Sandworm Page 14

  *2 When this book went to press, the extent of Trump’s collaboration with the Russian government in its election interference remained unclear. But the investigation of independent counsel Robert Mueller had revealed that multiple members of Trump’s staff as well as Donald Trump Jr. had met with Kremlin officials and other Russian nationals who had offered compromising information on Clinton, which Trump Jr. was eager to accept. As a candidate, Trump had also weakened the Republican Party position on defending Ukraine from Russia, all while pursuing a billion-dollar deal to establish a Trump Tower in Moscow.

  17

  FSOCIETY

  On election night, Michael Matonis had gone to bed early. He’d seen the increasing likelihood of Trump’s win. But he’d chosen, rather than biting his nails all evening, to just assume Clinton would prevail as expected and sleep through the drama until then.

  At 5:00 a.m., he was woken up by the shortwave radio next to his bed, immediately heard the news, and emitted a long, heartfelt moan of profanity.

  Matonis, a twenty-seven-year-old security researcher with a mass of curly black hair, lived at the time in Albany, New York, but had been planning a party that night in his hometown of Brooklyn—not so much to celebrate Clinton’s victory as to herald an end to seeing Trump’s face on television every day. After learning the shocking election results, Matonis and his friends quickly reconceived the party as a kind of emotional support group. So he nonetheless boarded an Amtrak train south, then made his way from Penn Station through a New York City that was visibly grieving, with signs of protest and condolences posted on subway platforms and in shopwindows.

  When he arrived in the city, Matonis had planned to wander around Williamsburg and find some good Turkish or Brazilian food. But he soon found that he was too depressed to leave his Airbnb. So instead, despite officially being on vacation, he opened his laptop to distract himself with work.

  Matonis was a member of the team of researchers that reported to John Hultquist, who by then had become director of cyberespionage analysis at FireEye, the security firm that had acquired iSight earlier in 2016. As part of his daily hunting, Matonis had created his own software tools that automatically scanned malware feeds like VirusTotal for interesting tidbits that might serve as footprints of state-sponsored hackers—what he calls “cyber gold panning.”

  Early that morning, one of his filter tools had pinged him with results that he’d been too distracted to read. Now he dug into its origin: Someone had uploaded to VirusTotal a piece of malicious code that used a Microsoft Office script to install itself on the victim’s machine, just as BlackEnergy had done in the late 2015 attacks. The new malware appeared to be a fresh backdoor for remote access to victim machines, one that curiously used the encrypted instant-messaging software Telegram to communicate with its command-and-control servers. But Matonis had tracked the BlackEnergy attacks closely enough to see that they shared a similar encoding.

  The backdoor program was packaged in a Word document written in Cyrillic characters. When Matonis put the file through Google Translate, he found that it was a list of prices of storage hardware and servers written in Ukrainian, what appeared to be bait for Ukrainian IT systems administrators. “I could think of only one group that would do this thing, in this particular way,” he says.

  Since the Ukrainian blackouts nearly a year earlier, Sandworm had gone entirely silent. After its grid-hacking tour de force, it seemed as if the group might even have disappeared. Aside from a few die-hard obsessives including Matonis, his boss, Hultquist, and Rob Lee, much of the American security community’s attention to Russian hacking had shifted almost entirely to Fancy Bear’s election meddling.

  Now Matonis was seeing the first sign that Russia’s blackout hackers had surfaced again. “Holy shit,” Matonis thought to himself as he sat at the kitchen table of his Brooklyn rental. “I think I’ve found Sandworm version two.”

  * * *

  ■

  By August 2016, eight months after the first Christmas blackout, Yasinsky had left his job at StarLightMedia. It wasn’t enough, he decided, to defend a single company from an onslaught that seemed to be targeting every stratum of Ukrainian society. Despite Sandworm’s silence since the blackout, Yasinsky knew that the group spent long months advancing its intrusions and that the next wave of attacks was likely already in motion. He needed a more holistic view of the hackers’ work, and Ukraine needed a more coherent response to the brazen, callous organization of attackers that Sandworm was becoming. “The light side remains divided,” he told me of the balkanized reaction to the hackers among their victims. “The dark side is united.”

