by Liza Mundy, "Zero Trust" by Doug Barth and Evan Gilman, "LikeWar" by Peter Singer and Emerson Brooking, and "Sandworm" by Andy Greenberg. Andy is a senior writer at WIRED Magazine, and I started out by asking Andy what it means to be inducted into the Cybersecurity Canon Hall of Fame.

Andy Greenberg: First of all, thank you, Rick, for the review that you so kindly wrote about "Sandworm" and for recommending that it be included in the Hall of Fame, and thank you to the Cybersecurity Canon panel that chose to include "Sandworm" on your recommendation, which is truly an honor. I followed the Cybersecurity Canon and the Hall of Fame for years. And I absolutely was thinking about it when I wrote "Sandworm," like maybe someday my book's title will be on that list. And it is really an honor for that to come true. To my colleagues at WIRED who really made this possible by giving me the time to write a book, to in some cases, editing excerpts of the book that then, made their way back into the text of the book, improved by their work. And by giving me the, the resources and the platform to write the news that would turn into this book. 

Andy Greenberg: But of course, anybody who writes a book like this, is most indebted to the sources, the subjects who let me tell their stories to the, in many cases, the victims of really catastrophic cyber attacks who shared every detail of their experience. And in many cases, those were not pleasant details to tell in the case of Sandworm's cyber attacks across Ukraine and the world, and especially the ones who did it anonymously and had nothing to gain except to record, an incredible moment in history. And who allowed me to tell those historical moments. I think that is what allowed me to create this artifact of a very, unique moment that remains unprecedented, that remains unique. This NotPetya, the cyber attack carried  out by Sandworm, remains the worst cyber attack in history, and it's only, that impulse to, to capture that and to record a story that you know, needs to be told, and hopefully there are lessons from it that drove them to talk to me. And I'm, I will always be grateful for that. 

Andy Greenberg: I want to acknowledge too that the war in Ukraine continues. That Russian aggression continues. That there is an actual kinetic war happening in Eastern Ukraine. And that Russia has, as we all know from recent headlines, threatens even an escalation and amplification of that invasion of Ukraine. All of that continues today. I hope that my telling of this story of the Ukrainian cyber war, doesn't distract from that, but rather it calls attention to it. And I also am very grateful to the Cybersecurity Canon and the Cybersecurity Hall of Fame for amplifying the message of my book, which I hope draws attention to the actual suffering and loss of life happening in Ukraine today.

Rick Howard: The key take away from Andy's book is that despite all the colorful adversary names that the commercial cybersecurity industry has used to describe Russian cyber adversaries for over a decade names like Sandworm, Cozy Bear, Fancy Bear, the Shadow Brokers, Cyber Bear Coot, Unit 26165, Unit 7455, and Gucifer 2.0. Greenberg has followed the trails from all of that collective activity back to one singular organization, the Russian GRU, or main intelligence directorate.

Andy Greenberg: Sandworm is a group of Russian hackers that since late 2015 or so have carried out what I think is the first full blown cyber war. Starting in Ukraine, they attacked pretty much every part of Ukrainian society with these data destructive attacks that hit media and the private sector and government agencies and ultimately, the electric utilities causing the first ever blackouts triggered by cyber attacks.

Andy Greenberg: Sandworm hit Ukraine's power grid, not once, but twice in late 2015. And then again, the late 2016. And then, finally this Ukrainian cyber war that Sandworm was waging essentially in the middle of 2017, exploded out to the rest of the world with this cyber attack called NotPetya. A worm, a self-propagating piece of fake ransomware, that was actually just a destructive attack that spread from Ukraine to the rest of the world and took down a whole bunch of multinational companies, medical record systems and hospitals across the United States. And ultimately cost $10 billion in global damages. The worst cyber attack in history by a good measure. Andy Greenberg: So the story of "Sandworm" is a detective story about the security researchers across the private sector trying to track this group and figure out who they are and try to warn the world that this Ukrainian cyber war was soon going to spill out and hit us too. And then that is exactly what happened. And when that happens, does the book kind of switches from a detective story to a disaster story, and I track the effects of NotPetyaacross the world, as it causes this wave of devastation.

