Sandworm Read online

  Lee was immediately floored by the gravity of what he saw. The code before him crystallized everything he already believed about Sandworm’s escalating cyberwar tactics into a single, concrete piece of programming. “This was the first piece of malware to cause disruption to civilian infrastructure,” he marveled, pointing out that even Stuxnet limited itself to a military target. “It was a huge deal.”

  Lee asked for the complete code, but ESET refused. Unfortunately for ESET, they had underestimated Lee’s dogged curiosity and naked ambition, not to mention his willingness to piss off his security industry peers.

  So Lee tasked the staff at Dragos, his young industrial control system security start-up, with finding the malware on their own. The company began combing through its own sources of malware samples, using ESET’s code snippet as a fingerprint. Within hours, Lee says, they had found a match on a computer that had been turned into a so-called staging server for Sandworm’s operations.

  A staging server acts as a kind of field outpost for hackers, a hop point where they can store and then launch their hacking tools against a target without revealing their own point of origin. Somehow, Lee told me—and he refused to explain further—Dragos had accessed that server and pulled from it the same code that ESET had found.

  With less than seventy-two hours before ESET planned to release its findings, the researchers at Dragos began racing to produce their own report. The company’s six main reverse engineers, who all worked remotely, set up an open videoconference channel. From their home offices in six states across three time zones, they began to tear apart the payload code, working in tandem and barely sleeping. Lee himself, in his home office in suburban Maryland, powered through the entire seventy-two-hour sprint, drinking from a bottle of Nikka Coffey Grain Japanese whiskey and a twenty-four-pack of Red Bulls. Only when Dragos’s own report was complete on Monday morning at 6:00 did he allow himself a two-hour nap.

  Hours later, both companies published their reports. Dragos had taken the controversial step of giving the program its own name: Crash Override. That moniker combined the name of a launcher component of the malware called “crash.dll” that activated its malicious modules and the fact that it was designed to repeatedly open circuit breakers faster than an operator could close them, overriding those manual commands. It was also an allusion to the pseudonym of the protagonist of the 1995 film Hackers. (When Microsoft and US-CERT issued warnings that Monday about the code, they called it Crash Override, not Industroyer. Cherepanov and the shocked ESET team have yet to forgive Lee for the slight.)

  Industry backbiting aside, Dragos’s and ESET’s reports agreed on many of the most troubling findings about the blackout payload. Crash Override or Industroyer, whatever it was to be called, had no easy remedy. If hackers could plant this automated malware as deeply into a utility’s network as Sandworm had into Ukrenergo’s, it would exploit the intended features of industrial control systems, sending commands that were indistinguishable from the ones sent by legitimate operators. “There’s nothing to patch away, nothing to address,” Lee said. “It’s an unfixable attack.”

  Even worse, the automated nature of the disruption meant that the kind of blackout operation Sandworm had now performed twice in Ukraine could be scaled up to multiple simultaneous targets across a country or region. Lee estimated that the 2015 attack had required as many as twenty hackers manually hijacking computers and clicking through circuit breakers. Now, he pointed out, a team of that same size could plant their self-propelled malware on ten or fifteen utility targets simultaneously and set the code to activate at a certain time, like a ticking bomb. From the hacker’s point of view, he explained, “you can be confident it will cause disruption without your interaction.”

  Finally, the malware payload also included its own wiper tool labeled haslo.dat—Ukrainian for “torch”—designed to destroy all the data from target systems. Marina Krotofil, who would follow up with her own analysis of the code months later, described that function as both an attempt to prolong the blackout and a cleanup stage, intended to prevent forensic analysts from finding the malware afterward. In this case, by a fateful stroke of luck, that wiping functionality had somehow failed. “They didn’t mean to burn this tool,” she told me, using the hacker jargon “burn” to mean that the program was exposed, eliminating its element of surprise. “We were never meant to see it.”

  One of the most disturbing aspects of the malware had been just briefly mentioned in ESET’s report: Yes, it was designed to send commands in four different electrical transmission systems protocols, only one of which had actually been in use at Ukrenergo. But the code was also highly modular. The protocols could just as easily be swapped out for others—including those used in the United States. “I salute the author of this malware, because it will work anywhere,” as Krotofil would later put it. “The beauty of this is that you can launch it in any country, in any substation.”

  The notion that Sandworm was using Ukraine to test out techniques that it might someday repeat in western Europe or the United States was now more than an abstract theory: It had been borne out in the actual mechanics of the tool the researchers had uncovered. The malware seemed designed not as a onetime-use grenade but as a reusable and adaptable weapons system.

  No one would build such a unique piece of malicious software and spend a year burrowing into a victim’s network to plant it, only to inflict a one-off, one-hour blackout. “This is a piece of malware that looks like it’s built to target other sites,” Lee told me. “Nothing about this attack looks like it’s singular. The way it’s built and designed and run makes it look like it was meant to be used multiple times. And not just in Ukraine.”