  So Yasinsky took a position as the head of research and forensics for a Kiev firm called Information Systems Security Partners, or ISSP. The company was hardly a big name in the security industry. But Yasinsky joined with the intention of using his position to make ISSP the go-to first responder for victims of Ukraine’s digital siege.

  Not long after he switched jobs, as if on cue, the country came under another, even broader, more punishing wave of attacks. Starting in December, a month after FireEye’s Michael Matonis and other researchers around the world were seeing the first signs of Sandworm’s reemergence, Yasinsky began to learn of other Ukrainian agencies and infrastructure companies targeted by the same destructive hackers as in 2015. Those victims would eventually include Ukraine’s pension fund, Treasury, seaport authority, and Ministries of Infrastructure, Defense, and Finance. In each case, as in the year before, the attacks culminated with a KillDisk-style detonation on the target’s hard drives.

  The hackers again hit Ukraine’s railway company, Ukrzaliznytsia, this time knocking out its online booking system for days, right in the midst of the holiday travel season. In the case of the Finance Ministry, the logic bomb deleted terabytes of data, destroying the contents of 80 percent of the agency’s computers, deleting its draft of the national budget for the next year, and leaving its network entirely off-line for the next two weeks.

  In other words, the hackers’ new winter onslaught matched and exceeded the previous year’s in both its scale and the calculated pain of its targeting. But as security researchers delved into the companies’ logs in those first weeks of December, they could see their tormentors were trying out new forms of deception, too. In one round of attacks, for instance, the hackers had altered their KillDisk code to not merely cripple victims’ machines but also to display a haunting image on their screens.

  The picture—first published by researchers at the Slovakian security firm ESET, who were also closely tracking the second wave of Ukrainian attacks—wasn’t merely a file planted on the victims’ computers. Instead, with a kind of hacker flourish, it had been painstakingly programmed into the malware to be drawn by Windows’s graphics interface every time the code ran. The resulting image was a neon-green and black low-resolution mustachioed mask, over a background of multicolored ones and zeros. Above and below the mask were the words “WE ARE FSOCIETY” and “JOIN US.”

  The hackers had co-opted the symbology of the fictional anarchist hackers in the television show Mr. Robot, perhaps to create a veneer of freewheeling, grassroots nihilism over what was clearly a well-organized, state-sponsored disruption campaign. (With the benefit of hindsight, they might have also been revealing something about their intentions: In Mr. Robot, FSociety’s hackers permanently destroy the records of a massive banking conglomerate, erasing the debt of thousands of people and throwing the world economy into chaos—a story line that, within a year, would feel prescient.)

  In the second round of attacks, the hackers switched up their ruse: Instead of a hacktivist front, they adopted a cybercriminal one, plastering victims’ corrupted machines with a ransom message demanding a Bitcoin payment: “We are sorry, but the encryption of your data has been successfully completed, so you can lose your data or pay 222 btc.”

  Sandworm seemed to have adapte
d its cover story to mimic an increasingly trendy tactic among hacker profiteers: Rather than try to steal credit cards or other data that had to be resold to be monetized, cybercriminals had discovered they could extort money directly from victims by encrypting their hard drives and demanding payment to unlock them. Only once the victims forked over the ransom—within a prescribed time limit—would the extortionists send a key to decrypt their data. Some ransomware schemes had become so professional that they even included live customer support, increasing the likelihood of payment by reassuring victims that they would actually receive their data back.

  But most of those moneymaking schemes, as cruel as they were, asked for just a few hundred or thousand dollars from victims. This one demanded, at late 2016 Bitcoin exchange rates, more than $150,000. No one, it seemed, was foolish enough to pay. And ESET’s researchers found that even if they had, there was no decryption mechanism in the malware. Instead, the ransom demand only added another layer of confusion to the same KillDisk-style data destruction that Sandworm had been carrying out since the year before.

