Sandworm Page 24
“NotPetya tested the red lines of the West, and the result of the test was that there are no red lines yet,” Johns Hopkins’s Thomas Rid said. “The lack of any proper response is almost an invitation to escalate more.”
* * *
■
Finally, in January 2018, the first cracks in that wall of silence began to appear. Ellen Nakashima, the veteran intelligence agency reporter at The Washington Post who had first broken the news of the Democratic National Committee breach, published a brief story of just 424 words. It had the headline “Russian Military Was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes.” The story cited unnamed U.S. intelligence officials who had seen a CIA report from the previous November that asserted with “high confidence” that Russian military hackers had created NotPetya. Such a statement from an intelligence agency like the CIA would carry even more meaning than a similar finding from a private intelligence firm like CrowdStrike or FireEye. The CIA, like the NSA, has unique abilities to penetrate to the source of a cyberattack with human and digital spying techniques that would be illegal for practically anyone else.
Nakashima’s report didn’t merely suggest that the U.S. government strongly believed the Russian state was behind the attack. It also went on to name the exact organization NotPetya’s programmers worked for: the Main Center for Special Technology, or GTsST, a part of Russia’s military spy agency known as the Main Intelligence Directorate, or Glavnoye Razvedyvatel’noye Upravleniye, commonly referred to by its Russian acronym. The GRU.
Suddenly anonymous government sources were not only holding Russia accountable but pointing to an answer—albeit without any explanation—to the larger mystery of Sandworm’s identity. That answer, that the GRU was responsible for NotPetya and, by inference, that the years-long campaign of escalating attacks on Ukraine fell under the auspices of the GRU, too, was simultaneously a major revelation and not entirely surprising. The GRU was, after all, the same agency whose Fancy Bear hackers had already been revealed as the chief meddlers in both the 2016 U.S. presidential election and the 2014 Ukrainian presidential election—the latter under the guise of the hacktivist group CyberBerkut. The notion that Sandworm, the ultimate crosser of cyberwar’s red lines, was part of the same institution responsible for those other reckless, norm-breaking attempts to sabotage democracy seemed to fit.
I had, in fact, heard hints of Sandworm’s connection to the GRU’s Fancy Bear hackers before. A year earlier, I’d been sitting with John Hultquist on the lawn of a hotel on the eastern shore of the Caribbean island of St. Martin. We were eating lunch during a break from the Security Analyst Summit run by the Russian security firm Kaspersky. I started quizzing Hultquist about his favorite topic, the hacker group he’d helped to discover and name and who had only months earlier taken down a Ukrainian power grid for the second time.
“This is just rumint,” he’d prefaced his answer, lowering his voice. (“Rumint” is a half-joking piece of intelligence community jargon: Just as “sigint” refers to intelligence collected from intercepted signals and “humint” is intelligence gathered from human sources, “rumint” means clues gleaned from the intelligence community grapevine—in other words, unsubstantiated gossip.)
Sandworm and Fancy Bear, Hultquist said he’d been told by well-placed sources, were one and the same. “I’ve even heard people use the names interchangeably,” he’d said with a raised eyebrow. I’d responded, confused, that the two groups seemed to have distinct tool sets, missions, and even personalities—that Sandworm focused on sophisticated infrastructure disruption while Fancy Bear practiced noisy, more basic hacking operations like political leaks and smear campaigns.
Hultquist had shrugged, seeming as puzzled as I was. His rumint went that far, and no further.
Now the Washington Post story seemed to offer one way to interpret his tip: Sandworm and Fancy Bear were both hacker teams within the GRU. Maybe Hultquist’s government contacts simply hadn’t bothered to differentiate between them, painting both hyperaggressive GRU operations with the same broad brush.
In the months that followed the Post’s story, I at one point met with a pair of officials at the SBU, Ukraine’s main intelligence agency, in a closed-curtained conference room in central Kiev. When I asked them about the attacks attributed to Sandworm, they made exactly the same confusing claim that I’d heard in Hultquist’s rumint. “Different factors allow us to agree with our American colleagues that this is a group called Fancy Bear,” an SBU analyst named Matviy Mykhailov told me, again lumping Sandworm in with what I had thought was a distinct hacker entity. “The GRU is probably behind the disruptive attacks on Ukrainian infrastructure.”
