Sandworm Page 2
PowerPoint possesses “amazing powers,” as one of the black room’s two reverse engineers, Jon Erickson, explained to me. Over years of evolution, it’s become a Rube Goldberg machine packed with largely unnecessary features, so intricate that it practically serves as its own programming language. And whoever had exploited this zero day had deeply studied one feature that allowed anyone to place an information “object” inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file’s own bundle of data, or even from a remote computer over the internet.
In this case, the hackers had used the feature to carefully plant two chunks of data within the presentation. The first it loaded into a temporary folder on the target computer. The second took advantage of PowerPoint’s animation feature: PowerPoint’s animations don’t merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running. In this case, when the presentation loaded that animation file, it would run an automated script that right-clicked on the first file the presentation had planted on the machine and click “install” on the resulting drop-down menu, giving that code a foothold on the computer without tipping off its user. The result was something like a harmless-looking package left on your doorstep that, after you bring it inside, sprouts an arm, cuts itself open, and releases tiny robots into your foyer. All of this would happen immediately and invisibly, the instant the victim double-clicked the attachment to open it.
Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said.
But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle. He was admiring the first hints of a remote, malevolent intelligence.
2
BLACKENERGY
Once iSight’s initial frenzy surrounding its zero-day discovery had subsided, the questions remained: Who had written the attack code? Whom were they targeting with it, and why?
Those questions fell to Drew Robinson, a malware analyst at iSight whom John Hultquist described as a “daywalker”: Robinson possessed most of the same reverse-engineering skills as the black room’s vampire crew but sat in the sunlit bull pen next to Hultquist’s office, responsible for a far wider-angle analysis of hacking campaigns, from the personnel who carried them out to their political motives. It would be Robinson’s job to follow the technical clues within that PowerPoint to solve the larger mysteries of the hidden operation it represented.
Minutes after Hultquist had walked into the bull pen to announce the all-hands-on-deck discovery of the PowerPoint zero day that Wednesday morning, Robinson was poring over the contents of the booby-trapped attachment. The actual presentation itself seemed to be a list of names written in Cyrillic characters over a blue-and-yellow Ukrainian flag, with a watermark of the Ukrainian coat of arms, a pale blue trident over a yellow shield. Those names, Robinson found after using Google Translate, were a list of supposed “terrorists”—those who sided with Russia in the Ukrainian conflict that had begun earlier that year when Russian troops invaded the east of the country and its Crimean peninsula, igniting separatist movements there and sparking an ongoing war.
That the hackers had chosen an anti-Russian message to carry their zero-day infection was Robinson’s first clue that the email was likely a Russian operation with Ukrainian targets, playing on the country’s patriotism and fears of internal Kremlin sympathizers. But as he searched for clues about the hackers behind that ploy, he quickly found another loose thread to pull. When the PowerPoint zero day executed, the file it dropped on a victim’s system turned out to be a variant of a piece of notorious malware, soon to become far more notorious still. It was called BlackEnergy.
BlackEnergy’s short history up to that point already contained, in some sense, its own primer on the taxonomy of common hacking operations, from the lowliest “script kiddies”—hackers so unskilled that they could generally only use tools written by someone more knowledgeable—to professional cybercriminals. The tool had originally been created by a Russian hacker named Dmytro Oleksiuk, also known by his handle, Cr4sh. Around 2007, Oleksiuk had sold BlackEnergy on Russian-language hacker forums, priced at around $40, with his handle emblazoned like a graffiti tag in a corner of its control panel.
The tool was designed for one express purpose: so-called distributed denial-of-service, or DDoS, attacks designed to flood websites with fraudulent requests for information from hundreds or thousands of computers simultaneously, knocking them off-line. Infect a victim machine with BlackEnergy, and it became a member of a so-called botnet, a collection of hijacked computers, or bots. A botnet operator could configure Oleksiuk’s user-friendly software to control which web target its enslaved machines would pummel with spoofed requests as well as the type and rate of that digital bombardment.
By late 2007, the security firm Arbor Networks counted more than thirty botnets built with BlackEnergy, mostly aiming their attacks at Russian websites. But on the spectrum of cyberattack sophistication, distributed denial-of-service attacks were largely crude and blunt. After all, they could cause costly downtime but not the serious data breaches inflicted by more penetrating hacking techniques.
In the years that followed, however, BlackEnergy had evolved. Security firms began to detect a new version of the software, now equipped with an arsenal of interchangeable features. This revamped version of the tool could still hit websites with junk traffic, but it could also be programmed to send spam email, destroy files on the computers it had infested, and steal banking usernames and passwords.*1
Now, before Robinson’s eyes, BlackEnergy had resurfaced in yet another form. The version he was looking at from his seat in iSight’s bull pen seemed different from any he’d read about before—certainly not a simple website attack tool, and likely not a tool of financial fraud, either. After all, why would a fraud-focused cybercrime scheme be using a list of pro-Russian terrorists as its bait? The ruse seemed politically targeted. From his first look at the Ukrainian BlackEnergy sample, he began to suspect he was looking at a variant of the code with a new goal: not mere crime, but espionage.*2
Soon after, Robinson made a lucky find that revealed something further about the malware’s purpose. When he ran this new BlackEnergy sample on a virtual machine, it tried to connect out over the internet to an IP address somewhere in Europe. That connection, he could immediately see, was the so-called command-and-control server that functioned as the program’s remote puppet master. And when Robinson reached out himself via his web browser to that faraway machine, he was pleasantly shocked. The command-and-control computer had been left entirely unsecured, allowing anyone to browse its files at will.
The files included, amazingly, a kind of help document for this unique version of BlackEnergy that conveniently listed its commands. It confirmed Robinson’s suspicion: The zero-day-delivered version of BlackEnergy had a far broader array of data-collection abilities than the usual sample of the malware found in cybercrime investigations. The program could take screenshots, extract files and encryption keys from victim machines, and record keystrokes, all hallmarks of targeted, thorough cyberspying rather than some profit-focused bank-fraud racket.
But even more important than the contents of that how-to file was the language it was written in: Russian.
*1 As that more sophisticated cybercriminal use of BlackEnergy spread, its original creator, Oleksiuk, had been careful to distance himself from it—particularly after BlackEnergy was connected to financial fraud against Russian banks, a dangerous move in a country otherwise known to look the other way when cybercriminals focused on Western victims. “The fact that its source code was available to many people in all sorts of (semi) private parties, can mean that someone took it for their own needs,” Oleksiuk tried to explain in a post—titled “Fuck me I’m famous”—on the blogging site LiveJournal in 2009. “To suspect that the author of this bot software, whose autograph was written on publicly accessible versions of it 3 years ago, is involved in criminal machinations, you’d have to be a complete idiot.”
*2 In fact, security analysts at the Russian security firm Kaspersky had quietly suspected someone had been using BlackEnergy for sophisticated spying since early 2013. Versions of the tool had begun appearing that were no longer offered for sale on hacker forums, and some were designed to infect machines that run Linux—an operating system rare enough that the hackers must have been using it for precision spy operations, not indiscriminate theft. “The crimeware use was gone,” the Kaspersky analyst Maria Garnaeva told me. “That was when the hackers using this became a unique targeted attack group.”
3
ARRAKIS02
The cybersecurity industry constantly warns of the “attribution problem”—that the faraway hackers behind any operation, especially a sophisticated one, are very often impossible to pinpoint. The internet offers too many opportunities for proxies, misdirection, and sheer overwhelming geographic uncertainty. But by identifying the unsecured command-and-control server, Robinson had broken through iSight’s BlackEnergy mystery with a rare identifying detail. Despite all the care they’d displayed in their PowerPoint hacking, the hackers seemed to have let slip a strong clue of their nationality.
After that windfall, however, Robinson still faced the task of actually delving into the innards of the malware’s code in an effort to find more clues and create a “signature” that security firms and iSight’s customers could use to detect if other networks had been infected with the same program. Deciphering the functionality of the malware’s code wasn’t going to be nearly as easy as tracing its command-and-control server. As Robinson would painstakingly learn over the next days of solid, brain-numbing work, it had been thoroughly scrambled with three alternating layers of compression and encryption.
In other words, getting to the malware’s secrets was something like a scavenger hunt. Although Robinson knew that the malware was self-contained and therefore had to include all the encryption keys necessary to unscramble itself and run its code, the key to each layer of that scrambling could only be found after decoding the layer on top of it. And even after guessing the compression algorithm the hackers had used by scanning the random-looking noise for recognizable patterns, Robinson spent days longer working to identify the encryption scheme they’d used, a unique modification of an existing system. As he fell deeper and deeper into that puzzle, he’d look up from his desk and find that hours had seemingly jumped forward. Even at home, he’d find himself standing fixated in the shower, turning the cipher over and over in his mind.
When Robinson finally cracked those layers of obfuscation after a week of trial and error, he was rewarded with a view of the BlackEnergy sample’s millions of ones and zeros—a collection of data that was, at a glance, still entirely meaningless. This was, after all, the program in its compiled form, translated into machine-readable binary rather than any human-readable programming language. To understand the binary, Robinson would have to watch it execute step-by-step on his computer, unraveling it in real time with a common reverse-engineering tool called IDA Pro that translated the function of its commands into code as they ran. “It’s almost like you’re trying to determine what someone might look like solely by looking at their DNA,” Robinson said. “And the god that created that person was trying to make the process as hard as possible.”
By the second week, however, that microscopic step-by-step analysis of the binary finally began to pay off. When he managed to decipher the malware’s configuration settings, they contained a so-called campaign code—essentially a tag associated with that version of the malware that the hackers could use to sort and track any victims it infected. And for the BlackEnergy sample dropped by their Ukrainian PowerPoint, that campaign code was one that he immediately recognized, not from his career as a malware analyst, but from his private life as a science fiction nerd: “arrakis02.”
In fact, for Robinson, or virtually any other sci-fi-literate geek, the word “Arrakis” is more than recognizable: It’s as familiar as Tatooine or Middle-earth, the setting of a central pillar of the cultural canon. Arrakis is the desert planet where the novel Dune, the 1965 epic by Frank Herbert, takes place.
The story of Dune is set in a world where Earth has long ago been ravaged by a global nuclear war against artificially intelligent machines. It follows the fate of the noble Atreides family after they’ve been installed as the rulers of Arrakis—also known as Dune—and then politically sabotaged and purged from power by their evil rivals, the Harkonnens.
After the Atreides are overthrown, the book’s adolescent hero Paul Atreides takes refuge in the planet’s vast desert, where thousand-foot-long sandworms roam underground, occasionally rising to the surface to consume everything in their path. As he grows up, Atreides learns the ways of Arrakis’s natives, known as the Fremen, including the ability to harness and ride the sandworms. Eventually, he leads a spartan guerrilla uprising, and riding on the backs of sandworms into a devastating battle, he and the native Fremen take the capital city back from the Harkonnens, their insurgency ultimately seizing control of the entire global empire that had backed the Harkonnens’ coup.
“Whoever these hackers were,” Robinson remembers thinking, “it seems like they’re Frank Herbert fans.”
* * *
When he found that arrakis02 campaign code, Robinson could sense he’d stumbled onto something more than a singular clue about the hackers who had chosen that name. He felt for the first time that he was seeing into their minds and imaginations. In fact, he began to wonder if it might serve as a kind of fingerprint. Perhaps he could match it to other crime scenes.
Over the next days, Robinson set the Ukrainian PowerPoint version of BlackEnergy aside and went digging, both in iSight’s archives of older malware samples and in a database called VirusTotal. Owned by Google’s parent company, Alphabet, VirusTotal allows any security researcher who’s testing a piece of malware to upload it and check it against dozens of commercial antivirus products—a quick and rough method to see if other security firms have detected the code elsewhere and what they might know about it. As a result, VirusTotal has assembled a massive collection of in-the-wild code samples amassed over more than a decade that researchers can pay to access. Robinson began to run a series of scans of those malware records, searching for similar snippets of code in what he’d unpacked from his BlackEnergy sample to match earlier code samples in iSight’s or VirusTotal’s catalog.
Soon he had a hit. Another BlackEnergy sample from four months earlier, in May 2014, was a rough duplicate of the one dropped by the Ukrainian PowerPoint. When Robinson dug up its campaign code, he found what he was looking for: houseatreides94, another unmistakable Dune reference. This time the BlackEnergy sample had been hidden in a Word document, a discussion of oil and gas prices apparently designed as a lure for a Polish energy company.
For the next few weeks, Robinson continued to scour his archive of malicious programs. He eventually wrote his own tools that could scan for the malware matches, automate the process of unlocking the files’ layers of obfuscating encryption, and then pull out the campaign code. His collection of samples slowly began to grow: BasharoftheSardaukars, SalusaSecundus2, epsiloneridani0, as if the hackers were trying to impress him with their increasingly obscure knowledge of Dune’s minutiae.
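The two ideas in the passages above, the layered scrambling in which each key is readable only after the layer over it has been removed, and the tool that automates peeling those layers and pulling out the campaign code to match samples against one another, can be made concrete in a small script. What follows is an added example, not code from the book and not iSight’s or Robinson’s own tooling: the three-layer format (XOR, zlib, XOR, with each key carried in a one-byte-length header), the keys, the sample names and the 203.0.113.x and 198.51.100.x addresses are all constructed here; only the campaign codes are the ones the chapter names.

```python
from __future__ import annotations

import json
import zlib
from collections import defaultdict

# Added example (not from the book, not iSight's tooling). Toy three-layer wrapping:
# config -> XOR(inner key) -> zlib -> XOR(outer key). The header format (1-byte key
# length followed by the key) is an assumption made for this illustration.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: compression method 8 (deflate) and a two-byte header
    divisible by 31. This is the kind of recognisable pattern an analyst looks for
    in otherwise random-looking bytes to guess that a compression layer is next."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def pack_sample(config: dict, outer_key: bytes, inner_key: bytes) -> bytes:
    """Build a constructed sample so the unpacker has something to work on."""
    body = json.dumps(config, sort_keys=True).encode()
    layer3 = bytes([len(inner_key)]) + inner_key + xor_bytes(body, inner_key)
    layer2 = zlib.compress(layer3)
    return bytes([len(outer_key)]) + outer_key + xor_bytes(layer2, outer_key)


def peel_xor_layer(blob: bytes) -> tuple[bytes, bytes]:
    """Read the key header, strip it and undo that layer. Returns (plaintext, key)."""
    if not blob:
        raise ValueError("empty blob")
    n = blob[0]
    if n == 0 or len(blob) < 1 + n:
        raise ValueError("malformed key header")
    key = blob[1:1 + n]
    return xor_bytes(blob[1 + n:], key), key


def unpack_sample(blob: bytes) -> tuple[dict, list[bytes]]:
    """Peel the layers top-down; the inner key only becomes visible after decompression."""
    stage, outer_key = peel_xor_layer(blob)
    if not looks_like_zlib(stage):
        raise ValueError("layer 2 is not zlib data: wrong outer key or wrong layer order")
    stage = zlib.decompress(stage)
    body, inner_key = peel_xor_layer(stage)
    return json.loads(body.decode()), [outer_key, inner_key]


def campaign_code(blob: bytes) -> str:
    """The tag the operators use to sort victims; the field name 'campaign' is assumed."""
    return unpack_sample(blob)[0]["campaign"]


def cluster_by_campaign(corpus: dict[str, bytes]) -> dict[str, list[str]]:
    """Map campaign code -> sample names; samples that will not unpack are kept visible."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name, blob in corpus.items():
        try:
            groups[campaign_code(blob)].append(name)
        except (ValueError, KeyError, UnicodeDecodeError, zlib.error):
            groups["<unpack failed>"].append(name)
    return {code: sorted(names) for code, names in groups.items()}


def dune_hits(corpus: dict[str, bytes], known_codes: list[str]) -> list[str]:
    """Samples whose campaign code is on a known list (case-insensitive): the fingerprint match."""
    wanted = {c.lower() for c in known_codes}
    clusters = cluster_by_campaign(corpus)
    return sorted(n for code, names in clusters.items() if code.lower() in wanted for n in names)


# Constructed corpus: lure names follow the chapter; keys and addresses are made up.
SAMPLE_CORPUS = {
    "ukraine_powerpoint_2014-09": pack_sample({"campaign": "arrakis02", "c2": "203.0.113.10"}, b"k1", b"fremen"),
    "polish_energy_word_2014-05": pack_sample({"campaign": "houseatreides94", "c2": "203.0.113.11"}, b"k2x", b"caladan"),
    "nato_summit_lure": pack_sample({"campaign": "BasharoftheSardaukars", "c2": "203.0.113.12"}, b"q", b"sw"),
    "unrelated_crimeware": pack_sample({"campaign": "botnet07", "c2": "198.51.100.5"}, b"zz", b"yy"),
    "corrupted_download": bytes([0]) + b"\xff" * 16,
}
KNOWN_DUNE_CODES = ["arrakis02", "houseatreides94", "BasharoftheSardaukars", "SalusaSecundus2", "epsiloneridani0"]

if __name__ == "__main__":
    for code, names in cluster_by_campaign(SAMPLE_CORPUS).items():
        print(f"{code}: {', '.join(names)}")
    print("Dune-linked samples:", dune_hits(SAMPLE_CORPUS, KNOWN_DUNE_CODES))
```

The order of the peeling steps is the point: the zlib header check between the two XOR layers is what tells the analyst that the outer key was right and that compression, not another cipher, comes next, and the inner key is simply not present in the sample until that decompression has happened. The clustering step then does what the text describes at archive scale, grouping samples by the tag their authors left inside, while keeping unpackable samples in a separate bucket rather than silently dropping them.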
Each of those Dune references was tied, like the first two he’d found, to a lure document that revealed something about the malware’s intended victims. One was a diplomatic document discussing Europe’s “tug-of-war” with Russia over Ukraine as the country struggled between a popular movement pulling it toward the West and Russia’s lingering influence. Another seemed to be designed as bait for visitors attending a Ukraine-focused summit in Wales and a NATO-related event in Slovakia that focused in part on Russian espionage. One even seemed to specifically target an American academic researcher focused on Russian foreign policy, whose identity iSight decided not to reveal publicly. Thanks to the hackers’ helpful Dune references, all of those disparate attacks could be definitively tied together.
But some of the victims didn’t look quite like the usual subjects of Russian geopolitical espionage. Why exactly, for instance, were the hackers focused on a Polish energy company? Another lure, iSight would later find, targeted Ukraine’s railway agency, Ukrzaliznytsia.
But as Robinson dug deeper and deeper into the trash heap of the security industry, hunting for those Dune references, he was most struck by another realization: While the PowerPoint zero day they’d discovered was relatively new, the hackers’ broader attack campaign stretched back not just months but years. The earliest appearance of the Dune-linked hackers’ lures had come in 2009. Until Robinson had managed to piece together the bread crumbs of their operations, they’d been penetrating organizations in secret for half a decade.