- Andy Greenberg
Sandworm
But Hultquist didn’t know that someone else had been tracking the group’s campaign of intrusions, too, and had quietly assembled by far the most disturbing portrait of the group yet.
Thirteen days after Trend Micro had released its findings on Sandworm’s connection to industrial control system attacks, the division of the Department of Homeland Security known as the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, released its own report. ICS-CERT acts as a specialized infrastructure-focused government cybersecurity watchdog tasked with warning Americans about impending digital security threats. It had deep ties with U.S. utilities like power and water suppliers. And now, perhaps triggered by iSight and Trend Micro’s research, it was confirming Hultquist’s worst fears about Sandworm’s reach.
Sandworm, according to the ICS-CERT report, had built tools for hacking not only the GE Cimplicity human-machine interfaces Trend Micro had noted but also similar software sold by two other major vendors, Siemens and Advantech/Broadwin. The report stated that the intrusions of industrial control system targets had begun as early as 2011 and continued until as recently as September 2014, the month iSight detected Sandworm. And the hackers had successfully penetrated multiple critical infrastructure targets, though none were named in the document. As far as ICS-CERT could tell, the operations had only reached the stage of reconnaissance, not actual sabotage.
iSight’s analysts began discreetly following up on the DHS report with their sources in the security industry and quickly confirmed what they’d read between the lines: Some of Sandworm’s intrusions had occurred at infrastructure targets that weren’t just Ukrainian or Polish. They were American.
Less than two months after iSight had found its first fingerprints, Hultquist’s idea of Sandworm had shifted yet again. “This was a foreign actor who had access to zero days making a deliberate attempt on our critical infrastructure,” Hultquist says. “We’d detected a group on the other side of the world carrying out espionage. We’d pored over its artifacts. And we’d found it was a threat to the United States.”
* * *
Even the revelation that Sandworm was a fully equipped infrastructure-hacking team with ties to Russia and global attack ambitions never received the attention Hultquist thought it deserved. It was accompanied by no statement from White House officials. The security and utility industry trade press briefly buzzed with the news and then moved on. “It was a sideshow, and no one gave a shit,” Hultquist said with a rare hint of bitterness.
But all the attention seemed to have finally reached one audience: Sandworm itself. When iSight looked for the servers connected with the malware again after all of the public reports, the computers had been pulled off-line. The company would find one more BlackEnergy sample in early 2015 that seemed to have been created by the same authors, this time without any Dune references in its campaign codes. It would never find that sort of obvious, human fingerprint again; the group had learned from the mistake of revealing its sci-fi preferences.
Sandworm had gone back underground. It wouldn’t surface again for another year. When it did, it would no longer be focused on reconnaissance. It would be primed to strike.
5
STARLIGHTMEDIA
On a calm Sunday morning in October 2015, more than a year before Yasinsky would look out of his kitchen window at a blacked-out skyline, he sat near that same window in his family’s high-rise apartment in Kiev, sipping tea and eating a bowl of cornflakes. Suddenly his phone buzzed with a call from an IT administrator at work.
Yasinsky was, at the time, employed as the director of information security at StarLightMedia, Ukraine’s largest TV broadcasting conglomerate. The night before, his colleague on the phone told him, two of StarLight’s servers had inexplicably gone off-line. The admin assured Yasinsky that it wasn’t an emergency. The machines had already been restored from backups.
But as Yasinsky quizzed his colleague further about the server outage, one fact immediately made him feel uneasy. The two machines had gone dark at almost the same minute. “One server going down, it happens,” Yasinsky thought. “But two servers at the same time? That’s suspicious.”
Resigned to a lost weekend, he left his apartment and began his commute to StarLight’s offices, descending the endless escalator that leads into Kiev’s metro, one of the deepest in the world and designed during the Cold War to serve as a series of potential bomb shelter tunnels. After forty minutes underground, Yasinsky emerged into the cool autumn air of central Kiev. He took the scenic route to the office, walking through Taras Shevchenko Park and the university campus next to it. As he passed street musicians, college students on dates, then the botanical gardens, whose leaves were beginning to turn, the dismal war that had broken out in the east of the country felt far away.
Yasinsky arrived at StarLightMedia’s office, a five-story building on a quiet street. Inside, he and the company’s IT administrators began examining the image they’d kept of one of the corrupted servers, a digital replica of all its data. Yasinsky’s hunch that the outage was no accident was immediately confirmed. The server’s master boot record—the deep-seated, reptile-brain portion of a computer’s hard drive that tells the machine where to find its own operating system—had been precisely overwritten with zeros. And the two victim servers that had suffered that lobotomy weren’t randomly chosen. They were domain controllers, computers with powerful privileges that could be used to reach into hundreds of other machines on the corporate network.
Yasinsky quickly discovered the attack had indeed gone far beyond just those two machines. Before they had been wiped, the pair of corrupted servers had themselves planted malware on the laptops of thirteen StarLight employees. The staffers had been preparing a morning TV news bulletin ahead of Kiev’s local elections when they suddenly found that their computers had been turned into black-screened, useless bricks. The infection had triggered the same boot-record overwrite technique on each of their hard drives.
