Sandworm Page 11

  In the months since Hultquist had joined State, he and Nazario had been cultivating a mutually beneficial friendship. Hultquist, eager for access to Arbor Networks’ attack data, had initially called Nazario to offer him a ride to the airport during one of Nazario’s sales visits to D.C. Nazario was equally interested to hear Hultquist’s views on the foreign policy context for the attacks Arbor tracked. Since then, the two men had developed a routine: Hultquist would pick Nazario up at the end of his D.C. trips, and they’d drive to dinner at Jaleo, a tapas restaurant in Crystal City. There they’d talk over the latest attacks waged against targets ranging from Estonia to Ingushetia to Chechnya and then rush to the airport for Nazario’s flight home.

  After Nazario discovered the attack on Georgia’s president’s website, he and Hultquist quickly pieced together the larger picture: Tensions between Russia and Georgia were approaching a breaking point. Much like Ukraine, Georgia’s newly re-elected, pro-Western president was pushing the country toward NATO. If the country joined that alliance, it would represent NATO’s farthest expansion yet into Russia’s sphere of influence. That very idea, of course, infuriated the Kremlin.

  In response, Russia was slowly ramping up its military presence in Abkhazia and South Ossetia as part of a so-called peacekeeping force. When Georgia protested to NATO that Russia was quietly threatening its sovereignty, it was mostly dismissed, warned not to provoke a conflict with its massive, powerful neighbor. In the meantime, skirmishes and flashes of violence were breaking out in Georgia’s Russia-backed separatist regions, with bombings and intermittent firefights killing or wounding handfuls of separatists, as well as Georgian police and soldiers.

  Now it seemed to Nazario and Hultquist that the Russian government—or at least patriotic Russian hackers aligned with its goals—was using new tools to tighten the screws against Georgia, the same ones it had experimented with in its fracas with Estonia. Only this time the cyberattacks might be a prelude to an actual shooting war.

  That war arrived on August 7. A day later, a nearly simultaneous wave of distributed denial-of-service attacks hit thirty-eight websites, including the Ministry of Foreign Affairs, Georgia’s National Bank, its parliament, its supreme court, the U.S. and U.K. embassies in Tbilisi, and again, President Saakashvili’s website. As in Estonia, hackers defaced some sites to post pictures of Saakashvili alongside pictures of Hitler. And the attacks appeared to be centrally coordinated: They began within half an hour of one another and would continue unabated until shortly after noon on August 11, just as Russia was beginning to negotiate a cease-fire.

  As in Estonia, the attacks were impossible to tie directly to Moscow. They came, as all botnet attacks do, from all directions at once. But the security firm Secureworks and researchers at the nonprofit Shadowserver Foundation were able to connect the attacks with the Russian Business Network, the same cybercriminals whose botnets had contributed to the Estonian attacks, as well as more grassroots hackers organized through sites like StopGeorgia.ru.

  In some cases, the digital and physical attacks seemed uncannily coordinated. The hackers hit official sites and news outlets in the city of Gori, for instance, just before Russian planes began bombing it.

  “How did they know that they were going to drop bombs on Gori and not the capital?” asked Secureworks researcher Don Jackson. “From what I’ve seen firsthand, there was at some level actual coordination and/or direction.”

  Khatuna Mshvidobadze, who after the Georgian war went on to get a doctorate in political science and cybersecurity policy and now works as a security researcher and consultant, argues that there can be little doubt today that the Kremlin had a direct hand in the cyberattacks. “How many signs do you need?” she asks, her voice tinged with anger. “This is how the Russian government behaves. They use proxies, oligarchs, criminals to make attribution harder, to give Russia deniability. This kind of game doesn’t work anymore. We know who you are and what you’re up to.”

  For John Hultquist, there was a detail of the attacks that stayed with him, a clue that he would file away in his memory, only to have it resurface six years later as he was tracking Sandworm. Many of the hackers bombarding Georgia were using a certain piece of malware to control and direct their digital armies, one that was still in an earlier incarnation but would develop over time into a far more sophisticated tool of cyberwar: BlackEnergy.