An older, more cautious lawyer colleague sitting next to Mykhailov raised a finger. “Maybe,” he added in English. (When I mentioned that strange conversation to the Russia-watcher Mark Galeotti at the Institute of International Relations, he said intelligence sources had told him that Sandworm was GRU in less uncertain terms. “A conversation with no lawyers and with alcohol tends to lead to more candid discussion,” he said.)
The clues were jumbled and incomplete. But by the beginning of 2018, they were adding up to something remarkable: A single agency within the Russian government was responsible for at least three of the most brazen hacking milestones in history, all in just the past three years. The GRU, it now seemed, had masterminded the first-ever hacker-induced blackouts, the plot to interfere in a U.S. presidential election, and the most destructive cyberweapon ever released. A larger question now began to loom in my mind: Who are the GRU?
*1 In late 2018, this claim that NotPetya didn’t rise to the level of an act of war would be formally disputed by an unexpected victim of the worm’s damage: an insurance company. When food producer Mondelēz filed for a $100 million payout from Zurich Insurance Group for its NotPetya damages, the insurer rejected its claim, citing a fine-print provision that its insurance didn’t cover any “hostile or warlike act” by a “government or sovereign power.” Mondelēz sued, and as of this writing the case is ongoing.
*2 Learning the details of those attacks, such as those I included in the previous chapters of this book, would instead require months of anonymous, back-channel conversations with current and former staff at victim companies like Maersk, many of whom were terrified of having their careers ruined if superiors learned they were talking to a reporter about NotPetya’s effects.
31
DEFECTORS
For most of the hundred years since the GRU’s founding in the early days of the Soviet Union, the institution has been almost entirely shrouded in mystery. The agency didn’t merely hide its goals, its tactics and tools, or its organizational structure. For decades, it hid the very fact of its existence.
The GRU was created by Lenin in 1918—and initially called the Registration Directorate, or RU—both to serve as the eyes and ears of the Red Army and to balance the power of the dreaded KGB, then known as the Cheka. The military spy agency's mission, unlike the KGB's, was confined to foreign operations; it didn't share in the surveillance and elimination of domestic enemies that gave the KGB its terrifying reputation. That foreign focus meant that the GRU never needed to instill fear in Soviet subjects, as the KGB did. It didn't advertise its insidious power with a grand headquarters on a central square in Moscow. Nor did it ever take the public blame for internal purges, repressions, and mass executions when the Communist Party needed a scapegoat for those atrocities, as when Khrushchev blamed the wanton political massacres known as the Great Terror on the KGB.
For most of its long, obscure history, that discipline of institutional secrecy had its intended effect: Even as the GRU wielded several times the budget and manpower of the KGB in its foreign spying and sabotage operations—and even as it outlived the KGB, which was officially dissolved after the Soviet Union's collapse—the GRU's name was for decades only rarely written or spoken in public. It operated quietly, little known to Soviet or Russian citizens and less known still in the foreign countries where it stealthily carried out its work.
Most of what the world does know about the history of the GRU and the people inside it comes from its rare defectors and moles. And the GRU has minimized those leaks by imposing legendarily severe consequences on anyone who dared betray it. Vladimir Rezun, a GRU captain who did successfully defect in 1978, wrote in his memoir how, on the first day of his training at the agency, he was shown a video of a turncoat colonel who was bound to a stretcher with wire and then pushed into a fire, cremated alive. On another occasion, he writes, he was told by a superior that a disloyal agent had been placed alive in a coffin and buried.