Nonetheless, Yasinsky could see that his company had been lucky. When he looked at StarLightMedia’s network logs, it appeared the domain controllers had committed suicide prematurely. They’d actually been set to infect and destroy two hundred more of the company’s PCs. Someone had carefully planted a logic bomb at the heart of the media firm’s network, designed to cause it as much disruption as possible.
Yasinsky managed to pull a copy of the destructive program from the backups, and that night, back at home in the north of the city, he scrutinized its code. He was struck by the layers of obfuscation; the malware had evaded all antivirus scans. It had even impersonated an antivirus scanner itself, Microsoft’s Windows Defender. After his family had gone to sleep, Yasinsky printed the code and laid the papers across his kitchen table and floor, crossing out lines of camouflaging characters and highlighting commands to see the malware’s true form.
Yasinsky had been working in information security for twenty years. After a stint in the army, he’d spent thirteen years as an IT security analyst for Kyivstar, Ukraine’s largest telecommunications firm. He’d managed massive networks and fought off crews of sophisticated cybercriminal hackers. But he’d never analyzed such a well-concealed and highly targeted digital weapon.
As a security researcher, Yasinsky had long prided himself on a dispassionate and scientific approach to the problems of information security, drilling into the practical details of digital defense rather than obsessing over the psychology of his adversary. But as he followed Sandworm’s tracks through StarLightMedia’s network, he nonetheless could sense he was facing an enemy more sophisticated than he’d ever seen before.
* * *
Oleksii Yasinsky had understood intuitively from childhood that the digital was no less real than the physical—that life and death could depend as easily on one as on the other.
As a nine-year-old growing up in Soviet Kiev in 1985, he’d sneak a copy of the state-issued magazine Tekhnika Molodezhi, or “Technology for the Youth,” under his blanket, along with a flashlight and his treasured MK-61 calculator. He’d flip to the pages devoted to the continuing adventures of the two fictional cosmonauts Korshunov and Perepyolkin. The pair, through the vagaries of fate, had found themselves stuck on the moon with only a lunar transport vehicle designed for short trips. Even worse, they were low on fuel, with no electronic guidance system. It was Yasinsky’s secret responsibility, in his illicit post-bedtime cocoon, to get those two men home by copying commands from the magazine into his programmable calculator.
“The life of two people helplessly dangling in space depended on this little boy,” Yasinsky would later write in a journal, describing the intensity of that first programming experience.
Back then I did not yet understand the meaning hidden in the neat columns of mysterious characters printed on yellowed pages of the magazine. Pages seemed to be torn from some sort of wizard manuscript, and I was clicking on the soft gray keys of the calculator anticipating a new adventure. But even at the time I knew: this was the key to a completely different world, or, more precisely, the myriad of other worlds I could create myself.
Yasinsky grew up in a two-room home in a typical five-story, Khrushchev-era Soviet apartment complex in Kiev. He was a child of engineers: His father worked in a record-player factory, and his mother was a university researcher in aerospace metals. He had, as he describes it, a very typical Soviet childhood. He proudly wore the red-scarfed uniform of Lenin’s Young Pioneers to school every day, played in the building’s courtyard with his friends, and occasionally broke neighbors’ windows with a soccer ball. He remembers no politics ever being discussed at home, with the exception of a few whispers from his parents in the kitchen about a visit his great-grandparents had received from the secret police, a conversation quickly cut short for fear of eavesdropping neighbors.
School never interested Yasinsky as much as the adventures he unlocked with his MK-61 calculator. It was, after all, his first computer, at a time when the Apple IIs and Nintendo consoles of the West had yet to penetrate the Iron Curtain. But when Yasinsky was around twelve, his father managed to collect and then assemble the components of a Sinclair Spectrum PC. It was, for Yasinsky, a mind-blowing upgrade. He spent hours painstakingly reading manuals he found photocopied at the local radio market, writing code in BASIC and later assembly, filling the screen with pixel art depictions of wire-frame spaceships.
The moment he believes turned his obsession with computers from a hobby to a career, however, was an act not of programming but of reverse engineering. Simply by changing a few bytes in the code of a primitive shooter video game, he discovered he could endow his character with unlimited lives and ammunition. That basic act of hacking, for Yasinsky, wasn’t merely a way to cheat in a meaningless game. It was instead as if he’d gained new powers to reshape reality itself. “I had turned the world upside down. I’d gone into the other side of the screen,” Yasinsky remembers.
It followed intuitively, for him, that if this power could change the digital world, it could control the physical universe, too. “I realized the world is not what we see,” he says. “It wasn’t about getting extra lives; it was about changing the world I’d found myself in.”
In the late 1980s, however, came Gorbachev’s policy of glasnost, or “openness,” and with it a flood of Western distractions. For Yasinsky and his young teenage friends, the influx of global media took the form of Jean-Claude Van Damme and Bruce Lee kung fu films. A karate and judo obsession briefly superseded his love for computers. Yasinsky was a talented enough fighter that in 1993 he was selected for the Ukrainian national karate championships. But in one of those tournament matches, he says, an opponent struck him with an illegal kick just below the knee, tearing the ligaments in the back of his leg and ending his brief martial arts career. “Fortunately, I still had Assembly,” Yasinsky wrote in his journal.
