Sandworm Read online

  The final straw, however, wasn’t Yanukovich’s corruption but his Russian alliances. Under Yushchenko, Ukraine had started on a long road to membership in NATO, a prospect that no doubt infuriated and terrified Putin. Ukrainians’ European hopes had still lingered under Yanukovich in the form of an association agreement with the European Union, trade negotiations that represented the first baby step toward the West. But a week before signing the agreement, under pressure from Putin, Yanukovich killed the deal.

  The uprising and crackdown that followed had little of the bloodless idealism of the Orange Revolution. When hundreds of thousands of people again flooded the Maidan in November 2013, police clumsily sought to disperse them with water cannons, rubber bullets, and tear gas. Protesters responded with barricades and Molotov cocktails.

  In the midst of that increasing violence, the Maidan movement also began to see the first signs of digital attacks. Calls and SMS messages from mysterious origins flooded the phone lines of pro-Western and pro-revolution government officials. At the telecom provider Kyivstar, engineers like Oleksii Yasinsky found themselves struggling to keep the mobile network intact as the crisis mounted. On one street near the Maidan, devices known as IMSI catchers impersonated cell phone towers to spam out text messages to protesters, telling them to go home. But as the square’s physical conflict ramped up, few people registered those first signs of digital meddling.

  By the end of that winter, the bullets were no longer rubber. As protesters made a final notorious charge up the slope of the Maidan toward the Hotel Ukraine, snipers fired on them from above, led by a unit of brutal pro-Russian militarized police known as the Berkut—Ukrainian for “eagle.” Many Ukrainians believe the Berkut were joined by actual Russian soldiers brought in by Yanukovich. The death toll was 103 protesters, a group now immortalized as the “Heavenly Hundred”—the same martyrs whose lives were being memorialized on the Maidan on my first night in Kiev.

  After the revolution’s final, tragic bloodletting, Yanukovich could see that the violence had only steeled the movement against him. He fled to Russia.

  Putin, not one to let geopolitics turn against him, took a different approach: He promptly invaded.

  * * *

  ■

  Before the dust had even settled on the Maidan, in late February 2014, a group of militiamen in unmarked uniforms, including Berkut soldiers, entered the parliament of the southern Ukrainian peninsular state of Crimea and installed a pro-Russian government. In a blink, thirty-five thousand Russian troops moved in, swiftly occupying the region with barely a shot fired. Two months later, more unmarked Russian soldiers—they soon came to be known as “little green men”—began to trickle across the border into the Russian-speaking eastern Ukrainian region of Donbas, helping to arm a separatist movement that quickly took control of the cities of Donetsk and Luhansk with Russian tanks and artillery.

  Since then, Russia has successfully made Crimea its full-fledged possession as Ukraine’s eastern front has settled into a grinding, undeclared war. Two million Ukrainians have become internal refugees, and 10,000 Ukrainians have been killed. In July 2014, the callousness of the Kremlin-backed forces shocked the world when a Russian anti-aircraft unit, under the guise of pro-Russian Ukrainian forces, fired a Buk missile that downed a Malaysian passenger jet over Ukrainian territory, killing all 298 people on board.

  But from the early months of the invasion, another kind of front began to form in Ukraine’s war. Four days before Ukraine’s post-revolution elections in May 2014, a pro-Russian hacker group calling itself CyberBerkut—an allusion to the same police force that had killed protesters during the Maidan revolution—announced on the website cyber-berkut.org its intention to disrupt the coming presidential election to replace the seat vacated by Yanukovich. “The anti-people junta is trying to legalize itself by organizing this show, directed by the West,” the message read in Russian. “We will not allow it!”

  That night, the group began a devious series of cyberattacks on the country’s Central Election Commission: They broke into the commission’s network and wiped dozens of computers. “The idea was to destroy the system, to prevent it showing the results, and then to blame Ukraine’s so-called junta,” says Victor Zhora, a security contractor for the commission at the time. “The goal was to discredit the election process.”

