Sandworm Read online

  Mimikatz had been a kind of hobby for Delpy. He worked as an IT manager at a French government institution—which one he declined to tell me—and had observed that Windows had a subtle flaw: Microsoft had created a feature called WDigest, designed to allow corporate and government Windows users to more conveniently prove their identity to different applications on their networks or on the web. WDigest would hold users’ authentication credentials like usernames and passwords in a computer’s memory so they would only have to be entered once and could then be effortlessly reused to unlock other sensitive programs.

  Delpy noticed that while Windows encrypted that copy of the user’s password in the computer’s memory, it kept a copy of the secret key to decrypt it handy in memory, too. “It’s like storing a password-protected secret in an email with the password in the same email,” Delpy explained to me.

  What if a hacker could get a foothold on that computer, pull the encrypted credentials out of memory along with the decryption key, decrypt them, and then run amok with the user’s stolen identity and password? Delpy pointed out that potential security lapse to Microsoft in a message submitted on the company’s support page in 2011. But the company brushed off his warning, responding that it wasn’t a real problem. After all, a hacker would already have to possess access to a victim’s computer in the first place before he or she could reach that password in memory. (When I asked Microsoft about the same issue, they said as much to me six years later. “It’s important to note that for this tool to be deployed it requires that a system already be compromised,” the company wrote in a statement. “To help stay protected, we recommend customers follow security best practices and apply the latest updates.”)

  But Delpy saw that in practice the Windows authentication system’s flaw would still provide a powerful stepping-stone for hackers trying to expand their infection from one machine to many on a network. If a hacker could manage to obtain deep enough access to a target machine—whether with a simple phishing scheme or a rare zero-day vulnerability—he or she could exploit Delpy’s trick to scoop those credentials out of memory and then use them to access other computers on the network. The danger was especially acute in networks with multiuser computers: If another user was logged in to the second machine the hacker accessed with a stolen password, he or she could run the same program on the second computer to steal that other user’s password, too—and on and on.

  So, with no real response from Microsoft, Delpy did what well-meaning hackers often do when faced with a company that’s skeptical of the security bug they’ve uncovered: He made a proof of concept. Delpy said he’d been meaning to learn the C programming language anyway. So he wrote an application in C to demonstrate the attack he’d warned Microsoft about. He called it Mimikatz—the name used the French slang prefix mimi, meaning “cute,” thus “cute cats”—and released it publicly in May 2011.

  “Because you don’t want to fix it, I’ll show it to the world to make people aware of it,” Delpy said of his attitude at the time. “It turns out it takes years to make changes at Microsoft. The bad guys didn’t wait.”

  Before long, Delpy saw Chinese users in hacker forums discussing Mimikatz and trying to reverse engineer it. Then, in mid-2011, he learned for the first time—he declines to say from whom—that Mimikatz had been used in an intrusion of a foreign government network. Delpy hadn’t released the tool’s source code, making it harder for anyone else to adapt or tweak the program, but some hackers had apparently been motivated enough to painstakingly disassemble it and create their own working version of Delpy’s tool. “The first time I felt very, very bad about it,” he said.

  Then, that September, Mimikatz was used again, in the landmark hack of the company DigiNotar. That firm was one of the so-called certificate authorities that assures that websites are who they claim to be when their address appears in a user’s browser. Certificate authorities serve as the ground truth of trust online, and DigiNotar’s compromise corrupted that trust to its core. The intrusion let the unidentified hackers—likely working for the Iranian government—issue fraudulent certificates so that they could perfectly spoof whatever website they chose. They ultimately used their DigiNotar takeover to spy on thousands of Iranians, according to security researchers at the firm Fox-IT, who analyzed the incident. DigiNotar was blacklisted by web browsers, and the company subsequently went bankrupt.

  DigiNotar’s demise was a telling demonstration of the lock-picking device Delpy had released to the world—more powerful than perhaps even he understood at the time. But Delpy said he also knew from the start that he was venturing into fraught territory with his creation; in his attempt to bring attention to a serious flaw in Windows’ security, he was bringing it to the attention of the internet’s most dangerous actors, too.

