Sandworm


  So in early 1999, after the desperate Moonlight Maze investigators had failed for years to stop the penetrations or prove any definitive connection to the Kremlin, they resorted to a backup plan: They asked Russia for help.

  * * *

  ■

  In March 1999, FBI agents hosted officials from Russia’s Ministry of Internal Affairs at an upscale D.C. restaurant, toasted them with vodka, and formally requested the assistance of Russian law enforcement to track down the hackers who were almost certainly based in Moscow.

  The ministry offered a surprisingly friendly response, promising to lend “aggressive investigative support.” After all, this was in the post-Soviet, pre-Putin era of the 1990s. America had, ostensibly, won the Cold War. The new, post-perestroika Russia under President Boris Yeltsin seemed as if it might become an actual democratic ally of the West.

  Less than two weeks later, the American investigators flew to Moscow to meet with Russian officials. One, a general, was particularly friendly with the U.S. delegation, inviting the investigators to another vodka-drenched dinner. Too friendly, it turned out: At the end of that second evening of diplomacy, the inebriated general nearly caused an international incident by inserting his tongue uninvited into a female FBI agent’s ear.

  But the next day, the ministry really did follow through on its offer of cooperation: The hungover general ordered a subordinate to take the Americans to the offices of the internet service providers that had been used by the Moonlight Maze hackers, including Cityline. The investigators soon found that Cityline offered its internet services not just to civilians but to the Russian government, a clue that they hoped might lead to evidence of the Kremlin’s involvement.

  Then, something unexpected happened. In another meeting at the Russian Defense Ministry, the same general shocked the group by straightforwardly confirming that the Russian government was behind the Moonlight Maze break-ins.

  The intrusions had been staged through the Russian Academy of Sciences, the general explained, but the individuals responsible were “those motherfuckers in intelligence.” He declared that such behavior toward Russia’s newfound friends in the United States would not be tolerated. The U.S. delegation, hardly believing its luck, congratulated each other on the successful trip. Perhaps what had seemed like an intractable problem, this new plague of Russian cyberspying, could be solved with diplomacy.

  The Americans’ optimism was short-lived. The next day, the delegation learned from their Russian handlers that their schedule had been filled with sightseeing trips around Moscow. When the same thing happened the day after that, the investigators began to grow frustrated. They asked their Russian contacts about the whereabouts of the general they’d been meeting with and received no clear response. After a third day without further meetings, they knew that their brief, unexpected interlude of Russo-American cooperation on cybersecurity was over.

  The confused investigators could only guess at what had occurred. Their friendly general, it seemed, had missed the memo on the Kremlin’s hacking campaign. He had considered it a rogue aberration instead of what it was: a powerful new capability, and one that the Russian government was honing into a central tool for intelligence gathering in the post-Soviet era. The mistake no doubt carried serious consequences. The Americans never saw the general again.

  When the investigators returned to the United States, they found that Moonlight Maze’s intrusions had ceased. For a moment, it seemed, their probe might have chastened the Russian government into ordering a stop to the espionage spree. Then, just two months later, in the spring of 1999, military network administrators saw that the same relentless hacking had restarted, now with better stealth and more obfuscation in the code of its tools. A new age of state-sponsored cyberespionage had begun.

  Not long after that trip, in June 1999, the Department of Defense officially launched the Joint Task Force–Computer Network Defense, or JTF-CND, a new arm of the Pentagon devoted to the growing threat of digital intrusions. At the ribbon-cutting ceremony to celebrate the unit’s creation in August of that year, Deputy Secretary of Defense John Hamre discreetly alluded to the ongoing cybersecurity crisis the military was facing as Moonlight Maze continued to siphon its secrets.

  “The Department of Defense has been at cyberwar for the last half year,” Hamre told the audience. He didn’t name Moonlight Maze; the code name would only leak to the press months later. “Cyberspace isn’t just for geeks,” Hamre added in his JTF-CND speech. “It’s for warriors now.”

