Sandworm


  They’d somehow leveraged their control of that web server to gain access to the M.E.Doc update server on the same network, though Serper couldn’t explain to me exactly how. They essentially turned that update server into a command-and-control beacon for their backdoor software updates, hiding the entire back-end setup of a traditional malware infection inside Linkos Group’s own infrastructure, like a community of parasites that’s taken up residence in a host’s extremities and brain at the same time.

  Even more striking was the mode of communication between that hacked update server and the backdoor copies of M.E.Doc that it controlled around the world. M.E.Doc was designed to connect with Linkos Group’s servers via http, the same basic internet communications that web browsers use to talk to websites. As such, those http messages include a standard channel for “cookies,” the bits of data that websites plant in users’ browsers to track their activities.

  Now the command-and-control software installed on the hacked M.E.Doc server had used that same covert cookie channel to send commands to the computers it had backdoored. It could send a range of instructions, including not only installing files like NotPetya but also stealing any file the hackers chose from a machine running the accounting software, using M.E.Doc’s own communication system to avoid detection. “The way they used M.E.Doc’s infrastructure against itself was very elegant,” Serper said. “It was a job well done.”

  Serper was struck by just how mismatched these hackers were for the defenses they were up against. These agile, innovative intruders were strolling through holes in M.E.Doc’s server software that was years old, poorly configured, and shoddily patched. “This was not a challenge,” he told me, as if refraining from saying something less polite.

  But perhaps most remarkable of all was the sheer longevity of M.E.Doc’s security woes. On the company’s hard drives, Serper also discovered another, older set of log files from November 2015, a record of the company’s network activity years before it became the epicenter of NotPetya’s meltdown. In those logs, Serper found another hidden web shell.

  There was no way to tell if that earlier infection had ties to NotPetya or to any particular group of hackers. But it showed that someone had secret access to the same network that had served as the epicenter of a global calamity for at least twenty months. The company that would serve as the trigger for Sandworm’s climactic cyberweapon had been quietly penetrated even before the hackers’ first Christmas blackout.

  29

  DISTANCE

  When Olesya Linnyk talks about NotPetya, she assumes the tired patience of someone who has gotten used to reliving the worst moment of her career again and again. “Emotionally, it has been a total horror movie,” Linnyk told me in a tone of measured disgust, sitting in a Linkos Group conference room. “Our slogan was ‘financial reporting without problems.’ Then we became the problem.”

  Over the previous seven years leading up to the company’s ill-fated moment in the spotlight, Linnyk had spun off M.E.Doc as a new product independent from her father’s accounting software firm and nurtured it from a seed of an idea into its own thriving business. She had hired nearly three hundred people, simultaneously raised four children, and considered her company almost as another. “It’s like my fifth child, the oldest one, and my other kids often get less attention,” she told me with a fleeting smile. “Seven years of reputation, destroyed.”

  I was ready to ask the unkind question: Why then, with so much at stake for her, her company, and the world, didn’t Linkos better protect itself? Why leave such a powerful mechanism for global infection so unsecured?

  Linnyk spared me by answering the question before I could ask it. She insisted that her company hadn’t willfully neglected to protect itself and its customers against cyberattacks. They had simply never imagined that they might be a target. “We do quite basic and simple things. We help out accountants,” she said. “We saw ourselves as quite distant from cybersecurity issues.”

  That understanding of “distance” struck me as a kind of concise summary of the broader attitude that made NotPetya’s epic effects on the global internet possible. Linkos Group hadn’t remotely imagined that it could be a carrier for a worldwide digital contagion. The Ukrainian police, in the aftermath of the disaster, had staged a showy raid on the headquarters of the worm’s unwitting launch point, while the real perpetrators of the attack watched with impunity, likely thousands of miles away. The American intelligence community—and to a lesser extent the creator of Mimikatz—hadn’t reckoned with the potential consequences of their tools falling into the enemy’s hands. Even NotPetya’s own creators seem not to have understood the extent of the worm’s collateral damage beyond Ukraine, both to the West and to Russia itself.

  But the largest of those blind spots, perhaps, can be found in the West’s attitude to Ukraine and silence in the face of the cyberwar afflicting it. For a decade, the United States had treated Russian cyberattacks on its neighbors—Estonia, Georgia, and Ukraine, above all—as a “distant” problem. The Obama administration had watched since 2015 as Ukraine became a helpless victim and a nation-sized laboratory for Russia’s cruelest hacking techniques. It allowed those hackers to cross one red line after another, including not one but two unprecedented blackout attacks. The second had been well timed to slip through the diplomatic cracks, coming as the administration already had one foot out the door, ending its tenure without a single public rebuke of those sabotage campaigns.

  The Trump administration, of course, had made those concessions to Putin far more explicit. Trump’s nihilistic denials had made Russia’s hacking of American election targets a subject for debate—in the face of mounting, incontrovertible evidence—leaving no space for even a discussion of the vastly more aggressive hacking of critical institutions in Ukraine. At the same time, Trump had overtly praised Putin, repeatedly calling him a “strong leader” in public comments and even complimenting his response to the Obama administration’s sanctions.