  “Mimikatz wasn’t at all designed for attackers. But it’s helped them,” Delpy acknowledged, with the understatement that sometimes results from a limited English vocabulary. “When you create something like this for good, you know it can be used by the bad side too.”

  * * *

  ■

  Microsoft had underestimated the severity of its security flaw. But Delpy had underestimated the danger of the tool he’d created to exploit it—even after he knew it was being used by foreign spies. He assumed that Mimikatz’s tricks must have already been known to most state-sponsored hackers; surely he couldn’t have been the only one to spot Microsoft’s mistake in leaving passwords so vulnerable.

  So in early 2012, when Delpy was invited to speak about his Windows security work at the Moscow conference Positive Hack Days, he accepted. The result, almost immediately after his arrival in Moscow, was his unnerving run-in with a strange Russian man in his hotel room.

  That clumsy hands-on hacking apparently failed. Or so Delpy believes, because after that incident, the Russians tried a more straightforward approach. Two days later, after Delpy gave his conference talk to a crowd of hackers in the old Soviet chocolate factory where the conference was being held, another man in a dark suit approached him. He demanded Delpy put his conference slides and a copy of Mimikatz on a USB drive.

  Trying to avoid a dramatic confrontation, Delpy complied. Then, before he’d even left Russia, he publicly posted Mimikatz’s source code on the software repository GitHub, both fearing for his own physical safety if he kept the tool’s code secret and figuring that if hackers were going to use his creation, defenders should fully understand it too.

  Over the next years, Mimikatz became a nearly universal tool in the hacker tool kit, from benevolent penetration testers to cybercriminals to sophisticated cyberspies. It showed up in all manner of hacker breaches, from the break-ins of the notorious Carbanak crime gang to Fancy Bear’s espionage operation inside the German Bundestag. “It’s the AK-47 of cybersecurity,” as CrowdStrike CTO Dmitri Alperovitch at one point described it.

  Delpy, for reasons that are tough to explain outside the strange world of hacker culture, didn’t distance himself from his creation, even as it appeared in more and more crime scenes. Instead, he continued to advance it. If alerting Microsoft to Windows’ original passwords-in-memory problem had been worthwhile, why not demonstrate other vulnerabilities he’d turned up, too?

  So he piled new features into Mimikatz, from generating fraudulent “tickets” used by Microsoft’s Kerberos system that let computers prove their identities to each other over a network, to stealing passwords from the auto-populating features in Chrome and Edge browsers. He even threw in a tool that could allow anyone to cheat at the game Minesweeper, pulling out the location of every mine in the game from the computer’s memory. “It’s my toolbox, where I put all of my ideas,” Delpy told me.

  Before adding a potentially dangerous new hacking tool to that toolbox, Delpy said he would alert Microsoft, or whoever else might be able to fix the flaw he was exploiting. Sometimes they did, eventually, respond with new protections. In Windows 8
.1, for instance, Microsoft finally turned off WDigest by default, blocking Delpy’s original avenue for Mimikatz’s infections.

  But often the fix is incomplete. Jake Williams, no stranger to offensive hacking operations in his penetration testing business, told me that he frequently gains a foothold in a target network, only to find that systems administrators left WDigest on, letting Mimikatz rampage through their systems. Or in other cases, he can simply find a way to turn WDigest back on himself. “My total time on target to evade that fix is about thirty seconds,” Williams said.

  All of that might make Delpy seem like a naive or even reckless enabler. But Nick Weaver, a Berkeley computer science researcher whom I asked about Mimikatz, argued it’s not so simple. Yes, Mimikatz is “insanely powerful,” he said. But perhaps it’s just a representation of vulnerabilities that sophisticated hackers would have learned to exploit sooner or later, regardless—perhaps with less attention. “I think we must be honest: If it wasn’t Mimikatz, there would be some other tool,” said Weaver. “These are fundamental problems present in how people administer large groups of computers.”