  The commission’s IT administrators managed to rebuild the network in time for the election. But they found on Election Day that hackers had planted an image of fake results on the commission’s web server, which seemed to show the ultraright presidential candidate, Dmytro Yarosh, as the winner. Administrators discovered the image file before voting ended and prevented it from ever being publicly displayed. But Russian state television, seemingly coordinating with the hackers, went ahead with a false announcement that Yarosh had won, an apparent attempt to cast doubt on the election of the real winner, the politically moderate chocolate magnate Petro Poroshenko. The next morning, the election commission was hit with a third and final attack, this time a punishing wave of junk traffic designed to keep its servers off-line and prevent them from confirming the legitimate results. (The CyberBerkut hackers would be revealed years later to be linked with the Russian hacker group Fancy Bear that meddled in U.S. elections, too.)

  That election trickery was the prelude to a far wider digital barrage, destroying thousands of computers and paralyzing victim organizations. By the time I visited Kiev in early 2017, practically every strata of Ukrainian society was being hit in successive waves of coordinated hacker sabotage: media, energy, transportation, finance, government, and military. “You can’t really find a space in Ukraine where there hasn’t been an attack,” Kenneth Geers, a NATO ambassador who focuses on cybersecurity, told me at the time. “Turn over every rock, and you’ll find a computer network operation.”

  When I spoke to former president Yushchenko on the phone later that year, he argued that Russia’s tactics, online and off, have one single aim: “to destabilize the situation in Ukraine, to make its government look incompetent and vulnerable.” He lumped the cyberattacks together with the Russian disinformation flooding Ukraine’s media, the terroristic fighting in the east of the country, and his own poisoning years earlier—all underhanded moves aimed at pulling Ukraine to the east or painting it as a broken nation. “Russia will never accept Ukraine being a sovereign and independent country,” he told me. “Twenty-five years since the Soviet collapse, Russia is still sick with this imperialistic syndrome.”

  Putin’s fixation on Ukraine no doubt includes economic jealousy of its position as a lucrative pipeline route to Europe and its access to warm-water ports. But foreign policy analysts argued that Putin wasn’t necessarily seeking to somehow reintegrate his Little Russia into the Kremlin’s empire. Instead, he hoped to create a “frozen conflict”: By taking enough Ukrainian territory to lock it into a permanent war, Russia sought to prevent the country from being welcomed into the European Union or NATO, instead pinning it in place as a strategic buffer between Moscow and the West.

  But in my conversation with Yushchenko, he also insisted on another, less explained and more foreboding point: that Russia’s attacks on Ukraine, whether they’re carried out with destructive malware or Buk missiles, shouldn’t be seen as Ukraine’s problem alone. Russia’s aggression against its neighbor reveals a dark playbook, he insisted, one that would sooner or later spread to the rest of the globe.

  “The question is not for whom the bell tolls,” Yushchenko warned. “The bell tolls for us all. This is a threat to every country in the world.”

  * * *

  ■

  In late November 2015, as the pace of the digital blitzkrieg against Ukraine was accelerating, John Hultquist was invited to give a briefing at the Pentagon, a rare chance to win contracts and bend the ear of the world’s most powerful military. He sat down among intelligence officials at a conference table in the most senior
officer’s medal-adorned office, deep in the gargantuan building.

  When it came to his turn to speak, Hultquist wasted no time introducing his favorite subject. He gave the elevator-pitch version of Sandworm’s history: Russian fingerprints, dangerous sophistication, targets stretching from Poland to the United States but clustering in Ukraine, with a disturbing focus on critical infrastructure. He noted that Russia’s actual, ongoing war with Ukraine was heating up and that it had increasingly metastasized from physical invasion to disruptive digital attacks on everything from media firms to government agencies. Pro-Ukrainian activists had retaliated against Russia with a lower-tech form of sabotage, tearing down pylons that supplied electricity to the Crimean peninsula, throwing the territory Russia had seized into a mass blackout. Putin, of course, blamed the Ukrainian government for the sabotage.