Rick Howard: I've been including "Sandworm" into a triad of recent must-read Cybersecurity Canon Hall of Fame books that not only tells the history of the relatively new development of continuous low level cyber conflict between nation states from about 2010 until present, but also attempts to explain the current thinking of some of the key cyber power players like Russia, China, United States, Iran, and North Korea. David Sanger's Hall of Fame book "Perfect Weapon" covers the history and key thinking of all the power players. Richard Clarke and Robert Knake's Hall of Fame book "Fifth Domain" covers similar material, but leans towards the policy side of the discussion. And finally, Andy Greenberg's Hall of Fame book, "Sandworm" focuses specifically on Russia.

Andy Greenberg: That's very flattering. Thank you for putting me in that company. I think that David Sanger and Robert Knaake and Richard Clarke are all, they're heavyweights. They all actually I think, live in the DC area and I consider them much more plugged into the policy world. As great as those books are, and I've read them and learned an enormous amount from them, I wasn't really trying to tell a global, universal story here. I was trying to tell one thread of the cyber war world, and the books that like I, I read and was inspired by, and really wanted to capture the same feeling were like Kim Zetter is "Countdown to Zero Day," which is, I think a masterful incredible record of such an important moment in history and similarly, like a single story, that's just such a milestone. And then also something like, Cliff Stoll's "The Cuckoo's Egg," which is firsthand, but it's one very unified detective story that starts by pulling a tiny thread and then leads to this, to massive geopolitics. That's what I wanted to do with Sandworm and I hope I did it to some, it was some fraction of the success that they did.

Rick Howard: Andy mentioned the Canon Hall of Fame book "The Cuckoo's Egg" by Dr. Stoll, a rather old book at this point published in 1986, still one of my favorites, and it's still the book I recommend over any others for people just getting started in cybersecurity.

Rick Howard: And by the way, the Russians were also behind that first public cyber espionage attack chronicled by Dr. Stoll, but not by the GRU. It was the old KGB. Andy also mentioned the most excellent Hall of Fame book "Zero Day" by Kim Zetter who chronicled the cyber attacks against the Iranian nuclear power plant at Natanz in 2010, but this was a joint American Israeli operation, not a Russian one.

Rick Howard: The book's title, Sandworm," is a reference to a famous and beloved science fiction book entitled "Dune" written by Frank Herbert back in 1965. From 2009 to 2015, the early hacker tools like BlackEnergy built by the GRU came complete with "Dune" references, words buried deep in the malicious code, like Bashar of the Sardaukars. The Sardaukar is an elite military force in the books and Bashar was their Colonel. Salusa Secundus, a prison planet. Epsilon Eridani, a trinity star system. House Atreides, a major  family house in the galactic empire where the main hero Paul was from, and Arrakis, the planet name for the main "Dune" story. Clearly the GRU coding team were fans. 

Rick Howard: iSIGHT Partners, a commercial cyber intelligence company now owned by FireEye, gave the GRU hacking team the name of sandworm. A Sandworm in the "Dune" universe is a giant worm-like monster that can consume large volumes of critical infrastructure, like mining equipment, and people, like miners, very similar to the modern attack campaigns run by the GRU. And the GRU had the perfect training lab to try out this new lever of political power, Ukraine. 

Rick Howard: There has been a lot of talk from Russia watchers this past decade about the country's overall war fighting strategy. Many point to a speech given by General Valery Gerasimov, the chief of the general staff of the Russian Federation back in 2013, in that speech, he laid out three points. 

Rick Howard: Number one: reduction of the military economic potential of the state by the destruction of critically important facilities in the military and the civilian infrastructure in a short time, just like in Ukraine. Number two: warfare simultaneously in all physical environments and the information space, just like Ukraine and number three: the use of asymmetric and indirect operations like in Ukraine, but also in America with influence operations on the culture and the hacking campaign against the Democratic National Committee in 2016. 

Andy Greenberg: That one paper by Gerasimov I think that there's been a lot of criticism of over stating the importance of that one paper, really. It was like in some, Russian military journal. But I do think that if you read that paper, setting aside all of the ways that people have tried to use the Gerasimov Doctrine to explain everything that Russia does, I think it's almost impossible not to see the connections between what this general is describing and what Sandworm has done. It's all about trying to reach beyond the fronts and the military conflict and attack the enemy in places where they feel that they would otherwise be safe and to do so in a way that has psychological effects.

Andy Greenberg: And that is what Sandworm did here. I mean, Russia has been at war in Eastern Ukraine since 2014. And this one unit of the GRU, it seems like their M.O. has been to reach into Western Ukraine on the other side of the country and cause a blackout or the capital of Kiev and attempt to cause a blackout that actually was intended to cause physical destruction to great equipment in, in Kiev. And then to release NotPetya, which was truly a kind of carpet bombing of the entire Ukrainian internet that destroyed the networks of hundreds of Ukrainian companies. This is a very Gerasimov-like pattern of trying to destabilize and undermine parts of the enemy's society that go beyond traditional warfare.

