Special Editions 11.11.19
Ep 31 | 11.11.19

"Sandworm" author Andy Greenberg


Dave Bittner: [00:00:04] Hello, everyone. I'm Dave Bittner. In this CyberWire special edition - my conversation with Andy Greenberg, senior writer at WIRED and author of the new book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. It's a thrilling investigation of the Olympic Destroyer malware and an accounting of the new era in which we find ourselves, where nation states can target their adversaries' critical infrastructure and the unintended consequences that can follow.

Dave Bittner: [00:00:34]  But first, a word from our sponsors - McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required. The months, maybe even years of research, the sheer human effort of it all, the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off. And it's perfect - your company's work - as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight so you can move beyond optimizing security products to optimizing your security posture and not just react to threats but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee - the device-to-cloud cybersecurity company. To learn more go to mcafee.com/insights. That's mcafee.com/insights. And we thank McAfee for sponsoring our show. 

Andy Greenberg: [00:01:51]  The story of Sandworm begins really in the fall of 2014, when iSight Partners, this little security company that would later be acquired by FireEye, spotted first a zero-day that was being used in the wild by some hackers. And their Ukrainian office sent it to them. And they quickly tied the zero-day to a lure document that was part of a campaign that - as they sort of sketched the full campaign, they could see it was targeting Eastern Europe and NATO. It appeared at first to be this kind of pretty wide-reaching espionage campaign. As they looked closer, they saw that the victims were each cataloged with these campaign codes in the malware. And each campaign code was a reference to the sci-fi novel "Dune." So they came up with the name Sandworm for this group because sandworms are these immense monsters in the "Dune" books. But when they released their initial report on Sandworm, it was actually Trend Micro that looked further and found that there was more than just espionage going on here. There seemed to be reconnaissance for attacks on industrial control systems. That report was followed by another from US-CERT that found that, in fact, Sandworm had successfully breached American utilities and planted its BlackEnergy malware. So this was no kind of traditional espionage. It was, in fact, preparation for disruptive attacks on industrial control systems. And that was, essentially, a kind of foreshadowing of what we would see the next year beginning to unfold in Ukraine and then eventually spreading to the rest of the world. 

Dave Bittner: [00:03:23]  And so in terms of the state of things in the global community of industrial control systems and people's perceptions about their vulnerability, where did we stand at that time? 

Andy Greenberg: [00:03:36]  So we had seen some intrusions on the electric grids publicly reported; some attributed to China, some to Russia. We had never seen a confirmed actual blackout caused by hackers. The best example we had, in fact, of hackers messing with physical systems was Stuxnet, which had occurred years earlier and had not really been replicated. It was a very, very targeted U.S. and Israeli engineered attack on the centrifuges in Iranian facilities. It was a kind of targeted military strike on physical equipment. And we wouldn't see that again until Sandworm in late 2015 turned out the lights in Ukraine for a quarter million civilians, which was really the first time that kind of cyber-physical attack had been applied at that scale, that kind of indiscriminate scale that doesn't differentiate between military and civilian targets. 

Dave Bittner: [00:04:30]  Let's walk through together the steps leading up to the actual blackout, to the turning out of the lights. What were they up to? And to what degree were outsiders aware of their actions? 

Andy Greenberg: [00:04:44]  So in early 2014, Ukraine had a pro-Western revolution. And Russia had responded almost immediately by invading the country physically in Crimea, in the south and in Donbass, this eastern region. But that physical invasion was accompanied by wave after wave of digital attacks as well. And they started in the fall of 2015, these data-destructive attacks that used BlackEnergy, that Trojan, and then also a wiper tool called KillDisk. And they hit media. They hit transportation. Ultimately, they planted this BlackEnergy Trojan in electric utilities as well - in fact, four of them across the country. 