  With all those elements aligning, Hultquist went on to predict that Russia’s hackers were about to carry out a form of attack that had never before occurred in the history of cybersecurity. “I think there’s a good chance,” he told the Pentagon officials, “that they’re going to try to turn out the lights.”

  The military audience seemed to acknowledge his warning, Hultquist remembers. But there were myriad other trouble spots across an internet crawling with potential threats, and so the meeting moved on. “To be honest,” Hultquist says, “I don’t think it really sunk in at all.”

  8

  BLACKOUT

  At first, Robert Lee blamed the squirrels.

  It was Christmas Eve 2015—and also, as it happened, the day before Lee was set to be married in his hometown of Cullman, Alabama. A barrel-chested, bearded, and redheaded twenty-seven-year-old, Lee had recently left a high-level job at the NSA, where he’d led a team of analysts focused on a unique mission: tracking hackers who threatened critical infrastructure. Now he was settling down to launch his own security start-up and marry the Dutch girlfriend he’d met while stationed abroad.

  As Lee busied himself with wedding preparations, he saw news reports that immediately distracted him from his matrimonial duties. Hackers had just taken down a power grid in western Ukraine, the headlines on his phone’s screen read. A significant swath of the country had apparently gone dark for six hours. After the initial wave of adrenaline passed, Lee’s natural skepticism kicked in. He remembered this was probably just more media hype; he had other things on his mind, and he’d heard spurious claims of hacked grids plenty of times before. The cause was usually a rodent or a bird; the notion that squirrels represented a greater threat to the power grid than hackers had become a running joke in the industry.

  The next day, however, just before the wedding itself, Lee received a text message that dragged the incident back into his awareness. It came from Mike Assante, the director of industrial control systems security at the SANS Institute, an elite cybersecurity training center where Lee also taught courses. A message from Assante, for Lee, held far more weight than any news outlet: When it comes to digital threats affecting power grids, Assante was one of the most respected experts in the world. And he was telling Lee that the Ukraine blackout hack looked like the real thing.

  Lee cleared the messages from his phone and tried to focus on his wedding. But moments after he had said his vows and kissed his bride, a contact in Ukraine pinged him: The blackout hack was real, the man said, and he needed Lee’s help.

  Lee had spent his career preparing for this moment. At the NSA, he’d devoted years to tracking the rare, sophisticated hacker teams that targeted power grids, pipelines, and water systems, priding himself on protecting the most fundamental underpinnings of civilization. He’d briefed the government’s most senior officials on those threats. He’d gone so far as to build mock-ups of industrial control systems for testing in his own basement. Now, with absurdly bad timing, the historic milestone he’d anticipated for years seemed to have finally arrived: the first-known case of an actual hacker-induced blackout.

  There was hardly a choice to be made. He skipped out on not only Christmas with his family but also his own wedding reception, found a quiet corner of the room, and began to text with Assante about the details of the Ukrainian power grid attack.

  Still in his wedding suit, Lee eventually retreated to his mother’s desktop computer in his parents’ nearby home. Working in tandem with Assante, who had pulled out his laptop and hidden in the corner of a friend’s Christmas party in rural Idaho, they examined maps of Ukraine and a chart of its power grid. The three power companies’ substations that had been hit were in different regions of the country, hundreds of miles from one another, and unconnected. “This was not a squirrel,” Lee concluded with a dark thrill.

  By that night, Lee was busy dissecting the KillDisk malware his Ukrainian contact had sent him from the hacked power companies, much as Yasinsky had done after the StarLightMedia hack months before. “I have a very patient wife,” Lee says of his decision to spend his wedding night in front of a computer.

  Over the next few days, he received from his Ukrainian contact another sample of code and forensic data from the attacks. Pulling it apart, Lee saw how the intrusion had started. It began with a phishing email impersonating a message from the Ukrainian parliament. A malicious Word attachment had silently run a script known as a macro, a little program hidden inside the document, on the victims’ machines.

