Before the 2016 US presidential election, most Americans had very little sense of Russia’s hacking capabilities and the extent to which its operatives were causing havoc. But the country’s hackers had been quite active and well known in some communities well before, staging a series of increasingly brazen and destructive attacks against regional rivals, including Estonia, Georgia, and Ukraine. Even after 2016, most Americans are probably not aware of the extent to which such Russian operations remain a threat. A devastating cyber attack launched on Ukraine in 2017 ended up infecting business networks around the world and costing billions in damages, crippling hospitals—including in the US.
In his just-released book “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” Andy Greenberg of Wired walks readers through the discovery of Sandworm, the name given to the small group of Russian military hackers thought to be behind the high-profile attacks, explaining that they sometimes launched them for the pettiest of reasons. We caught up with Greenberg to talk about what makes Russian hackers distinct, his nightmare hypothetical attack, and how things are likely to get worse before they get better.
Why should people who don’t necessarily follow the tech world or cybersecurity pay attention to this book?
This is the first story of a real cyber war. I think people are familiar with this idea of cyber war as like this phenomenon where hackers could someday reach into the critical infrastructure of civilians’ lives and break the fundamental machines that we depend on. But those have always been hypothetical stories, like, ‘What if hackers could turn off the power? What if hackers could destroy hundreds of thousands of computers? Could they take down hospitals? Could they take down industrial control systems and manufacturing supply chains?’ This is the first story about what that actually looks like. It did happen and it has not gotten the attention that I think it deserves for something that’s such a real threat to the way that we live.
This is a story about threats to the technology that underpins our lives. But also, it’s a it’s a story about real victims of attacks that have already taken place. I feel like those victims deserve to have their stories told and the perpetrators deserve to be brought into the light.
Certain points in this book remind me of what it was like in Puerto Rico after Hurricane Maria, where the majority of civil infrastructure was down.
I would not argue that anything that Sandworm inflicted is as serious as what happened in Puerto Rico. We have not yet seen a cyber attack that has been confirmed to have taken a human life, not to mention thousands. But I mentioned Puerto Rico in the introduction of the book. We could see Puerto Rico-like situations that are actually purposefully caused by digital attackers. Imagine if combined with [the devastation and a downed power grid] there was also a malicious adversary working against your recovery. This is what it could look like in the future.
I tell the story near the end of the book of this “Black Start” exercise by DARPA. That was about trying to recover the power grid when you still have hackers infiltrating it. I found it very disturbing to hear the stories from those engineers of the days and days that they worked to bring this little, very simple test grid back online as unseen hands just pulled it down again and again.
It is not a hypothetical book, but there are still hypotheticals that you can chart out from what has already happened. And this case of a cyber-physical attack that is persistent and incurable, like a malevolent force, just sticks around and keeps tearing everything down again. That’s the nightmare that I think still remains a scary future hypothetical.
What do you think makes the Russian approach to hacking distinct from the Chinese approach or the Iranian approach or the Israeli approach to the American approach?
The US does very aggressive disruption operations by Cyber Command, but very rarely and with a lot of targeting. For the most part, what the US does is just vast espionage—very stealthy and kind of traditional. The Chinese similarly seem to be largely focused on espionage, which has included very traditional and sometimes nonetheless devastating spying on American government agencies, but also less traditional spying on commercial entities in the US and stealing IP, which is sort of outside of the rules. I should mention that they spy on their citizens, their own people, including the Uighurs and Tibetans, in terribly oppressive ways. But for the most part, that’s just spying. What distinguishes Russia among these great powers of hacking is that they are at that same level of sophistication and they’re willing to just be insanely reckless and aggressive.
I’m sure that the NSA and Cyber Command have built incredibly innovative ways to disrupt and destroy digital systems. They have been incredibly restrained and only attacked rare targets and usually ones associated with foreign militaries.