  Sandworm, however, did not write its own Mimikatz. It simply took Delpy’s. Like any ravenous, omnivorous predator, it was as happy to scavenge low-hanging fruit as to hunt big game. Oleksii Yasinsky first detected Ukraine’s tormentors using Mimikatz in the 2015 penetration of StarLightMedia. It had appeared again in the logs of the long, patient operation leading up to the Ukrenergo blackout in late 2016.

  With the leak of EternalBlue and its integration into WannaCry, however, Sandworm’s programmers saw an opportunity to elevate Delpy’s tool from a simple, manual shim into something far more elegant and automated. The NSA’s code presented one half of a powerful, incendiary chemical reaction. Mimikatz offered the other.

  24

  NOTPETYA

  Early on the morning of June 27, 2017, Colonel Maksym Shapoval was driving his Mercedes-Benz in the quiet Solomyansky district of western Kiev. When he stopped at an intersection next to the leafy campus of the State University for Telecommunications, a lump of explosives tucked under the Ukrainian military officer’s car equivalent to about two pounds of TNT exploded. He was killed instantly in a ball of fire. Parts of his vehicle flew dozens of feet in every direction. Two pedestrians walking nearby were hit with shrapnel in the legs and neck. They would be the first collateral victims of the day, but not the last.

  * * *

  ■

  On the edge of the trendy Podil neighborhood to the east of Kiev’s center, coffee shops and parks abruptly evaporate, replaced by a grim industrial landscape. Under a highway overpass, across some trash-strewn railroad tracks, and through a concrete gate stands the four-story headquarters of Linkos Group, a small, family-run Ukrainian software business.

  Up three flights of stairs in that building is a server room where a rack of pizza-box-sized computers is connected by a tangle of wires and marked with handwritten, numbered labels. On a normal day, these servers push out routine updates—bug fixes, security patches, new features—to a piece of accounting software called M.E.Doc, which is more or less Ukraine’s equivalent of TurboTax or Quicken. It’s used by nearly anyone who files taxes or does business in the country.

  But starting in the spring of 2017, those machines had served another purpose. Unbeknownst to anyone at Linkos Group, Sandworm’s hackers had hijacked the company’s update servers to allow them a hidden backdoor into the thousands of PCs around the country and the world that had M.E.Doc installed. Then, on that same morning of June 27, the saboteurs used that backdoor to release their payload: the most devastating cyberweapon in the history of the internet.

  * * *

  ■

  Oleksii Yasinsky had expected a calm Tuesday at the office. Earlier that morning, he’d read with dismay the headlines about the brazen assassination of a Ukrainian colonel in the middle of Kiev, but then he’d commuted to work as usual and come into an abnormally quiet office. It was the day before Ukraine’s Constitution Day, a national holiday, and most of his co-workers were either planning their vacations or already taking them. Not Yasinsky. His job description at ISSP no longer lent itself to downtime. Since the first blows of Russia’s cyberwar had hit StarLightMedia in 2015, in fact, he’d allowed himself a grand total of one week off.

  Yasinsky remained unperturbed when he received a call that morning from ISSP’s director telling him that Oschadbank, the second-largest bank in Ukraine, was under attack. The company had told ISSP that it was facing a ransomware infection, hardly an uncommon crisis for companies around the world targeted by cybercriminals. But when Yasinsky walked into Oschadbank’s IT department at its central Kiev office half an hour later, he quickly suspected this was something worse. “The staff were lost, confused, in a state of shock,” Yasinsky says. Around 90 percent of the bank’s thousands of computers were permanently locked. Some showed the “repairing file system on C:” message. Others displayed an “oops, your files are encrypted” ransom screen demanding $300 in bitcoins.

  After an examination of the bank’s surviving logs, Yasinsky could see that the ransomware attack was an automated worm. It looked vaguely like WannaCry, but different: It wasn’t merely scanning the internet at random and infecting any vulnerable computers it could find, but instead had somehow obtained an administrator’s credentials, giving it the run of the bank’s network. It had then rampaged through Oschadbank’s systems like a prison inmate who’d stolen the warden’s keys.