After two years studying computer science at the Kiev Polytechnic Institute, Yasinsky was drafted into the army. He describes the next year and a half as a long lesson in discipline, organization, self-confidence, and intensely rigorous drudgery. “A soldier’s best friend is a shovel, and it’s good to be a soldier,” he remembers his superiors drumming into him. Aside from that bit of character building, he says that he learned nothing except how to properly make a bed.
When he was released and got back to his university education, he finally returned to computer science. He found that there was an emerging field within the discipline that appealed to his sense of the hidden structure of the world and the levers that moved it: cybersecurity.
Yasinsky learned only its barest basics in his studies. But when he graduated, he landed a job at Kyivstar, then Ukraine’s largest telecom provider. That job, he says, gave him his real education. Though most of his career there is protected by a nondisclosure agreement, he hints that he worked on the company’s team that fights fraud and crime and served as a consultant to law enforcement. He also says that the job was his first experience learning to sift through massive data sets to fight intelligent, malicious adversaries. “It was like the Matrix,” he says. “You look at all these numbers and you can see real human behavior.”
After six years, Yasinsky moved on to a purely digital version of the same cat-and-mouse game: Rather than physical-world criminals, he was tasked with tracking the hackers who sought to exploit Kyivstar’s systems. In the late 2000s, those hackers were transitioning from opportunistic criminal schemes to highly organized fraud operations. Yasinsky found himself engaged in the same sort of reverse engineering that had captivated him as a teenager. But instead of taking apart the code of a mere video game, he was dissecting elaborate criminal intrusions, deconstructing malware to see the intentions of the devious parasites within Kyivstar’s network.
Even as the stakes of that cat-and-mouse game escalated, it had seemed like a fair fight. In cybersecurity, attackers have the advantage: There are always more points of ingress than defenders can protect, and a skilled hacker needs only one. But these were nonetheless mostly small criminal operations facing a well-organized corporate security team capable of identifying their incursions and limiting the damage they could inflict.
Then, not long before the outbreak of Ukraine’s war with Russia, Yasinsky took a position as chief information security officer at StarLightMedia. And he found himself facing a new form of conflict—one for which neither his company nor his country nor the world at large was prepared.
* * *
By the fall of 2015, only the smallest hints of that conflict’s scale were visible. For days, Yasinsky worked to determine the basic facts of the mysterious attack on StarLightMedia, reverse engineering the obfuscated code he’d pulled from the company’s backups, the digital IED that had nearly devastated its network. Beneath all its cloaking and misdirection, Yasinsky determined, was a piece of malware known as KillDisk, a data-destroying tool that had been circulating among hackers for about a decade.*
Understanding how that destructive program got into StarLightMedia’s system would take weeks longer: Along with two colleagues, Yasinsky obsessively dug into the company’s network logs, combing them again and again, working through nights and weekends to parse the data with ever finer filters, hoping to extract clues.
The team began to find the telltale signs of the hackers’ presence—some compromised corporate YouTube accounts, an administrator’s network log-in that had remained active even when he was out sick. Slowly, with a sinking dread, they found evidence showing that the intruders had been inside their network for weeks before detonating their attack’s payload. Then another clue suggested they’d been inside the system for three months. Then six.
Finally, they identified the piece of malware that had given the hackers their initial foothold, penetrating one of the staff’s PCs via an infected attachment: It was again a form of BlackEnergy, the same malware that iSight had tied to Sandworm a year earlier. But now it had been reworked to evade detection by antivirus software and included new modules that allowed the hacker to spread to other machines on the same network and execute the KillDisk data wiper.
As he dug into the forensics of how his company had been sabotaged, Yasinsky began to hear from colleagues at other firms and in the government that they too had been hacked, and in almost exactly the same way. A competing media company, TRK, hadn’t gotten off as easily: It had lost more than a hundred computers to the KillDisk attack. Another intrusion had hit Ukrzaliznytsia, Ukraine’s biggest railway company. Yasinsky would later learn that Kiev’s main airport, Boryspil, had been struck. There were other targets, too, ones that asked Yasinsky to keep their breaches secret. Again and again, the hackers used the all-purpose BlackEnergy malware for access and reconnaissance, then KillDisk for data destruction. Their motives remained an enigma, but their marks were everywhere.
“With every step forward, it became clearer that our Titanic had found its iceberg,” says Yasinsky. “The deeper we looked, the bigger it was.”
* Two security researchers, Michael Goedeker and Andrii Bezverkhyi, say they and Bezverkhyi’s security firm, SOC Prime, were deeply involved in StarLightMedia’s investigation. But Yasinsky disputed the extent of this cooperation, telling me that while he had shared some information with Bezverkhyi and SOC Prime had provided some tools for their work, neither Goedeker nor anyone from SOC Prime had contributed to StarLightMedia’s final analysis.