  * * *

  ■

  Russia and Georgia agreed to a cease-fire on August 12, 2008. In the days that followed, Russia’s tanks continued to advance into Georgian territory—a final provocation before they ultimately turned around and withdrew. They never entered the capital. The shelling ceased, and the Russian fleet dismantled its Black Sea blockade.

  Russia’s gains from its brief war with Georgia, however, were tangible. It had consolidated pro-Russian separatist control of Abkhazia and South Ossetia, granting Russia a permanent foothold on roughly 20 percent of Georgia’s territory. Just as in Ukraine in 2014, Russia hadn’t sought to conquer or occupy its smaller neighbor, but instead to lock it into a “frozen conflict,” a permanent state of low-level war on its own soil. The dream of many Georgians, like Mshvidobadze, that their country would become part of NATO, and thus protected from Russian aggression, had been put on indefinite hold.

  And what role did Russia’s cyberattacks play in that war? Practically none, Mshvidobadze says. “No one was even thinking about cyber back then, no one knew anything about it,” she says. At the time, after all, Georgia was hardly Estonia. Only seven in a hundred Georgians even used the internet. And they had much more immediate concerns than inaccessible websites—like the mortar shells exploding around their cities and villages and the tanks lumbering toward their homes.

  But the cyberattacks contributed to a broader confusion, both internally and internationally. They disabled a key avenue for Georgians to reach the West and share their own narrative about their war with Russia. Mshvidobadze still fumes at the commonly held idea, for instance, that the Georgian shelling of Tskhinvali sparked the war and not Russia’s quietly amassing troops and matériel inside Georgian territory for weeks prior.

  But perhaps more important than the cyberattacks’ practical effects were the historical precedent they set. No country had ever before so openly combined hacker disruption tactics with traditional warfare. The Russians had sought to dominate their enemy in every domain of war: land, sea, air, and now the internet. Georgia was the first crude experiment in a new flavor of hybrid warfare that bridged the digital and the physical.

  Reflecting on both the Georgian and the Estonian conflicts today, Hultquist sees primitive prototypes for what was to come. The Russian hackers behind them were nowhere near Sandworm in their skill or resources. But they hinted at an era of unrestricted, indiscriminate digital attacks, with little regard for the line between military and civilian.

  “Hackers turning off the power? We weren’t there yet,” says Hultquist. “But whatever cyberwar would become, there’s no doubt, this is where it began.”

  14

  FLASHBACK: STUXNET

  In January 2009, just days before Barack Obama would be inaugurated, he met with President George W. Bush to discuss a subject shrouded under the highest echelon of executive secrecy. On most matters of national security, even on topics as sensitive as the command sequence to initiate nuclear missile launches, Bush had let his subordinates brief the incoming president. But on this, he felt the need to speak with Obama himself. Bush wanted his successor’s commitment to continue an unprecedented project. It was an operation the Bush-era NSA had developed for years but that was only just beginning to come to fruition: the deployment of a piece of code that would come to be known as Stuxnet, the most sophisticated cyberweapon in history.

  Stuxnet’s conception, more than two years earlier, had been the result of a desperate dilemma. When Iran’s hard-liner president Mahmoud Ahmadinejad had taken pow
er in 2005, he’d publicly flaunted his intention to develop the country’s nuclear capabilities. That included enriching uranium to a grade that could be used for nuclear power. But international watchdog groups noted that Iran had only a single nuclear power plant, and it was already supplied with enriched uranium from Russia. They suspected a far less innocent motive: Ahmadinejad wanted nuclear weapons—a desire that Israel would likely consider an existential threat and a potential match that could ignite the entire Middle East.

  Iran’s government had sought to obtain nukes since as early as the 1980s, when it was locked in a brutal war with Iraq and suspected that the Iraqi leader, Saddam Hussein, was seeking to build nuclear bombs of his own. But neither country had actually succeeded in its atomic ambitions, and in the decades that followed, Iran had made only stuttering progress toward joining the world’s nuclear superpowers.