  * * *

  ■

  The same week that Lee and his Dragos researchers published their report on the Crash Override malware, Lee was invited to brief members of the White House’s National Security Council. Sitting in a large conference room with representatives of the Department of Homeland Security, Department of Energy, CIA, and NSA, he explained how the discovery of this code represented a unique, scalable, and versatile threat to power grids around the world.

  At first, Lee thought the Trump administration might be preparing to launch the sort of response to the second Ukraine blackout that had been so noticeably absent from the first. “Everyone got on the same page. No one was confused. Everyone knew it was important,” Lee said.

  But as the days and weeks after the briefing passed, Lee heard nothing more. Finally, when he got through to a White House staffer, he was told that the information he’d presented about Russian grid malware had made its way to Director of National Intelligence Dan Coats, who’d passed on a snippet to President Trump. And the answer, as Lee tells it, had been “We’re not interested in talking about that.”

  Trump, whose understanding of computers and digital security was notoriously thin, might have ignored the news simply because he tuned out all things “cyber.” But as Lee describes it, the message passed to him, filtered through several layers from the president, had been that the Crash Override news was “bad timing” and “too political.” In other words, as the controversy around Russia’s role in his election victory began to grow, it seemed that Trump had no interest in discussing any sentence that contained the words “Russian” and “hacker,” no matter the context. (The White House never answered my multiple requests for comment on Lee’s description of those events.)

  If Trump sensed the news could be used against him politically, he was right. In late June 2017, eighteen Democratic senators and Independent Bernie Sanders signed a letter to the president, citing Dragos’s work and demanding Trump direct the Department of Energy to conduct a new analysis of the Russian government’s capabilities to disrupt America’s power grid. They also asked for an exploration of any attempts the Kremlin had already made to compromise America’s electric utilities, pipelines, or other energy infrastructur
e.

  “We are deeply concerned that your administration has not backed up a verbal commitment prioritizing cybersecurity of energy networks and fighting cyber aggression with any meaningful action,” the legislators wrote. The White House never responded.

  Lee quickly regretted that the Crash Override news had become a partisan football. But he was far more frustrated still that history was replaying itself from a year before: Another White House seemed to be pushing another Ukrainian blackout under the rug. “When a cyberattack takes down electric power for the first time with a capability that’s scalable and impactful to people around the world, it doesn’t even get a sound bite,” Lee said. “And that’s ridiculous.”

  * * *

  ■

  In the Dragos researchers’ mad seventy-two-hour rush to dissect Crash Override, a.k.a. Industroyer, they had missed something. In fact, Rob Lee would tell me that one element of the code that ESET described in its report was lacking from the version of the malware Dragos found. It hadn’t, apparently, been used in the Ukrenergo attack. It’s not clear if it even worked. But it was, in some ways, the most foreboding clue of all.

  At one point as he was combing the Industroyer code, Cherepanov had spotted that it was programmed to send out a strange eighteen-byte string of numbers. When he googled that string, he found an advisory about a known vulnerability in Siemens Siprotec devices—protective relays designed to function as safety kill switches for electrical equipment. Send that one packet of eighteen bytes to a Siemens Siprotec box, and it would become unresponsive. Only manually rebooting it would wake it up again.

  When Mike Assante read ESET’s report on Industroyer at his home in Wyoming, that Siprotec trick immediately stuck out to him. Protective relays were, after all, the devices he’d always worried might be hacked to not simply disrupt but destroy physical equipment. It had been just over ten years since he’d led the Aurora demonstration, showcasing exactly the scale of disaster that might be possible when protective relays are maliciously altered.

  The vulnerability exploited by Sandworm’s malware, unlike his Aurora attack, didn’t actually change the logic of a protective relay to cause dangerous effects. It simply put the relay to sleep. But if that technique had been combined with other kinds of transmission station sabotage, it could still have caused far more permanent damage: Disable protective relays while messing with the electric load on certain components, and hackers might melt lines or burn transformers, outcomes that would make a one-hour blackout look like an innocent game of tag by comparison. “If you ever see a transformer fire, they’re massive,” Assante says. “Big black smoke that all of a sudden turns into a fireball.”

  In 2007, he had first warned the world about hackers unleashing physical destruction on power systems. Now someone seemed to be taking the first steps toward a very literal Aurora-style attack. As he looked out the windows of his second-story home office at the distant Teton mountain range, Assante felt a strange mix of pride and bitter dread. “There was the satisfaction of not having had a failure of imagination,” he says. “But also the fear: They’re developing these capabilities now.”

  His Aurora nightmare was now on the verge of coming true. “This is real,” he thought to himself. “It’s happening.” The future he’d glimpsed a full decade earlier had arrived.

  PART IV

  APOTHEOSIS

  Out of the sand haze came an orderly mass of flashing shapes—great rising curves with crystal spokes that resolved into the gaping mouths of sandworms, a massed wall of them, each with troops of Fremen riding to the attack. They came in a hissing wedge, robes whipping in the wind as they cut through the melee on the plain.