  Yasinsky could see that the hackers were not only evolving but experimenting. After a year underground, they had reemerged more dangerous and deceptive than ever. Ukraine’s cyberwar was ramping up. And then, on a Saturday night two weeks into that growing plague, not long after Yasinsky sat down on the couch of his Kiev apartment to watch the movie Snowden with his family, Sandworm put its full capabilities on display.

  * * *

  ■

  On December 17, 2016, a young engineer named Oleg Zaychenko was four hours into his twelve-hour night shift at Ukrenergo’s transmission station just north of Kiev’s city limits. He sat in an old Soviet-era control room, its walls covered in beige and red floor-to-ceiling analog control panels. The station’s tabby cat, Aza, was out hunting; all that kept Zaychenko company was a television in the corner playing pop music videos.

  He was filling out a paper-and-pencil log, documenting another uneventful Saturday evening, when the station’s alarm suddenly sounded, a deafening continuous ringing. To his right, Zaychenko saw that two of the lights indicating the state of the transmission system’s circuits had switched from red to green—in the counterintuitive, universal language of electrical engineers, a sign that they had turned off.

  The technician picked up the black desk phone to his left and called an operator at Ukrenergo’s headquarters to alert him to the routine mishap. As he did, another light turned green. Then another. Zaychenko’s adrenaline began to kick in. While he hurriedly explained the situation to the remote operator, the lights kept flipping: red to green, red to green. Eight, then ten, then twelve.

  As the crisis escalated, the operator on the phone ordered Zaychenko to run outside and check the equipment for physical damage. At that moment, the twentieth and final circuit switched off, and the lights in the control room went out, along with the computer and TV. Zaychenko was already throwing a coat over his blue-and-yellow uniform and sprinting for the door.

  Ukrenergo’s northern Kiev transmission station is normally a vast, buzzing jungle of electrical equipment stretching over twenty acres, the size of more than a dozen football fields. But as Zaychenko came out of the building into the freezing night air, the atmosphere was eerier than ever before: The three tank-sized transformers arrayed alongside the building, responsible for about a fifth of the capital’s electrical capacity, had gone entirely silent.

  Until then, Zaychenko had been mechanically ticking through an emergency mental checklist. As he ran past the paralyzed machines, the thought entered his mind for the first time: The blackout hackers had struck again.

  18

  POLIGON

  This time the attack had moved up the circulatory system of Ukraine’s grid. Instead of taking down the distribution substations that branch off into capillaries of power lines, the saboteurs had hit an artery. That single northern Kiev transmission station carried two hundred megawatts, more total electric load than all the fifty-plus distribution stations knocked out in the 2015 attack combined.

  Luckily, the system was down for just an hour—hardly long enough for pipes to freeze or for locals to start panicking—before Ukrenergo’s engineers began manually closing circuits and bringing everything back online. Even so, when that hour-long midnight blackout enveloped Yasinsky’s home in northern Kiev, it unnerved him like no cyberattack he’d ever experienced in his years as a security professional.

  Yasinsky told me he’s always tried to maintain a dispassionate perspective on the intruders who were ransacking his country. He seeks to avoid entirely, for instance, the topic of the attackers’ identities, arguing that their names or nationalities don’t figure into the analysis of their intrusions or strategies for defending against them. (That refusal to wade into questions of attribution is common in the cybersecurity industry. But Yasinsky takes it to an extreme, going so far as to wag his finger with a mock-scolding grin when I refer to the attackers as Russian.)

  Yasinsky has always preferred to see his job as a game of chess, logically analyzing the adversary’s moves on an abstract plane free from any personal psychology. Become too emotionally invested, he argued, let your thinking be corrupted by your own anger or obsession or self-interest, and you begin to make mistakes. “You need a cold, clear mind,” Yasinsky said. “If you want to play well, you can’t afford to hate your opponent.”