  Meanwhile, his administration’s broader isolationism telegraphed to the world that Ukraine would be entirely on its own in the face of Russian attacks—physical or digital. “Why should U.S. taxpayers be interested in Ukraine?” Trump’s secretary of state, Rex Tillerson, callously asked a group of diplomats at a gathering in Italy, three months before NotPetya’s release.

  NotPetya provided a tidy answer to Tillerson’s question. Americans ignored Ukraine’s escalating cyberwar in the face of repeated warnings that the attacks there would soon spread to the rest of the world. Then, very suddenly, exactly that scenario played out, at an immense cost.

  The result of all these combined myopias was the closest thing the earth has yet seen to the long-predicted, infrastructure-crippling cyberwar doomsday. To an extent never seen before or—as of this writing—since, a single surprise cyberattack took a chunk out of the foundation of civilization, from pharmaceuticals to shipping to food. Distributed across the world, and in a far more concentrated sense for Ukraine itself, NotPetya was the “electronic Pearl Harbor” that John Hamre had first warned of in 1997.

  Even Thomas Rid, a professor of strategic and military studies at Johns Hopkins who has written skeptically about the potential for cyberwar, criticizing overblown metaphors of “cyberweapons” and an impending “cyber 9/11,” has said that NotPetya finally represented an event that warranted that sort of hyperbole. “If anything comes close to ‘cyber 9/11,’ ” Rid told me, “this was it.”

  * * *

  ■

  Reckoning with the extent of NotPetya’s damage, its victims often described it to me in the terms of an uncontrollable pathogen or natural disaster. But of course, there was nothing natural about it. The worm was man-made, imbued with its creators’ malicious intentions. The question remained: What were those hackers’ intentions?

  Nearly a year after the attack, I visited the new, upgraded headquarters of ISSP, which had ditched its old, dismal neighborhood and moved into a trendy complex of start-ups that included a satellite office of Uber. In a conference room inside, I met with Oleksii Yasinsky, whose appearance had shifted in the opposite direction of his surroundings: Instead of ironed business casual, he now wore torn jeans, a white T-shirt, and several days’ stubble, the uniform of the overworked cybersecurity expert.

  Yasinsky and his boss, ISSP’s co-founder Oleh Derevianko, quickly launched into their explanation of NotPetya’s purpose with all the usual theories about Ukraine’s cyberwar: intimidation, experimentation, collateral damage. But they added another striking claim: that NotPetya was intended not merely for destruction but also as a cleanup effort. After all, they pointed out, the hackers who launched NotPetya first had months of unfettered access to victims’ networks via their hijacked M.E.Doc infrastructure. On top of the panic and disruption it caused, NotPetya might have also wiped away evidence of espionage or even reconnaissance for future sabotage.

  In fact, when Yasinsky had looked at the networks of Ukrainian NotPetya victims in the days and weeks after they were struck by the worm, he’d found something that no one else had described to me: The “perfc” file that Amit Serper had identified as NotPetya’s vaccine appeared on computers that hadn’t actually been affected by the worm, close to 10 percent of machines in some cases. The victim companies’ administrators told him that they hadn’t installed the vaccine. But those computers had, nonetheless, been spared from encryption.

  Yasinsky believed that the “vaccine” had, in fact, served a different purpose in the hands of the hackers: It was designed to preserve their access. Even after a victim rebuilt his network, he might not rebuild those vaccinated, unscathed computers. And those machines might have some other, clever infection that neither the victims nor ISSP had yet identified. “Ukraine was used as a backdoor into the whole world,” Yasinsky told me. And some part of that backdoor, he warned, might remain open.

  As I spoke to other cybersecurity analysts about NotPetya, the notion that non-Ukrainian companies hit by the worm were unintended collateral damage came to seem like an oversimplification, too. Serper, ESET, and Cisco’s Talos security division had all noted that the M.E.Doc backdoor had the ability to upload to the hackers a certain Ukrainian government-issued tax identification number known as an EDRPOU, pulling that number from every installation of M.E.Doc. That ID would allow the hackers to look up each legal entity that had registered with the Ukrainian government, creating an exact catalog of each potential victim before unleashing the worm into its system. If they’d wished to, they could have carefully avoided the vast majority of collateral damage, instead coordinating a campaign of precision-guided missile strikes.

  Cisco’s Craig Williams argued that meant Russia knew full well the extent of the pain the worm would inflict internationally. The fallout, he posited, was no accident. Instead, it was a kind of hyperaggressive trade embargo, meant to explicitly punish anyone who would dare even to maintain an office inside the borders of Russia’s enemy. “Anyone who thinks this was accidental is engaged in wishful thinking,” Williams said. “This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.”

  Other debates about NotPetya’s intentions persist even today. Some cybersecurity researchers point to the vast damage it did to Russian companies as evidence that it couldn’t have been a Russian government operation. Vesselin Bontchev, a security researcher at the Bulgarian Academy of Sciences, has highlighted errors in the coding of NotPetya’s ransomware component that he argues must be the work of unsophisticated hackers, not Russian government agents, though he notes that the M.E.Doc backdoor does have all the hallmarks of a government intelligence operation. In fact, the mysteries over the thinking hidden beneath NotPetya’s layers of misdirection may never be definitively solved, absent its creators themselves revealing their intentions.