  Within two months of Ahmadinejad’s election in the summer of 2005, however, he had thrown out an agreement Iran had made with the International Atomic Energy Agency, or IAEA, suspending the country’s nuclear evolution. The country had, for years prior to that agreement, been building two 270,000-square-foot, largely subterranean facilities, twenty-five feet beneath the desert surface in Natanz, a central Iranian city. The purpose of those vast bunkers had been to enrich uranium to a weapons-grade purity. Under Ahmadinejad, Natanz was pitched back into high gear.

  In 2005, U.S. intelligence agencies had estimated it would take six to ten years for Iran to develop a nuclear bomb. Israeli intelligence had put their estimate closer to five. But after Iran restarted its nuclear enrichment program at Natanz, Israeli intelligence shrank that estimate to as little as two years. Privately, the Israelis told U.S. officials a bomb might be ready in six months. A crisis was looming.

  As that deadline grew ever closer, Bush’s national security team had laid out two options, neither remotely appealing. Either the United States could allow Iran’s unpredictable and highly aggressive government to obtain a devastating weapon, or it could launch a missile strike on Natanz—an act of war. In fact, war seemed inevitable on either horn of the dilemma. If Iran ventured too close to the cusp of fulfilling its nuclear ambitions, Israel’s hard-line government was poised to launch its own strike against the country. “I need a third option,” Bush had repeatedly told his advisers.

  That option would be Stuxnet. It was a tantalizing notion: a piece of code designed to kneecap Iran’s nuclear program as effectively as an act of physical sabotage, carried out deep in the heart of Natanz, and without the risks or collateral damage of a full-blown military attack. Together with the NSA’s elite offensive hacking team, then known as Tailored Access Operations, or TAO, and the Israeli cybersecurity team known as Unit 8200, the Pentagon’s Strategic Command began developing a piece of malware unlike any before. It would be capable of not simply disrupting critical equipment in Natanz but destroying it.

  By 2007, a collection of Department of Energy national labs had obtained the same P1 centrifuges the Iranians were using, gleaming cylinders as thick as a telephone pole and nearly six and a half feet tall. For months, the labs would quietly test the physical properties of those machines, experimenting with how they might be destroyed purely via digital commands. (Some of those tests occurred at Idaho National Laboratory, during roughly the same period the lab’s researchers were working on the Aurora hacking demonstration that showed they could destroy a massive diesel generator with a few lines of code. Mike Assante, who masterminded the Aurora work, declined to answer any questions about Stuxnet.)

  Not long after the tests began, Bush’s intelligence advisers laid out for him on a table the metal detritus of a centrifuge destroyed by code alone. The president was impressed. He green-lighted a plan to deploy that brilliant, malicious piece of software, an operation code-named Olympic Games. It would prove to be a tool of cyberwar so sophisticated that it made the cyberattacks in Estonia and Georgia look like medieval catapults by comparison.

  Olympic Games was still in its early stages when the Bush presidency came to a close in early 2009. Stuxnet had only just begun to demonstrate its potential to infiltrate and degrade Iran’s enrichment processes. So Bush held an urgent transition meeting with Obama, where the outgoing president explained firsthand to his successor the geopolitical importance and delicacy of their cyberwarfare mission, the likes of which had never before been attempted.

  Obama was listening. He wouldn’t simply choose to continue the Stuxnet operation. He would vastly expand it.

  * * *

  ■

  Fortunately for the continued existence of the human race, enriching uranium to the purity necessary to power the world’s most destructive weapon is an absurdly intricate process. Uranium ore, when it’s dug out of the earth, is mostly made up of an isotope called uranium-238. It contains less than 1 percent uranium-235, the slightly lighter form of the silvery metal that can be used for nuclear fission, unleashing the energy necessary to power or destroy entire cities. Nuclear power requires uranium that’s about 3 to 5 percent uranium-235, but nuclear weapons require a core of uranium that’s as much as 95 percent composed of that rarer isotope.