Andy Greenberg: [00:05:23]  At first, these were mysterious attacks. But as they kind of grew in number, it became clear that Russia was carrying out some sort of cyberwar in Ukraine. The full aggressive intentions of Sandworm only really came to light in December of 2015, just before Christmas, when they carried out this kind of relentless campaign of blackouts across the country that were kind of just brutal in their mechanics. Not only did they steal the credentials necessary to access the industrial control systems of these utilities, open the circuit breakers, using, in some cases, a phantom mouse attack that hijacked the actual mouse movements of the engineers - you know, they rewrote the serial-to-Ethernet converters' firmware so that the operators were locked out - couldn't turn the power back on. They messed with the backup power supplies in the control rooms of these facilities so that they themselves were thrown into a blackout in the midst of this blackout. They used KillDisk to wipe all the computers. And they even bombarded the facilities with fake phone calls. It was just a kind of layer after layer of chaos seemingly trying to impress some audience or experiment with new techniques, even. When I read about that, I was immediately interested in delving into this ongoing cyberwar myself. And then, of course, it happened again a year later; the culmination of another wave of attacks that, again, hit, you know, every part of the Ukrainian economy and government, that culminated in another blackout, this time in the capital of Kyiv. 

Dave Bittner: [00:06:51]  There is a particularly chilling section of the book where you describe these engineers at the power plant watching their terminals, the mouse movements happening from some remote location, throwing switches throughout the plant - so some of the control systems - and feeling powerless to do anything about it. 

Andy Greenberg: [00:07:13]  It's almost like a Hollywood idea of what hacking looks like. The hackers took over their Citrix IT Remote Desktop tool and logged into their computers - this was only in some of the facilities - but used that tool to perform this kind of phantom mouse attack so that the engineers watched. And I have a video of this that one of them recorded with his iPhone. As no one is touching the mouse or the computer, the cursor moves across the screen, opening circuit breakers, each one of which turns off the power to a large swath of the country. It's kind of an industrial control system engineer's nightmare. 

Dave Bittner: [00:07:48]  To what degree have people concluded that these attacks were sort of demonstrations of showing what the Russians' capabilities were? 

Andy Greenberg: [00:07:58]  Well, that was the conclusion that I began to hear as I talked to Ukrainians and to, you know, analysts around the world who were observing what was unfolding in Ukraine. That - this seemed to be, among other things - because I think it was, in part, almost like terrorism designed to send a message to the Ukrainian populace to show them, you know, your government cannot keep you safe, to make Ukraine look like a failed state. But I think that there was this third motive in that series of escalating attacks, which was to see what Russia could do, to develop their capabilities. They had basically already paid the price for their invasion of Ukraine. They had been sanctioned for their physical invasion, so everything else was kind of a freebie. They could do whatever they liked in Ukraine and attack Ukraine with whatever cyber means they wanted to try out because there was no further price to be paid. 

Andy Greenberg: [00:08:49]  And in every one of these attacks, no matter how successful it was, there was nothing to be lost. And they could gain a little bit more terror instilled in the Ukrainian populace and confirmation of a capability. You know, you could see this happening. In 2015, the blackouts were manually performed. They used, in some cases, that phantom mouse attack I'd described. But then in late 2016, it was an automated attack and, you know, ESET and Dragos would analyze this piece of malware that was used in that second attack, called Industroyer or Crash Override, that was the first-ever blackout malware, essentially, that was designed to send commands directly to circuit breakers. And in this case, it kind of sent rapid-fire circuit breaker opening commands to a transmission station owned by Ukrenergo, the national utility of Ukraine, and caused a blackout for a significant fraction of the capital. But the significance of that, of course, was that this was the first piece of malware since Stuxnet that was designed to automatically interact with physical equipment like that. 

Andy Greenberg: [00:09:52]  That kind of experimentation was sort of mysterious at the time because it was a sophisticated-looking piece of malware and, you know, really unique and custom made. And yet it only caused a one-hour blackout. And there was this question of, why had the Russians done this just for a one-hour blackout in part of the capital? And Dragos and particularly Joe Slowik, an analyst there, has only, in recent months, come up with an answer for that, which was that, actually, there was this mysterious part of that attack that attacked protective relays, these safety systems that can monitor for overload of current on electrical grid equipment. It turns out that it looks like these hackers had actually intended to first turn off the power with this automated malware and then attack those protective relays, putting them to sleep, so that when the operators turned the power back on they might, in that action, destroy their own physical equipment in this truly insidious plan. 