  * * *

  ■

  What did Hamre mean by all this talk of warriors in cyberspace and that still unfamiliar word, “cyberwar”?

  By the time of Hamre’s speech in 1999, the notion had already been tossed around in military studies circles for years. The term “cyberwar” had been coined in a 1987 Omni magazine article that defined it in terms of giant robots and autonomous weapon systems replacing and augmenting human soldiers. It described flying drones, self-guided tanks, and battlefields covered in the “carcasses of crippled machines.”

  But in 1993, another landmark paper scrapped that Terminator-style definition and gave cyberwar a far more influential meaning, expressing it in terms of military forces’ potential exploitation of information technology. That article by two analysts from the think tank Rand, John Arquilla and David Ronfeldt, appeared in the journal Comparative Strategy with the title “Cyberwar Is Coming!” (The exclamation point, Arquilla would later say, was intended “to show everybody how serious this was.”)

  The two Rand analysts defined cyberwar as any means of warfare that shifts the balance of knowledge in the attacker’s favor. Those tactics could include reconnaissance and espionage, but also, crucially, attacking the enemy’s command-and-control systems. “It means disrupting if not destroying the information and communications systems, broadly defined to include even military culture, on which an adversary relies in order to ‘know’ itself: who it is, where it is, what it can do when, why it is fighting, which threats to counter first, etc.,” Arquilla and Ronfeldt wrote. “As an innovation in warfare, we anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century.”*

  But by the time of Hamre’s ribbon-cutting speech half a decade later, a darker conception of cyberwar had slowly begun to take shape. Hamre had said in a 1997 congressional hearing that the United States must prepare for an “electronic Pearl Harbor”: a calamitous, surprise cyberattack designed not just to take out military command-and-control communications but to physically devastate American infrastructure.

  That more apocalyptic vision of cyberwar had been brewing in government and military analysis circles, too. What if, the war wonks had only just begun to wonder, hackers could reach out from the internet and into the physical systems that underpin civilization?

  Rand’s think tankers, three years after Arquilla and Ronfeldt’s cyberwar article, had run their own hacker war-game simulations around this exact question in 1996. In that exercise, dramatically titled “The Day After…in Cyberspace,” Rand’s analysts imagined catastrophic, lethal consequences from cyberattacks that affected militaries and civilians alike: the derailment of a train in Germany, the disruption of controls at the Saudi Arabian oil firm Aramco, cutting power to a U.S. air base, crashing an airliner in Chicago, or sparking panic on the New York and London stock exchanges.

  This vision of a digital Armageddon took a chilling leap beyond the picture of cyberwar that Arquilla and Ronfeldt had described. Instead of merely using a cyberattack to cut the communicative strings of a military’s soldiers and weapons, what if cyberwar meant that hackers themselves would become the soldiers? What if cyberattacks became their weapons, as physically destructive as a bullet or a warhead?

  This notion of a physically debilitating attack by digital means, as Rand imagined it, raised troubling questions about the foundations of modern society. “If one quarter of the air traffic control systems were inoperable for 48 hours, could air transportation continue?” the analysts asked themselves in their final report on the exercises. “Would two thirds of banking systems suffice; if so, for how long?”

  As they wondered aloud about these unthinkable scenarios, the war gamers came to the consensus that most critical of all was the vulnerability of the electricity supply, upon which all other layers of modern society’s technological infrastructure depend. “If the power system is at risk,” they wrote, “everything is at risk.”

  * * *

  ■

  In 1999, cyberwar was, more or less, science fiction. By almost any definition, John Hamre was getting ahead of himself in his foreboding speech. Moonlight Maze wasn’t cyberwar. It was straightforward cyberespionage.