Rick Howard: It's one thing to have some General write a paper and say, this is what I'm thinking. It's quite another to see the Russians use Ukraine as their personal learning lab to slowly mature their operational art of influence operations and see it come to fruition as they expanded out to the rest of the Western world. 

Andy Greenberg: When I wrote the first cover story that I did about Sandworm for WIRED that was the kind of thesis like Russia is using Ukraine as a test laboratory for cyber war, and that we should expect that the capabilities that they display there will be used against us eventually, will be used against other targets around the world whenever it supports Russia's strategic interests.

Andy Greenberg: I didn't expect that prediction to come true immediately. It actually like the week that my cover story published is the week that NotPetya spread from Ukraine and hit American companies and Western European companies and took down all of these networks around the world. But I think even more directly, you can see that the ways the Russia experimented in Ukraine and then use those tactics when you look at the 2018 Olympics where they created another piece of malware called OlympicDestroyer that was designed to disrupt and sabotage the IT backend of the Winter Olympics in Pyeongchang Korea. 

Andy Greenberg: That was really Sandworm taking something that they had experimented with in Ukraine, a country where they could get away with whatever they wanted and using it much further, afield. We talk about like Russia's near abroad, that's their term for former Soviet nations where they exercise a lot of influence, or want to at least. But this was in Korea and it was a global event and they still were willing to use these same tools to cause mayhem. 

Rick Howard: The GRU didn't adjust their kill chain attack sequence that much from 2014 until their attacks on the South Korea Winter Olympics in 2018. For delivery, they used phishing email sent to target victims with attached handcrafted and malicious Microsoft documents designed to entice, and they deposited the BlackEnergy toolkit to the victims' machines. For command and control, the GRU used a standard command and control server network distributed in Europe and elsewhere. For lateral movement, they reconned looking for key ICS systems from manufacturers like General Electric, Siemens and Avontech / Broadwin. They used Mimi Katz as the primary credential stealer tool, but later the GRU would leverage the stolen NSA exploit kits of ExternalBlue and EternalRomance. For destruction, the GRU used to Kill Disc tool to destroy the boot sector of victims' machines.

Rick Howard: And speaking of EternalBlue and EternalRomance, between August 2016 and April of 2017, the GRU Shadow Brokers began dumping large traunches, four in total, of classified NSA documents and hacker toolkits to the public sphere. They got some of that classified information from compromising home computers of NSA workers who broke the NSA rules and brought classified work home with them. But in the last dump in April 2017, the GRU released EternalBlue and then launched major attack campaigns against the U.S. election infrastructure, including the Democratic National Committee, the World Anti-Doping Agency, and they doubled down on Ukraine with NotPetya. The GRU's campaign innovation for NotPetya centered on how they delivered their malicious code. Instead of the traditional fishing lures, they infiltrated a common European supply chain mechanism called M.E.Doc made by Linkos. M.E.Doc is the European equivalent of TurboTax or Quicken in the States. If you own a European business, there's a good chance that you use M.E.Doc. The GRU NotPetya hackers penetrated the Linkos software updates system and used it to deliver the malicious package to its victims.

Rick Howard: The impact was that they compromised some 300 companies within seconds of delivery. And one Ukrainian ISP estimated that at least 30 of those companies were totally burned to the ground. And big companies were brought to their knees like Merck, about $870 million in recovery costs, FedEx TNT about $400 million, St. Gabane about $384 million and Maersk about $300 million. The White House low ball estimate of total damage was just over $10 billion. That's billion with a "B."

Rick Howard: Through all of that, no other governments, the United States included, officially called the Russians out on this bad behavior. Now I know that it's easy for armchair warriors like me to take pot shots at government policy, but is there any reason that the entire Western world should be silent about this? 

Andy Greenberg: I think you're right. I am an armchair cyber warrior at best. And you know what, I know that this stuff is hard. And as I was saying, like the criminal indictment is a remarkable document and I'm amazed at the amount of work that clearly went into it. But I do think that like we have to hold our public officials accountable, and we have to hold them accountable to holding Russia accountable.