Andy Greenberg: [00:10:47]  And that could have led to, you know, actual burned lines, harmed staff, could have destroyed transformers. And the result could easily have been a blackout that lasted weeks rather than hours. And the only reason that didn't work was because of a kind of configuration error in their protective relay exploit, so that part of it failed. You know, when you look at these things, it's like Russia has no tactical reason to want to turn off the power. It's not like that was part of their military plan to turn off power in Kyiv and then invade or something. This was a kind of influence operation, it seems; like a terrorist attack designed to scare people, to show Ukraine its capabilities and to show, I think, for these hackers to show their superiors what they were capable of - probably to show the West as well and, you know, signal in some sense that we have this deterring capability. If you launch cyberattacks on us or attack our grid or prevent us from doing what we want to do, then we have this weapon in our arsenal. 

Dave Bittner: [00:11:46]  Yeah. You mentioned that Russia was already under sanctions for their invasion of Crimea. I mean, what was the global response to this? How did the rest of the world react? 

Andy Greenberg: [00:11:57]  That's part of the story of the book, that the world did not really react to this series of attacks that just got more and more aggressive and indiscriminate. The West, including the U.S., really just watched these attacks unfold in Ukraine and treated it as somebody else's problem. You know, this is Russia's sphere of influence. We've sanctioned them for their illegal war. We don't need to say anything. That, you know, seemed to be the attitude about these unprecedented attacks. I mean, you would think that the first time in history that hackers actually turn off the power to civilians, the U.S. government would want to say something about that, like, hey, that's a red line that maybe you shouldn't cross, or, you know, this is a reckless act of indiscriminate aggression against civilians and will not be tolerated no matter who the victim is. You know, Ukraine is not a part of NATO. But nonetheless, it seemed to me that this was the sort of red line that we want to establish in cyberwar. And yet nobody said anything, not after the first blackout, nor after the second. It seemed to me that this was what allowed these hackers - Sandworm - to escalate with impunity until they released what became the worst cyberattack in history. 

Dave Bittner: [00:13:12]  Yeah. You know, it's interesting that you mentioned Dragos. And one of the characters throughout your book is Rob Lee, who I've spoken to many times on the CyberWire - and sort of a running theme through the book, that Rob shares his frustration with our response or, I suppose you could say, our lack of it. 

Andy Greenberg: [00:13:36]  Yeah. Rob was one of the kind of Cassandras - not quite a whistleblower but some sort of, like - one of the researchers who spotted what was going on early and tried to sound the alarm. I think that John Hultquist at FireEye is another. And then the Ukrainians, of course, were trying to tell the world too that something dangerous was happening here. And I think - you know, they did even say to me that what happened in Ukraine seems to be bound to spill out to the rest of the world, that what Russia was doing to them in Ukraine, it would sooner or later do to the West as well. And there was a kind of precedent for that because Russia had hacked the Ukrainian election, tried to spoof the results actually and just barely kind of failed - the Ukrainian Central Election Commission caught the fake results just in time before they were posted on their website. And then Russia meddled in the U.S. presidential election. At this point, we were seeing Russia mess with Ukraine's power grid, and the kind of logical conclusion was that maybe they would try that against targets further abroad as well, just as they had kind of tested out election-hacking in Ukraine. I initially wrote a story for Wired that kind of made that prediction. It came true far more quickly than I expected in the form of NotPetya. We published this story, the cover story, in Wired that essentially said that what happened to Ukraine should not be ignored because it would eventually spill out to the rest of the world. And the day that it hit newsstands was the day that NotPetya hit, a Russian attack on Ukraine that, within hours, spilled out to the rest of the world and became the worst, most expensive, devastating cyberattack ever. 

Dave Bittner: [00:15:14]  Well, let's dig into NotPetya. You know, you mentioned earlier that this notion that people were saying that these attacks would spill out into the rest of the world - and that is what happened with NotPetya. 

Andy Greenberg: [00:15:24]  NotPetya was, of course, this worm that looked like ransomware but wasn't. It was just a destructive wiper that seemed to be targeted at Ukraine but was entirely reckless in its scope. It spread initially via this Ukrainian accounting software. But that accounting software, M.E.Doc, was used by really anybody who filed taxes or did business or had partnerships in Ukraine. As I'm sure everybody who listens to the show knows, it first hit Ukraine. It really carpet-bombed the networks there. But it immediately spread beyond Ukraine and hit a long list of multinational companies like Merck and Maersk and FedEx and Mondelez. And, you know, these are massive multinationals. And in each case, it did hundreds of millions of dollars in damage, kinds of numbers that we had never seen anywhere before, totaling $10 billion in total damages according to a White House assessment, which is more than we'd seen even in WannaCry the month before. 