  Even as the Russian hackers stole reams upon reams of data, they weren’t using their access to military networks to sabotage or corrupt those systems. There was no sign that they were seeking to disrupt or deceive U.S. command and control to gain the kind of tactical advantage Arquilla and Ronfeldt had described. And they certainly weren’t reaching out into the physical world to cause lethal mayhem and blackouts.

  But Moonlight Maze did demonstrate that state-sponsored hackers could gain far deeper and broader access than many in the U.S. government had thought possible. And next time, they might not use those abilities for mere spying.

  In January 2000, President Bill Clinton himself encapsulated the threat in an ominous speech on the White House’s South Lawn. The brief remarks were intended to unveil a plan to kick-start U.S. cybersecurity research and recruiting. Instead, they resonate as a warning from the past. “Today, our critical systems, from power structures to air traffic control, are connected and run by computers,” Clinton said.

  There has never been a time like this in which we have the power to create knowledge and the power to create havoc, and both those powers rest in the same hands. We live in an age when one person sitting at one computer can come up with an idea, travel through cyberspace, and take humanity to new heights. Yet, someone can sit at the same computer, hack into a computer system and potentially paralyze a company, a city, or a government.

  The day when hackers would inflict that scale of disruption hadn’t yet arrived. But Clinton’s imagination of that future wasn’t wrong. In fact, it was just beyond the horizon.

  * The authors suggested that the sort of cyberwar they described might actually be a less violent and lethal form of military combat, one in which an attacker might be able to quickly pierce to the command center of an enemy army rather than fight a grueling and bloody war of attrition. “It is hard to think of any kind of warfare as humane, but a fully articulated cyberwar doctrine might allow the development of a capability to use force not only in ways that minimize the costs to oneself, but which also allow victory to be achieved without the need to maximize the destruction of the enemy,” they wrote. “If for no other reason, this potential of cyberwar to lessen war’s cruelty demands its careful study and elaboration.”

  12

  FLASHBACK: ESTONIA

  Toomas Hendrik Ilves’s internet was down.

  Or so it seemed to the fifty-three-year-old president of Estonia when he woke up on his family farm one Saturday in late April 2007. At first, he assumed it must be a problem with the connection at his remote farmhouse, surrounded by acres of rolling hills. Ilves bristled at the latest annoyance. The day before, he’d grudgingly allowed the country’s security services to smuggle him out of the presidential palace in the capital of Tallinn and bring him 125 miles south to his family estate, named Ärma, where a perimeter of national guardsmen stood watch.

  The last-minute move was designed to protect Ilves from an increasingly volatile situation in Tallinn. Violence had shaken the city for days. Angry rioters, composed largely of the country’s Russian-speaking minority, had overturned cars and smashed storefronts, causing millions of dollars in damage. They’d brawled with police and called for the government’s resignation—a demand echoed by Russian government statements.

  All of that chaos had been triggered by a symbolic slight: Sixteen years after the fall of the Soviet Union, the Estonian government had finally made the decision to relocate from central Tallinn a statue of a Soviet soldier, surrounded by a small collection of graves of World War II casualties. To the country’s ethnic Russians, the graves and the six-and-a-half-foot-tall bronze monument served as a remembrance of the Soviet Union’s bloody sacrifices to defeat Estonia’s Nazi occupiers. To most Estonians, they were instead a reminder of the grim Soviet occupation that followed, marked by mass deportations to Siberia and decades of economic stagnation.

  The statue had served for years as a flash point for Estonia’s tensions with Russia and its own Russian-speaking population. When government workers exhumed the Soviet war graves and transferred them, along with the statue, to a military cemetery on the edge of town in late April 2007, pro-Russian Estonians flooded into central Tallinn in a seething mass of unrest.

  Ilves had left Tallinn reluctantly and remained anxious about the escalating riots. So the first thing he did upon waking up early that morning in his farmhouse’s second-floor bedroom was to open his MacBook Pro and visit the website for Estonia’s main newspaper, Postimees, looking for an update on the riots and Russia’s calls for his government’s ouster. But the news site mysteriously failed to load. His browser’s request timed out and left him with an error message.