  But regardless of its targeting and purpose, the most enduring object lesson of NotPetya may simply be the strange, extradimensional landscape of the battlefield where it was launched. This is the confounding geography of cyberwarfare: In ways that still defy human intuition, phantoms inside M.E.Doc’s server room in a gritty corner of Kiev spread chaos into the gilded conference rooms of the capital’s federal agencies, into ports dotting the globe, into the stately headquarters of Maersk on the Copenhagen harbor, into operating rooms in U.S. hospitals, and across the global economy. “Somehow the vulnerability of this Ukrainian accounting software affects the U.S. national security supply of vaccines and global shipping?” Joshua Corman, the cybersecurity fellow at the Atlantic Council, asked me, as if still puzzling out the shape of the wormhole that made that cause and effect possible. “The physics of cyberspace are wholly different from every other war domain.”

  In those physics, NotPetya reminds us, distance is no defense. Every barbarian is already at every gate. And the network of entanglements in that ether, which have unified and elevated the world for the past twenty-five years, can, over a few hours on a summer day, bring it to a crashing halt.

  PART V

  IDENTITY

  Treachery within treachery within treachery.

  30

  GRU

  By late 2017, I had been tracking Sandworm for more than a year. I’d spent much of that time studying how its NotPetya apotheosis had played out across the globe. The group now had my full attention: Its members had distinguished themselves in my mind as the most dangerous hackers in the world. And it offended my sensibilities as a reporter that I still had practically no sense at all of who Sandworm was.

  Yes, they seemed to be Russian and almost certainly controlled by the Russian government. But I wanted more. I wanted to learn about the individual people unleashing Sandworm’s chaos from behind their keyboards and computer screens, their names, faces, and personal motives—or as close as I could get to any of those details about a group operating half a world away, with years of professional experience exploiting the internet’s potential for anonymity.

  Sandworm was becoming a kind of obsession for me, just as it had become for John Hultquist three years earlier. And I also shared something else with Hultquist, as well as with others like Oleksii Yasinsky and Rob Lee: I had joined the lonely club of Cassandras determined to bring attention to the group even as the rest of the world seemed determined to ignore it.

  Along with its unprecedented devastation, Sandworm’s NotPetya worm left in its wake six months of inexplicable silence. For the rest of the summer, the fall, and into the winter of 2017, no victim of NotPetya outside Ukraine would name Russia as the perpetrator of the attack. Nor did any government other than Ukraine’s speak out to name the Kremlin. Russia seemed to have launched a cyberwar weapon that had crossed countless borders, violated practically every norm of state-sponsored hacking imaginable, and yet earned not a single reproach from the West.

  Three days after NotPetya’s outbreak, the NATO Cooperative Cyber Defence Centre of Excellence, established in Estonia in the wake of Russia’s early, crude wave of cyberattacks there in 2007, had issued a milquetoast statement: It had called on the international community to take action and noted that NotPetya was very likely the work of some government, somewhere. “NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state,” the statement read. “Other options are unlikely.”

  But it had stopped short of naming Russia. And it had noted that any countermeasures would require definitive attribution of the attack to its source, which it argued was still a mystery. Even with firmer attribution, the statement had claimed naively or legalistically, NotPetya didn’t actually inflict “consequences comparable to an armed attack,” and thus didn’t trigger Article 5 of NATO’s collective defense provision—the one that required member states to treat a military attack against one of them as an act of war against them all.*1

  Other than brief public statements like those of Maersk’s chairman, Snabe, at the World Economic Forum, the international victims of NotPetya shared the very minimum amount of information necessary to explain the ballooning damages they were legally required to report to shareholders. Even as red ink poured down their balance sheets, none of those major multinationals would name Russia as their abuser. It was as if the companies were politely backing away from the messy melee of geopolitical conflicts, or, perhaps more likely, trying to avoid fanning the flames of a story they feared would draw attention to their cybersecurity vulnerabilities.*2

  In fact, the evidence of Russia’s responsibility was already clear enough for me. Anton Cherepanov at ESET had published his analysis of the meshed lines of forensic clues showing that Sandworm was very likely behind NotPetya. Reams of other public reporting showed that the same group was responsible for the escalating cyberwar in Ukraine, including its two blackouts, all signs pointing to the Kremlin’s culpability.

  The Western world’s apathy as those earlier sabotage operations homed in on Ukraine had seemed rational, if cruelly self-interested. Now, somehow, the same countries were turning a blind eye to an attack that had materialized with epic effects on their own soil.

  That seeming indifference, particularly on the part of the United States, was maddening. Was President Trump’s unwillingness to acknowledge the Russian hacking that had aided his campaign now extending to all Russian hacking, no matter how destructive? Or was his administration simply incompetent or misinformed? “They’ve never even named the actor,” Rob Lee told me in late 2017, marveling at the government’s continued nonresponse to Sandworm’s provocations.