Neither of those horror stories has been independently confirmed. Instead, the West’s first publicly recorded story of an ill-fated GRU source was that of Pyotr Popov, a young lieutenant colonel stationed in Vienna. In 1953, Popov dropped a note into the parked car of a U.S. diplomat offering to serve as an American spy inside the GRU. The twenty-nine-year-old had grown up the son of poor farmers in the northern region of the Volga River and had never forgiven Stalin’s regime for its brutalization of the peasant class, which in the 1930s had devastated some regions of Russia just as thoroughly as it had Ukraine.
Over the next six years, as he worked to recruit Soviet agents in Vienna and then Berlin, Popov also met with the CIA and identified nearly the entire GRU command structure, including more than 650 GRU officers. Then, in 1959, after a botched operation escorting a Soviet spy flying out of Berlin, Popov was investigated by Russian authorities who promptly arrested him, briefly turned him into a double agent, and then shot him.
Popov’s role as a top GRU leaker for Western intelligence was quickly replaced by a far more valuable source: Oleg Penkovsky. The GRU colonel, code-named HERO by the CIA, would become one of the highest-ranking and most prolific moles in the history of the Cold War. Like Popov, Penkovsky had deep resentment for the Soviet regime rooted in historical grievances: His father had been killed in a siege during Russia’s civil war while serving in the tsarist White Russian army, and he felt that his own advancement in the Soviet military was stymied by that family history. He also hoped to make enough money with his secret betrayal to buy a car and a dacha outside Moscow, to escape the two-room apartment where he lived with three generations of his family, and to someday relocate his family to the West.
Starting in 1961, after contacting U.K. intelligence through a British businessman, he spent eighteen months feeding the British and American governments a steady flow of top secret reports and photographs. He’d pass the materials to officials in London—where he was assigned to carry out industrial espionage for the Soviets—or in meetings in a Moscow park with a British intelligence officer’s wife, who hid film canisters inside boxes of candy in her baby carriage.
Those leaks are widely credited with changing the course of history. They included detailed information on the size of the Soviet nuclear arsenal, which the U.S. government had vastly overestimated in its perceived arms race. In 1961, most crucially, Penkovsky provided clues that later allowed the White House to deduce Khrushchev’s tactics as the Soviet leader moved to place nuclear missiles in Cuba. By some accounts, it was that warning that allowed President John F. Kennedy to confront Khrushchev and begin negotiations to remove the weapons days before they were operational.
Almost immediately afterward, Penkovsky’s treachery was identified by Russian intelligence. He was arrested, repeatedly interrogated, and then executed. Exactly how he was caught has never been revealed.
Penkovsky gave the West an unprecedented understanding of the inner workings of the Soviet military and Khrushchev’s strategic thinking. But he also gave his Western handlers, less intentionally, a new sense of the callous, hyperaggressive mind-set of a top-ranking GRU officer.
Penkovsky made that stark impression in his very first meeting with the CIA and the British MI6 in a London hotel. After a break in the interview to eat sandwiches and drink dry German white wine, Penkovsky suggested, without prompting, that he was ready to lead a team that would hand-place small nuclear weapons equivalent to two thousand tons of TNT around the Moscow headquarters of the Soviet military, Communist Party, and KGB. At the Brits’ or Americans’ command, his team would then blow up all of those buildings, killing the entire senior staff of the U.S.S.R.’s government.
Penkovsky calmly explained that he could help locate similar targets in every major Soviet city, as well as the residential and commercial buildings surrounding them that could serve as hiding places for the atomic weapons. He made no mention of the many thousands of civilians who would die in the explosions and the subsequent radioactive fallout.
Penkovsky’s Western interrogators were stunned. According to transcripts of the meeting, they ignored his proposal and continued asking him about Soviet capabilities. But in history’s understanding of Soviet military intelligence, Penkovsky’s suggestion might have been one of his career’s most telling moments: a glimpse of how the GRU’s officials perceived new innovations in mass destruction and their willingness to use them.
* * *
■
If Popov and Penkovsky served as the best sources of information on the GRU in the windowless back rooms of Western intelligence agencies, Vladimir Rezun would fill that same role for the Western public: the GRU’s most prolific storyteller.