But Russia seems to carry out these kind of scorched earth cyber war actions that effect turning off the power to hundreds of thousands of civilians, or releasing a piece of malware like NotPetya that kind of carpet bombs a country and then spreads to a dozen major multinationals and it inflicts hundreds of millions of dollars in damages to each one of them, and even to Russian victims just as collateral damage. They seem to err on the side of just doing it whenever they think of some new malicious invention.
I don’t consider spying or even hacking and leaking operations as an “attack.” But Russia does attack and Sandworm, in particular, has carried out one unprecedented attack after another. And that’s what distinguishes them.
The bulk of this takes place during the Obama years, and into the Trump administration. How has the US government responded to Sandworm attacks?
Part of the story of the book is how both administrations failed, I believe, to appropriately respond and deter and restrain this group as its attacks escalated and escalated. The Obama administration did take a hard line against a lot of state sponsored hackers. It called out the Iranians who attacked US banks. It called out the North Koreans who attacked Sony and the Russians who attacked the US election, ultimately.
But it seemed to be reluctant to say anything about what was happening in Ukraine. Despite the fact that the Obama administration called out Russia for its physical invasion of Ukraine, once it had sanctioned Russia for that physical invasion it seemed to treat everything else that happens digitally in the country as a freebie, and never said anything about even the first ever blackouts that the hackers carried out.
Many of the researchers that follow this were hoping that the US government would after the first blackout in 2015, for instance, put out a statement or give some kind of speech that said, “Hey, even though Ukraine is not a NATO state, and even though there’s a physical war happening here, it’s just not okay to turn off the power to civilians. This has happened for the first time, and we don’t like it and cut it out.” Which is pretty much exactly the kind of language that Michael Daniel, the cyber coordinator for Obama, said that he’d sent to Russia about the election meddling. But they were never sent that message about blackout attacks. That was, I think, the Obama administration’s failure.
But the second blackout attack, although it occurred in last days of the Obama administration, it was really up to the Trump administration to respond to that. And they didn’t say anything, despite even more evidence that this was Russia carrying out a sustained campaign of critical infrastructure attacks against Ukraine.
Both administrations just allow this to unfold and allow Russia to attack Ukraine with impunity. We wrote a cover story about how what was happening to Ukraine would, sooner or later, spill out to the rest of the world. And then that happens.
The day that our story hit newsstands is when NotPetya hits, this malware released by Sandstorm that was intended to hit Ukraine. But it instantly spread to the rest of the world and costs $10 billion dollars of damage and took out American hospitals and cost Merck [hundreds of millions]. We waited until this series of attacks hit us to say anything, and even then it took eight months for the Trump administration to actually get out a statement even saying that Russia did this and that is not okay.
What does your reporting tell you about where we’re heading and what’s to come in the next few years?
Every trendline, for the most part, seems like it’s going in the wrong direction. We’ve seen one unprecedented thing after another, largely carried out by Russia and even more specifically by this one group of GRU [military intelligence] hackers. We’ve seen the first blackout and then the second more advanced one, we saw the kind of most concerted efforts at election interference. We have seen the worst disruptive cyber attack in history hit the entire global internet. And in 2018 we saw in some ways the most deceptive cyber attack hit the 2018 Winter Olympics, which was also tied back to the GRU. So it seems like this evolution of attacks is not stopping and that and you can see that just in the behavior of the GRU alone. So none of that looks good.
One more point is that we see an evolution of the GRU’s adventurism globally. The things that they once confined to Ukraine, like these targeted disruptive attacks, they used against the opening ceremony of the Olympics, which was a truly global event attended by all these heads of states. So it’s not like it this is all just collateral damage from their attempts to attack their direct neighbors. The GRU seems willing to use its disruptive acts of, in some ways, digital terrorism, against anyone in the world when they have some petty reason.
I don’t know what the GRU has been up to for the last year, but these things come to light long after the groundwork for them has been laid, and often we only understand the severity of these things, months or even years later. I would not want to make the prediction that we’ve seen the worst of it.