  He tried other Estonian media sites, and they too were down. Was it his computer’s Wi-Fi card? Or his router? But no, he quickly discovered that the British Financial Times loaded just fine. Then Ilves tried a few Estonian government websites. They too were unreachable.

  Ilves called his IT administrator and asked what might be the problem with the Ärma connection. The confused presidential tech staffer told Ilves that it wasn’t unique to him. Estonian sites seemed to be down for everyone. Somehow a significant fraction of Estonia’s entire domestic web was crippled.

  Estonia had, over the prior decade, sprung out of its Soviet doldrums to become one of the most digitally vibrant countries in the world. The internet had become a pillar of Estonian life: 95 percent of its citizens’ banking took place on the web, close to 90 percent of income taxes were filed online, and the country had even become the first in the world to enable internet voting. Ilves himself took significant credit for pushing through many of those initiatives as a minister and later as president. Now it seemed that the uniquely web-friendly society he’d helped to build was experiencing a uniquely web-centric meltdown.

  As Ilves clicked through broken sites in his remote farmhouse, he sensed something far worse at play than simple broken technology. It seemed he’d stumbled into the fog of war, a feeling of strategic blindness and isolation in a critical moment of conflict. “Is this a prelude to something?” he asked himself. “What the hell is going on?”

  * * *

  ■

  The attacks had started the night before. Hillar Aarelaid had been expecting them.

  The head of Estonia’s Computer Emergency Response Team, or CERT, had been watching on hacker forums for days as pseudonymous figures had planned out an operation to unleash a flood of junk traffic at Estonian websites, in retaliation for the bronze soldier’s removal. They asked volunteers to aim a series of repeated pings from their computers at a long list of targets, massing into a brute-force distributed denial-of-service attack that would overwhelm the sites’ servers.

  When the first waves of that inundation hit, Aarelaid was at a pub in a small town in Ireland, drinking a Guinness after finishing two weeks of forensic training at a nearby police academy. His phone rang with a call from his co-worker at the Estonian CERT. “It’s started,” the man told him. The two Estonians agreed, with typical brevity, to monitor the attacks and respond with the countermeasures they had planned: work with the sites’ administrators to increase bandwidth, bring backup servers online, and filter out the malicious traffic. Aarelaid, a laconic former beat cop with close-cropped hair and perpetual stubble, hung up after no more than ten seconds and went back to drinking his Guinness.

  The next morning, as President Ilves was still puzzling over his farmhouse internet connection in the south of Estonia, Aarelaid’s CERT colleague picked him up at the Tallinn airport and briefed him on the attackers’ progress. The flood of malicious data was growing, and so was the target list. Most of the media and government sites from the Ministry of Defense to the parliament were under bombardment—a barrage big enough that many were now off-line.

  Aarelaid remained unmoved. These sorts of distributed denial-of-service attacks were low-hanging fruit for untalented hackers, mostly used for petty extortion. He still believed that the usual response to the annoyance would win out when the attackers got bored of the arms race. “We can handle this,” Aarelaid told his CERT co-worker. He considered the attack a mere “cyber riot,” the internet extension of the improvised chaos playing out on Tallinn’s streets.

  By the third day of the attacks, however, it was painfully clear to Aarelaid that these weren’t run-of-the-mill website takedowns, and the normal responses weren’t going to stop them. With every attempt to block the streams of malicious traffic, the attackers altered their techniques to evade filters and renew their pummeling. More and more computers were being enlisted to add their firepower to the toxic flood. Individual volunteer attackers had given way to massive botnets of tens of thousands of enslaved machines controlled by criminal hackers including the notorious Russian Business Network, a well-known cybercriminal operation responsible for a significant portion of the internet’s spam and credit-card-fraud campaigns. That meant malware-infected PCs all over the world, from Vietnam to the United States, were now training fire hoses of data at Estonia.