In 1978, Rezun defected from his position as a GRU captain, passing a note to the British embassy in Geneva, where he was posted, and eventually making his way to London. As he later described it, he had been ordered to betray a friend at the agency and never forgave the Soviet system that had forced him to make that decision. In his new life, he became a remarkably prolific writer of tell-all accounts of his time in Soviet intelligence—though with most of their truly valuable secrets removed or obscured, and other details fabricated or exaggerated, some intelligence experts warn. His most revelatory books, written under the pen name Viktor Suvorov, include Inside Soviet Military Intelligence (which he dedicated to Oleg Penkovsky) and a memoir called Inside the Aquarium, a reference to the glass-encased, nine-story building on Moscow's Khodinka airfield that once served as GRU headquarters.
In those books, Rezun tells his own personal story of being plucked from his low-ranking position as a tank company commander and groomed for the GRU. He describes a weeklong entrance exam that consisted of thousands of questions for seventeen-hour days, sometimes without food or water, and his rise through the agency from a lowly “borzoi” tasked with supporting other officers to a “viking,” an accomplished spy running his own informants. Rezun went on to detail the daily work of recruiting Western civilians as sources and searching out and cataloging “dead drops,” secret locations where information could be hidden and picked up by other agents, sometimes in compartments stashed underground, underwater, or posing as tiny mundane objects like false rivets on a bridge’s supports.
According to Rezun, practically any technology expo or conference was swarming with GRU agents, who saw the events as bonanzas for acquiring sources for industrial espionage. Space, too, was the GRU’s domain: He writes that a third of all Soviet satellites were used by the GRU, and the “vast majority” of cosmonauts devoted roughly half their time to the GRU’s spying tasks. Rezun’s own innovation, as he tells it, was to come up with the idea of buying a series of hotels in Europe that were entirely controlled by the GRU, designed to attract Western officials taking alpine vacations and target them as potential sources.
But Rezun’s account of the GRU isn’t limited to mere espionage. He also spent a short stint in the special forces branch of the agency known as spetsnaz, devoted to sabotage, assassination, and terrorism. Each of the Soviet armed forces’ fifty or so intelligence departments included such a subgroup, he says. “This company, which numbers 115 saboteurs and cut-throats, is capable of penetrating into the enemy’s territory to
murder and kidnap people, blow up bridges, electric power stations, dams, oil pipelines and so on,” Rezun wrote.
He describes how those special forces parachuted behind enemy lines wearing oxhide “jump boots” with soles designed for deception: Depending on their mission, the interchangeable soles’ patterns could be designed to mimic those of an adversary or another nation. In some cases, he wrote, they wore boots that left footprints with the heel in front and the toe behind, so that they appeared to be traveling in the opposite direction, each member of the group stepping in the others’ prints to conceal their numbers.
Some of the more sensational details Rezun described of the spetsnaz's practices seem to blur the line between fact and red-scare fiction. He describes how the soldiers would hone their hand-to-hand combat skills by fighting "puppets"—desperate inmates from Soviet prisons condemned to death. (While that description has been disputed, an Amnesty International report in 1996 noted that spetsnaz were indeed authorized to use prisoners in their training, many of whom were tortured or mistreated in the process.) He went further in another, questionably accurate book titled Spetsnaz. In that volume, he claims that in addition to plastic explosives, mines, and other typical saboteur tools, the special forces carried chemical and biological weapons, as well as small nuclear weapons with a charge equal to about two kilotons of TNT, the same size of atomic bomb that Oleg Penkovsky had suggested planting in the center of Moscow.
As dubious as Rezun’s descriptions of those mass-destruction weapons may be, another GRU defector would repeat them in even more shocking terms a decade later. Stanislav Lunev, a GRU colonel who defected to the United States in 1992, would write his own tell-all memoir, titled Through the Eyes of the Enemy. In that slim volume, Lunev, who said he was disaffected with the corruption of the Russian government after the collapse of the U.S.S.R., didn’t merely double down on Rezun’s claims of the GRU’s massive sabotage plots. He also claimed that Russia and the GRU had only advanced them in the post-Soviet era.