  But when the blackout extended to his own home, he admitted that it crossed a new boundary. It was “like being robbed,” he told me. “It was a kind of violation, a moment when you realize your own private space is just an illusion.”

  Within twenty-four hours of the blackout, Ukrenergo staffers had publicly confirmed that it had indeed been caused by another cyberattack, just as Yasinsky had immediately suspected. Ukrenergo and the SBU—the Ukrainian security service that partly functions as the country’s equivalent of the NSA—determined that Ukraine would handle the response itself. This time, there would be no American delegation. And so naturally, when ISSP called up Ukrenergo and offered its services, the job was handed to Yasinsky.

  * * *

  ■

  In early 2017, at a meeting in Ukrenergo’s central Kiev headquarters, the company gave ISSP a hard drive filled with the terabytes of log files that Yasinsky would need to begin his forensic analysis. Just as he had at StarLightMedia, he pored over the logs for weeks, combing them for any anomaly that might reveal the traces of hackers who had sought at every point in their intrusion to perfectly mimic the normal behavior of the victims they had infiltrated—what Yasinsky calls “finding needles among needles.”

  After tracking the same hackers for more than a year, Yasinsky knew where to find their footprints. By the end of January, ISSP had assembled nearly the entire anatomy of the intrusion. He presented it in a briefing for Ukrenergo’s IT administrators, rolling out in front of them a six-foot-long printed paper timeline of the hackers’ work. Though the company had given him six months of logs, it appeared the hackers had likely obtained their access far earlier: In January 2016, nearly a year before the second blackout, Ukrenergo had discovered an infection of the same BlackEnergy malware that had hit StarLightMedia, TRK, and Boryspil airport. Yasinsky guessed that despite the utility’s cleanup efforts the intruders had maintained a stealthy foothold somewhere inside Ukrenergo’s systems, patiently biding their time.

  To move between computers within Ukrenergo’s network, they had deployed a common hacker tool called Mimikatz, designed to take advantage of a security oversight in older versions of Windows that leaves passwords accessible in a computer’s memory. Mimikatz plucks credentials out of that ephemeral murk so that hackers can use them to gain repeated access to a computer, or to any others that a victim’s account could access on the same network. The hackers had also exploited a more obscure trick, one that allows them to dig through memory when an application unexpectedly crashed, with sen
sitive credentials lingering in the “crashdump” of data that borked programs leave behind—a bit like grabbing and instantly copying the keys from a stalled car.

  With those stolen credentials, the hackers eventually gained access to a kind of all-seeing database server in Ukrenergo’s network, what’s sometimes known as a “historian.” That database acted as a record keeper for the utility’s operations, collecting data from physical equipment and making it available to the business network. For the intruders, it offered a crucial bridge between the traditional IT side of Ukrenergo’s network and the industrial control system side, including workstations with access to circuit breakers.

  That historian database didn’t merely collect data from the utility’s computers. It also, more dangerously, had the ability to send certain commands to them. As Yasinsky describes it, the hackers hijacked that functionality to turn the database into a “Swiss Army knife,” capable of running any code the hackers chose. Ultimately, that included planting the payload of their attack at the doorstep of Ukrenergo’s actual transmission station equipment and, as in 2015, callously flipping those switches to cut power to hundreds of thousands of people.

  The attackers seemed to have shifted their focus from the 2015 attack, when they had ransacked the three regional power utilities with a broad arsenal of humiliations, attacking everything from the utilities’ own backup generators to their phone systems. Instead, this time they had penetrated directly into the transmission systems with single-minded professionalism. “In 2015, they were like a group of brutal street fighters,” says Marina Krotofil, a Ukraine-born German industrial control systems expert who then worked at Honeywell and who advised Yasinsky during ISSP’s analysis. “In 2016, they were ninjas.”