  20

  MAERSK

  It was a perfect, sunny summer afternoon in Copenhagen when the world’s largest shipping conglomerate began to lose its mind.

  The headquarters of A.P. Møller-Maersk sit beside the breezy, cobblestoned esplanade of Copenhagen’s harbor. A ship’s mast carrying the Danish flag is planted by the building’s northeastern corner, and six stories of blue-tinted windows look out over the water, facing a dock where the Danish royal family parks its yacht. In the building’s basement, employees can browse a corporate gift shop, stocked with Maersk-branded bags and ties, and even a rare Lego model of the company’s gargantuan Triple-E container ship, a vessel roughly as large as the Empire State Building laid on its side, capable of carrying another Empire State Building–sized load of cargo stacked on top of it.

  That gift shop also houses a technology help center, a single desk manned by IT troubleshooters next to the shop’s cashier. And on the afternoon of June 27, 2017, confused Maersk staffers began to gather at that help desk in twos and threes, almost all of them carrying laptops. On some of the machines’ screens were messages that read “repairing file system on C:” with a stark warning not to turn off the computer. Others, more surreally, read “oops, your important files are encrypted” and demanded a payment of $300 worth of bitcoin to decrypt them.

  Across the street, an IT administrator named Henrik Jensen was working in another part of the Maersk compound, an ornate white stone building that in previous centuries had served as the royal archive of maritime maps and charts.* Jensen was busy preparing a software update for Maersk’s nearly eighty thousand employees when his computer spontaneously restarted.

  He quietly swore under his breath. Jensen assumed the unplanned reboot was a typically brusque move by Maersk’s central IT department, a little-loved entity in England that oversaw most of the corporate empire, whose eight business units ranged from ports to logistics to oil drilling, in 574 offices in 130 countries around the globe.

  Jensen looked up to ask if anyone else in his open-plan office of IT staffers had been so rudely interrupted. And as he craned his neck, he watched every other computer screen around the room blink out in rapid succession.

  “I saw a wave of screens turning black. Black, black, black. Black black black black black,” he says. The PCs, Jensen and his neighbors quickly discovered, were irreversibly locked. Restarting them only caused them to display the Bitcoin ransom message other Maersk staffers had been seeing.

  All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed by the still-mysterious malware, to spread the warning to other sections of the building.

  Disconnecting Maersk’s entire global network took the company’s IT staff more than two panicky hours. By the end of that process, all employees had been ordered to turn off their computers and leave them at their desks. The digital phones at every cubicle, too, had been rendered useless in the emergency network shutdown.

  Around 3:00 p.m., a Maersk executive walked into the room where Jensen and a dozen or so of his colleagues were anxiously awaiting news and told them to go home. Maersk’s network was so deeply corrupted that even IT staffers were helpless. A few of the company’s more old-school managers told their teams to remain at the office. But many employees—rendered entirely idle without computers, servers, routers, or desk phones—simply left.

  Jensen walked out of the building and into the warm air of a late June afternoon. Like the vast majority of Maersk staffers, he had no idea when he might return to work. The maritime giant that employed him, responsible for seventy-six ports on all sides of the earth and nearly eight hundred seafaring vessels, including container ships carrying tens of millions of tons of cargo, representing close to a fifth of the entire world’s shipping capacity, was dead in the water.

>   * Henrik Jensen is not his real name. Like almost every Maersk employee, customer, or partner I interviewed, Jensen feared the consequences of speaking publicly about this story.

  21

  SHADOW BROKERS

  The worst cyberattack in history, like any perfect storm, came together from a rare confluence of elements. One of the most powerful and volatile precursors was provided, indirectly, by none other than the U.S. government.

  For Jake Williams, the fiasco that served up the key element to Sandworm began on an early morning in August 2016—ten months before Maersk’s screens would go dark—in a conference room somewhere in Ohio. Williams, the thirty-nine-year-old founder of the security firm Rendition Infosec, was embedded with four of his staffers inside the offices of a corporate client whose computer network had been deeply violated by a team of cybercriminals. This was business as usual: Williams’s team had set up laptops and monitors to turn one of the customer’s meeting spaces into a war room. They’d worked late the night before, combing the victim’s network logs and talking endlessly with the company’s lawyers before catching a few hours of sleep and then diving back into the crime scene that morning before 7:00.

  On one of the screens Williams had set up in that war room, he’d opened Twitter and created a running feed of all messages that mentioned the client company. He was monitoring for any chatter that might mean news of the breach, which hadn’t yet been announced by the company or reported by the media, had leaked out to the public. That’s when he saw a trickle of tweets mentioning a different sort of leak, not from his client, but from one of the most secretive organizations on the planet: the NSA.

  The tweets linked back to a Twitter account called “@shadowbrokerss,” which in turn linked to a post on the website Pastebin, a favorite publishing tool of anonymous hackers. There Williams found a rant written in what appeared to be a kind of mock-broken English.