Dave Bittner: [00:16:24]  And again, the global reaction in terms of additional sanctions or punishment or any sorts of actions against Russia were what? 

Andy Greenberg: [00:16:34]  Well, initially, nothing. And that was so vexing to not just me, but I had been speaking to people like John Hultquist and Rob Lee who had been warning about this group, and the Ukrainians. Now I felt like I was part of this weird club of Cassandras who were saying, watch out. This group is dangerous, and its attacks are escalating and will hit us sooner or later. But then they did hit us in the West. I mean, Merck eventually lost $870 million to NotPetya. And they're in New Jersey. This is an American company. And yet, in the wake of NotPetya, it took eight months for anyone to call out Russia as the aggressor. And that includes, like, all of these companies who were simply totally unwilling to name Russia as the source of this attack that had devastated their balance sheets. I thought I was going crazy. I'd followed this group for a year at that point. I could understand, in this kind of cruel logic, why the West would ignore these attacks on Ukraine. You can make this kind of realist's argument that that's Ukraine's problem. It's not our problem. But once NotPetya spilled out and hit all of these Western targets as well, that of course was our problem, and yet nobody was saying anything. The U.S. government didn't say anything until February of 2018, eight months later. None of the companies said anything. I just couldn't understand this silence around what was starting to become clear was the biggest cyberattack in history. 

Dave Bittner: [00:17:59]  So what are your conclusions there? I mean, why the - was the silence coordinated? I mean, obviously, our - President Trump has a peculiar affection for Russian leaders. Was it at all related to that? 

Andy Greenberg: [00:18:12]  I never really got to the bottom of why it took so long to attribute NotPetya because, after all, ESET, the Slovakian cybersecurity firm, found forensic connections between NotPetya and the BlackEnergy attacks - which they call TeleBots, but, you know, everybody else calls Sandworm - within days of NotPetya. They could kind of show this sort of interlinked series of components used in those early attacks that evolved into NotPetya. It was very clear that this was Russia to me from the beginning. And of course, like, who else is going to be targeting Ukraine? I mean, it's confusing because NotPetya spilled out to Russia too. And that, I think, speaks to the fact that the damage done to the West was probably collateral damage, like the damage done to Russia. But it was totally avoidable collateral damage. It could - it would have been easy for NotPetya's creators to filter its infections using the actual tax ID numbers that were available in the M.E.Doc software that they hijacked. They could have made sure that the attack only hit Ukraine, and they didn't. But yeah, I don't know why the U.S. government was so slow to do this. I think maybe the attribution took a long time. 

Andy Greenberg: [00:19:25]  It could be also a factor that nobody wanted to go into the Oval Office and talk to President Trump, of all people, about Russian hacking, that that was just a kind of uncomfortable subject and one that you were not rewarded for bringing up in an intelligence briefing. I ultimately couldn't kind of get the palace intrigue in the White House to understand why it took so long. But eventually, I did hear the story from Tom Bossert of the decision to finally call out Russia eight months later. You know, I don't want to take credit away from the White House for eventually acting and calling out Russia, imposing sanctions - in fact, coordinating this attribution that all five Five Eyes carried out together - Canada, Australia, the U.K. and New Zealand all together named NotPetya as a Russian act. It took a long time to do it. The real mistake in my eyes is that we waited until it hit us to make that call. When everyone knew that this highly dangerous group of hackers was escalating its attacks on Ukraine and doing things that should not have been acceptable in the first place, we waited for it to bite us before we took action. 

Dave Bittner: [00:20:37]  Was there any sort of disconnect in your mind between the sophistication of the attacks against the power plants in Ukraine and then, as you sort of describe, the unintended consequences of NotPetya, that perhaps there was some sloppiness there that - it got out of hand for them? 