  This is where centrifuges come in. To enrich uranium into bomb-worthy material, it has to be turned into a gas and pumped into a centrifuge’s long, aluminum cylinder. A chamber inside the length of that cylinder is spun by a motor at one end, revolving at tens of thousands of rotations per minute, such that the outer edge of the chamber is moving beyond the speed of sound. The centrifugal force pushing from the center toward the walls of that spinning chamber reaches as much as a million times the force of gravity, separating out the heavier uranium-238 so that the uranium-235 can be siphoned off. To reach weapons-grade concentrations, the process has to be repeated again and again through a “cascade” of centrifuges. That’s why a nuclear enrichment facility such as the one hidden deep beneath Natanz requires a vast forest of thousands of those tall, fragile, and highly engineered whirling machines.

  Stuxnet was designed to be the perfect, invisible wrench thrown into those works.

  Sometime in 2008, Natanz’s engineers began to face a mysterious problem: At seemingly random times, one of their centrifuges would begin to spin out of control, its internal chamber moving faster than even its carefully crafted bearings were designed to handle. In other cases, pressure inside the chamber would increase until it was pushed out of its orbit. The spinning cylinder would then crash into its housing at supersonic speed, tearing the machine apart from the inside—just as Idaho National Laboratory’s diesel generator had eviscerated itself in the Aurora test a year earlier.

  Natanz’s operators could see no sign or warning in their digital monitoring of the centrifuges to explain the machines’ sudden suicides. Yet they kept happening. Eventually, the plant’s administrators would assign staff to sit and physically watch the centrifuges for any indication that might explain the mystery. They resorted to decommissioning entire cascades of 164 centrifuges in an attempt to isolate the problem. Nothing worked.

  “The intent was that the failures should make them feel they were stupid, which is what happened,” one of the participants in the secret Olympic Games operation would later tell the New York Times reporter David Sanger. U.S. and Israeli intelligence saw signs of internal disputes among Iran’s scientists as they sought to place the blame for the repeated disasters. Some were fired.

  As time wore on—and as the Obama administration began to shepherd the operation—Natanz’s centrifuge problems only grew more acute. In late 2009 and early 2010, officials at the International Atomic Energy Agency who were tensely monitoring Iran’s nuclear progress saw evidence that the Iranians were carting decommissioned centrifuges out of their enrichment facility at a pace well beyond the usual failure rate. Out of the 8,700 centrifuges in Natanz at the time, as many as 2,000 were damaged, according to one IAEA official.

  Olympic Games, in other
words, was working. American and Israeli hackers had planted their digital sabotage code into the exact heart of the mechanical process that had brought the Middle East to the brink of war, and they were disrupting it with uncanny precision. Stuxnet had allowed them to pull off that coup without even tipping off their targets that they were under attack. Everything was going according to plan—until the summer of 2010, when the hackers behind Stuxnet would lose control of their creation, exposing it to the world.

  * * *

  ■

  The discovery of Stuxnet began the same way as the discovery of Sandworm would years later: a zero day.

  In June 2010, VirusBlokAda, an obscure antivirus firm based in Minsk, Belarus, found that a computer of one of its customers in Iran had been stuck in a loop of repeated crashes and restarts. The company’s researchers investigated the source of those crashes and found something far more sophisticated than they had imagined. An ultra-stealthy form of malware known as a “rootkit” had buried itself deep within the computer’s operating system. And as they analyzed that rootkit, they found something far more shocking: It had infected the machine via a powerful zero day that took advantage of the way Windows displays the contents of a USB drive. As soon as an infected USB stick was inserted into the computer’s port, the malware had sprung out to install itself on the machine with no indication to the user whatsoever.

  After VirusBlokAda published an announcement about the malware on a security forum, researchers at the security giant Symantec picked up the thread. They would pull on it for months to come, a detective story detailed in Kim Zetter’s definitive book on Stuxnet, Countdown to Zero Day. The malware’s size and complexity alone were remarkable: It consisted of five hundred kilobytes of code, twenty to fifty times as large as the typical malware they dealt with on a daily basis. And as the researchers reverse engineered that code’s contents, they found it contained three more zero days, allowing it to effortlessly spread among Windows machines—an entire built-in, automated arsenal of masterful hacker tricks.