  The effect was the same as the zero-day technique iSight had first found Sandworm using in its infected Microsoft PowerPoint documents in 2014, but with a new trade-off: Without the zero day, the victims had to be tricked into clicking a button to allow the script to run. Until they clicked, the document would appear to be missing content or broken, so most users unthinkingly clicked to load it. But by using a simpler replacement for their zero-day technique, the hackers had been able to operate much less conspicuously, and their attack didn’t depend on keeping a rare vulnerability secret from Microsoft.

  The Word script had planted an infection of BlackEnergy, the piece of malware that had by now become practically the official national disease of Ukrainian IT networks. From that foothold, it appeared, the hackers had spread through the power companies’ systems and eventually compromised a virtual private network, a tool the companies had used for remote access to their systems—including the highly specialized industrial control software that gives operators command over equipment like circuit breakers.

  Looking at the attackers’ methods and their use of BlackEnergy, Lee began to make connections to iSight’s earlier findings and others from his time at NSA. This was the work of Sandworm, he was sure of it. After years of lurking, spying, building their capabilities, and performing reconnaissance work, Sandworm had taken the step that no other hackers had ever dared to: They’d caused an actual blackout, indiscriminately disrupting the physical infrastructure of hundreds of thousands of civilians.

  For Lee, the pieces came together: Yes, the Sandworm connection meant the blackout was very likely a Russian attack, targeting Russia’s preferred victim, Ukraine. But as he followed the known history of Sandworm to its conclusion, he was reminded that ICS-CERT had blamed the group for BlackEnergy infections on U.S. critical infrastructure networks, too. In other words, the same group that had just snuffed out the lights for nearly a quarter of a million Ukrainians had only a year before infected the computers of American electric utilities with the very same malware.

  In Lee’s mind, alarms went off. The Ukraine attack represented something more than a faraway foreign case study. “An adversary that had already targeted American energy utilities had crossed the line and taken down a power grid,” Lee says. “It was an imminent threat to the United States.”

  * * *

  ■

  Lee had long preached a simple rule. “No one should be messing with civilian industrial control systems,” he says. “Never.”

  Cyberattacks on nonmilitary, physical infrastructure, Lee believed, were
a class of weapon that ought to be considered, along with cluster bombs and biological weapons, simply too dangerous and uncontrollable for any ethical nation to wield. After all, not every hacker attack on a power grid could necessarily be remedied in a mere six hours, nor would the attackers know, in some cases, the extent of the damage they were inflicting. Lee had spent years thinking through the potential knock-on effects of cyberattacks on critical infrastructure, and his nightmare scenario was hacker-induced blackouts that lasted weeks or even a month, long enough that their consequences were unpredictable and might include crippling hospitals, manufacturing, or food distribution. “You risk collateral damage that’s not even humane,” Lee argues. “This is exactly the sort of damage that we’ve tried through international conventions and norms to do away with in other fields of conflict.”

  His imagined ban on infrastructure-targeted hacking was a surprisingly dovish take for someone who had practically been born into the military. One of Lee’s grandfathers had been a World War II radio operator. The other had been a Green Beret. Both his parents, when he was growing up in Alabama, were U.S. Air Force enlisted personnel; his father had fought in Vietnam, and shortly after Lee was born, his mother and father had both served in Operation Desert Storm, with his mother deployed stateside to take care of Lee and his sisters. When he was a young teenager, she’d deployed again in the wars in Iraq and Afghanistan, coordinating C-17 transport planes from a base in Illinois.

  Lee’s father, who was ten years older than his mother, had received a Bronze Star in Vietnam, though he’d never told Lee what exactly he’d done to earn it. In Iraq, he worked as an air force loadmaster, responsible for, among other things, arranging all the ordnance that military aircraft would drop onto targets. Lee remembers his father showing him photographs of bombs on which he’d scrawled out a message: “To Saddam, from the Lees.”