Andy Greenberg: [00:20:57]  I think this series of attacks has always been kind of complicated in its sophistication. There have been - parts of it seemed to have taken incredible resources, like the step-by-step mechanics of that 2015 blackout - Industroyer or Crash Override that they'd use in 2016. When people initially found it, they told me it was pretty sophisticated. It certainly was unprecedented. In more recent analyses, like Dragos has done, they've argued that it actually was kind of sloppy in its coding, that parts of it were, in fact, broken. It did what it needed to do. They didn't actually succeed in, for instance, that protective relay attack that might have caused far more damage. In general, I would say this about hackers linked to the GRU military intelligence agency in Russia, which is ultimately who Sandworm would be linked with - they're a 10 out of 10 in their aggression and brazenness, maybe, like, five to seven out of 10 in their sophistication. They're not exactly on the NSA's level, for instance, in the actual perfection of their tools. And they don't seem to care about stealth at all. And they certainly don't seem to care about restraint - limiting the blast radius of their attacks. 

Dave Bittner: [00:22:07]  So where do things stand now? And to what degree did this serve as a global wake-up call to the seriousness of these sorts of attacks? Have people stood up? Where do we stand? 

Andy Greenberg: [00:22:22]  I think that the story of NotPetya has not truly been recognized still by governments or companies around the world. The victims of the attack have largely still not spoken about their experiences. I had to, you know, really bang my head against the wall to get enough sources at Maersk, the world's largest shipping firm, to anonymously, bravely tell me their personal experiences so that I could recreate what happened to Maersk. And I don't think that recreation has actually even happened in the vast majority of NotPetya's global victims. NotPetya was named as a Russian actor and was punished with sanctions. 

Andy Greenberg: [00:23:00]  But even before that announcement, Russia - in fact, the GRU - had also launched an attack on the PyeongChang Olympic Games in February of 2018. And that has still never been called out by the global community. That was another disruptive attack. The PyeongChang Olympic organizers had to frantically rebuild their entire IT network the night before the Olympics began. This attack hit at the moment of the start of the opening ceremony and could have caused, if not for this kind of, like, heroic 12-hour marathon, massive chaos at this global event attended by heads of state and foreign dignitaries. And yet, like, we have still never heard a kind of global condemnation of Russia's attack on the Olympics. That's in part, of course, because the Olympic Destroyer malware used was this very deceptive piece of code with layers of false flags in it. But it's also just a kind of strange failure of global diplomacy to recognize the seriousness of these cyberattacks, to call out Russia, to say, cut it out. I think it has been a weak response. NotPetya, you know, really pegged the meter. It was the worst thing we've ever seen. And that kind of only barely, after eight months, got a response, and yet there have been other attacks that never have. The full scope of the cyberwar that Russia has been carrying out in Ukraine, I think, still hasn't been fully recognized and reprimanded by the West. 

Dave Bittner: [00:24:30]  Yeah. It's interesting. I mean, you know, swinging back again to Rob Lee - in the book, I believe he expresses frustrations that the U.S. is not leading the way, that the U.S. is not setting standards for what's acceptable when it comes to these sorts of things around the world. 

Andy Greenberg: [00:24:48]  Yeah. I did interviews with both Tom Bossert and Michael Daniel, who was a very senior cybersecurity official in the Obama administration. And neither of them, really, was willing to say that we should - first of all, neither of them actually did, in their time in office, actually call out Russia for its blackout attacks in Ukraine, for instance. And when I asked them why not, they'd say because that was, essentially, within the rules. We, in the U.S., they say, want to maintain the ability to do this ourselves in wartime. You know, if we are in, what they believe, is a just war, we want to maintain this capability ourselves, use our Cyber Command to turn off the lights if we want. I think that's wrong. I think Rob Lee would argue that's wrong. It happens that in Ukraine, it was, to begin with, an unjust, illegal war. And that should have disallowed the use of these kinds of tools to begin with. But I would say that we should go further and say that, you know, as Brad Smith at Microsoft would say, we need a kind of Geneva Convention for the internet. And we should just never perform these kinds of indiscriminate attacks on the critical infrastructure of civilians. That doesn't seem like an unreasonable demand of ourselves and the world. 

Dave Bittner: [00:26:03]  Our thanks to Andy Greenberg for joining us. The book is Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

Dave Bittner: [00:26:13]  Our thanks to McAfee for sponsoring our program. Visit mcafee.com/insights and find out why McAfee is the device-to-cloud cybersecurity company. 

Dave Bittner: [00:26:24]  For everyone here at the CyberWire, I'm Dave Bittner. Thanks for listening.