Andy Greenberg: It doesn't seem that hard to me to put together the forensic evidence that I could see that these attacks were carried out by Russia and make a public statement about that. In the book, I do these kinds of exit interviews with the most senior cybersecurity officials in the Obama and then the Trump administration, J. Michael Daniel, and then Tom Bossert, and they both are smart guys and they have reasons for their decisions. But J. Michael Daniel, was talking about weighing all of these difference equities as I think the Obama administration often thought about things. But he didn't really tell me what all of those different interests were, and both Daniel and Bossert, one of the things that they both said was that we didn't call out those blackout attacks because we in the U.S. want to be able to carry out those attacks ourselves. When we feel like it's justified, we want to leave that tool on the table, it's not like it was negligence or laziness or something that resulted in that silence entirely.

Andy Greenberg: It seems like it was a decision. And it's one that I have to say I disagree with because I don't think it's wise to decide not to constrain Russia's use of these cyber attacks, because we want to be able to do the same. When Russia is doing these cyber attacks in a way that's 10 times, a hundred times as reckless as what Cyber Command does for instance. 

Andy Greenberg: We in the United States, our hackers certainly have the same capabilities, but we restrain them out of, I don't know, like both legal concerns and ethical ones, and it doesn't seem like Russia is doing the same. So we would gain a lot more by creating a kind of Geneva Convention for cyber war that we try to hold everybody to then, we would lose. But I think that for both of these administrations and for governments around the world, like the attraction of this power, um, the ability to like reach out and have effects in an enemy's country is just too great. I often use this Lord of the Rings analogy, this ring is so powerful that everybody wants it for themselves and nobody wants to do the hard work of, carrying it to Mount Doom and destroying it. 

Andy Greenberg: The OlympicDestroyer attack on the Winter Olympics hit actually just six days before the White House called out NotPetya as a Russian military attack for the first time. So I think that you can see how failing to call out Russia, how failing to hold nations, this nation accountable for those kinds of reckless attacks, just invites them to keep going. And then even after that statement about NotPetya and the sanctions for it that followed which I think we have to give the U.S. Government some credit for, there was no statements at all. There was nothing said about OlympicDestroyer, about the sabotage of the Olympics for fully two years. Every government around the world was absolutely silent about it, which is truly kind of crazy making. I still don't understand why that took so long to call out.

Andy Greenberg: And as a result, we just learned according to U.S. and UK Intelligence that Russian hackers were planning a repeat attack on the 2020 Tokyo Olympics that was only avoided perhaps because the Olympics were delayed because of COVID-19. That is what happens when you don't try to create accountability or do deterrence, or even just like name the adversary or call them out. It's like they can continue with impunity. Nobody should be using cyber attacks to turn off the lights to civilians, and yet nobody said anything. 

Andy Greenberg: Ukrainian officials were pointing the finger at Russia, but no Western government even put out a statement about it. And that took two and a half years for the U.S. and UK, the Five Eyes, to take notice of Sandworm and by then it was already too late. Then this Ukrainian cyber war had, spread around the world and beaten us too.

Andy Greenberg: With all of that said, Greenberg's "Sandworm" is the perfect book to induct into the Cybersecurity Canon Hall of Fame. It's a comprehensive history and explanation of Russian cyber operations run by the GRU for the past decade and demonstrates an ever escalating cyber operational impact from turning out the lights in Ukraine for a couple of hours, to causing $10 billion worth of damage with NotPetya, to weakening the cultural and belief systems of the United States. 

Rick Howard: The book is called "Sandworm: A New Era of Cyber War" by Andy Greenberg. And he is the newest addition to the Cybersecurity Canon Hall of Fame. And if you are interested in the collection of Cybersecurity Canon Hall of Fame books, plus all the candidate books, and even the best novels with the cybersecurity theme, check out the Cybersecurity Canon website, sponsored by Ohio State University at ICDT dot OSU dot EDU slash cybercanon, all one word and with one "n" for canon of literature, not two "n's" for machines that blow things up, and if all that's too hard, go to your preferred search engine and type Cybersecurity Canon and Ohio State University, and congratulations to Andy for his induction into the Cybersecurity Canon Hall of Fame.

Rick Howard: That's a wrap. And that also concludes our interview is with all of the Cybersecurity Canon Hall of Fame author selectees for this year. I hope you all enjoyed that little interlude as we prepared for the next season. And speaking of that, the next season of the CSO Perspectives podcast begins next week. You don't want to miss that.

Rick Howard: The CyberWire's CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.