  As he analyzed the bank’s breach back in ISSP’s office, Yasinsky started receiving calls and messages from people around Ukraine, telling him of similar instances in other companies and government agencies. One told him that another victim had experimented with paying the worm’s ransom. As Yasinsky already guessed, the payment had no effect. This was no ordinary ransomware. “There was no silver bullet for this, no antidote,” he said. And unlike WannaCry, there was no kill switch.

  A thousand miles to the south, ISSP’s CEO, Roman Sologub, was attempting to take a Constitution Day vacation on the southern coast of Turkey, preparing to head to the beach with his family. His phone, too, began to explode with calls from ISSP clients who were either watching the mysterious worm tear across their networks or reading news of the attack and frantically seeking advice.

  Sologub retreated to his hotel, where he’d spend the rest of the day fielding more than fifty calls from customers reporting, one after another after another, that their networks had been infected. ISSP’s security operations center, which monitored the networks of clients in real time, warned Sologub that the new worm was saturating victims’ systems with terrifying speed: It took forty-five seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub, where ISSP had installed its equipment as a demonstration, was fully infected in sixteen seconds. Ukrenergo, the energy company whose network ISSP had been helping to rebuild after the 2016 blackout cyberattack, had also been struck yet again. “Do you remember we were about to implement new security controls?” Sologub recalled a frustrated Ukrenergo IT director asking him on the phone. “Well, too late.”

  By noon, ISSP’s co-founder, a serial entrepreneur named Oleh Derevianko, had sidelined his vacation too. Derevianko had been driving north to meet his family at his village house for the holiday when the calls began. Soon he had pulled off the highway and was working from a roadside restaurant. By the early afternoon, he was warning every executive who called to unplug their networks without hesitation, even if it meant shutting down their entire company. In many cases, they’d already waited too long. “By the time you reached them,” Derevianko said, “the infrastructure was already lost.”

  * * *

  ■

  The unfolding digital debacle soon had a name: NotPetya. Security firms around the globe immediately began examining the new worm, primed by the previous month’s WannaCry outbreak. Researcher
s at Kaspersky noted that the new malware’s code somewhat resembled a piece of criminal ransomware called Petya that had been circulating since early 2016. Like that older ransomware, when this specimen infected a new machine, it immediately set about encrypting the computer’s so-called master file table—the part of a computer’s operating system that keeps track of the location of data in storage. It also encrypted every file on the machine individually; the effect was like a vandal who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack.

  But the new ransomware was distinguished from that earlier criminal code by crucial modifications—hence its name. Within twenty-four hours, a French security researcher named Matthieu Suiche would discover that in fact the code didn’t actually allow decryption after a ransom was paid. Instead, its extortion messages seemed like a familiar ruse, covering its true intention of simple, permanent data destruction.

  NotPetya was also distinguished from its Petya namesake by another feature: It was honed for maximum virulence. The worm used both Mimikatz and EternalBlue in tandem. For the researchers pulling its code apart, exactly how the code was gaining its initial foothold on computer networks was, at first, a mystery. But once it had that first infection, they could see that Mimikatz acted as its primary tool of expansion. Sucking passwords out of computers’ memories, it instantly hopscotched from machine to machine, using common Windows management tools that give administrators free rein to access other computers on the network if they possess the right credentials—the inmates-running-the-prison case Yasinsky discovered at Oschadbank.

  But the NSA’s EternalBlue code leaked by the Shadow Brokers—along with another tool called EternalRomance for older versions of Windows—provided an extra, explosive catalyst. If any computer on a network hadn’t received Microsoft’s EternalBlue patch, NotPetya would jump to that vulnerable computer and continue to branch out from that new infection with its Mimikatz trick. The two tools paired to multiply their reach, making NotPetya more contagious than the sum of its parts. “You can infect computers that aren’t patched, and then you can grab the passwords from those computers to infect other computers that are patched,” said Mimikatz’s creator, Delpy. “When you mix these two technologies, it’s very powerful.”