Beginning in 2015, Ukraine was on the receiving end of vicious cyberattacks that experts later determined were launched by Russia. The attacks were ruthless, targeting every aspect of Ukrainian society: government servers, media organizations, transportation hubs. Ukrainian cyberexperts watched helplessly as systems began to crash all around them. There were no public schedules or train service one day. ATMs went dark the next. The coup de grace came when the hackers targeted the electricity grid, plunging hundreds of thousands of innocent Ukrainians into darkness.
“A single group of hackers seemed to be behind all of it,” Greenberg reveals, and in the attacks’ aftermath Ukrainians said the effect was to feel as if “phantoms . . . had reached back, out through the internet’s ether,” into their homes.
So begins Greenberg’s immensely readable “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” a hair-raising, cautionary tale about the burgeoning, post-Stuxnet world of state-sponsored hackers. This is a book that goes beyond influence campaigns and ransomware. Greenberg lays out in chilling detail how future wars will be waged in cyberspace and makes the case that we have done little, as of yet, to prevent it.
His dogged reporting leads him to the GRU, Russia’s military intelligence agency, which he argues has become the most methodical and destructive cyber-force on the planet. You may have heard of it. Cybersecurity company CrowdStrike named one group within the GRU Fancy Bear and blamed that group for meddling in the 2016 U.S. presidential election. But the cognoscenti are familiar with a different group of GRU hackers known by the name Sandworm.
For sci-fi nerds and devotees of Frank Herbert’s “Dune” novels, Sandworm may ring a bell. It is an enormous fictional creature that lives on the planet Arrakis and plays a pivotal role in Herbert’s story. It turns out that members of the GRU’s special hacking unit were huge fans. When one of their data-collection programs, BlackEnergy, was unwound and taken apart by cybersecurity specialist Drew Robinson, one of the main characters in the book, he discovered a signature: a file called “arrakis02.”
“When he found that arrakis02 campaign code, Robinson could sense he’d stumbled onto something more than a singular clue about the hackers who had chosen that name,” Greenberg writes. “He felt for the first time that he was seeing into their minds and imaginations. In fact, he began to wonder if it might serve as a kind of fingerprint. Perhaps he could match it to other crime scenes.”
It turned out he could. Experts began linking cold-case hacks from around the world to the group, though it took years to confirm that the GRU’s Sandworm and the hackers using secret security flaws in software (known as “zero days”) to wreak havoc around the world were, in fact, one and the same. Sandworm spent years obfuscating and feinting and leaving false flags to suggest that others were behind its handiwork. Eventually, cybersecurity experts were able to prove otherwise.
In Greenberg’s capable hands, the twists and turns of the attribution process are not tech-laden and confusing, but instead become tantalizing clues in a detective story. Readers are ushered into darkened rooms where cyber-sleuths tease out bits of code and write programs to scan for malware matches, just as a detective might for fingerprints.
The GRU hackers set themselves apart from other intelligence operatives because their intentions were broader. “Sandworm wasn’t merely focused on espionage,” Greenberg reveals as its culpability becomes clear. “Intelligence-gathering operations don’t break into industrial control systems. Sandworm seemed to be going further, trying to reach into victims’ systems that could potentially hijack physical machinery, with physical consequences.”
Their missions included weaponized swarms of Internet traffic and malware that installed back doors on a victim’s computer so Sandworm would have complete access. The cyberattacks became renowned, with names like BlackEnergy, Bad Rabbit and NotPetya, among others. NotPetya, just to put it in perspective, is considered the most damaging worm ever introduced into the wild. Originally meant to attack Ukraine, its ransomware spread across the world, encrypting computer data and demanding payments to unlock it. It turns out there was no decryption after the ransom was paid; there was just destruction.
“Sucking passwords out of computers’ memories, it instantly hopscotched from machine to machine, using common Windows management tools that give administrators free rein to access other computers on the network,” Greenberg writes. “The result was scorched-earth file corruption that spread automatically, rapidly, and indiscriminately.”
To help readers understand how Sandworm became one of the most aggressive hacking units on Earth, Greenberg takes us back to the Russia-Georgia war of 2008. He maintains that it was a turning point for the GRU. In the eyes of the Kremlin, the GRU had failed miserably during that conflict. Its intelligence lapses had led to embarrassments like the bombing of an abandoned airstrip or its failure to recognize, before it was too late, that Georgia had acquired antiaircraft missiles. The GRU’s attempts to intercept Georgian communications were similarly lackluster. The Kremlin was so angry it mulled demoting the service altogether. The GRU responded by setting up Sandworm.
U.S. officials don’t have to wonder how an all-out election hack might unfold in 2020. Ukraine provides a dress rehearsal. Four days before the country’s May 2014 elections, a pro-Russian hacking group publicly announced that it planned to disrupt the process. A short time later, the group broke into the country’s Central Election Commission and wiped dozens of computers.
“The idea was to destroy the system, to prevent it showing the results, and then to blame Ukraine’s so-called junta,” Victor Zhora, a security contractor for the commission at the time, tells Greenberg. “The goal was to discredit the election process.” The commission’s IT department was able to rebuild the network before the polls opened, but in the process it discovered something disturbing on its server: an image of fake election results.
The administrators managed to delete the fake data before it was publicly displayed, but “Russian state television, seemingly coordinating with the hackers, went ahead with a false announcement that [Dmytro] Yarosh had won, an apparent attempt to cast doubt on the election of the real winner, the political moderate chocolate magnate Petro Poroshenko.”
Sound uncomfortably familiar?
It gets worse. The next morning, the hackers struck again. Ukraine’s election commission was hit with a “denial of service” attack that knocked its servers offline, making it doubly difficult to confirm the legitimate results.
Could something like that be awaiting us in 2020? Greenberg suggests that if we don’t take cybersecurity more seriously, that is exactly what the future may hold. “On the internet, we are all Ukraine,” he writes. “We all live on the front line.”
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
By Andy Greenberg
Doubleday. 348 pp. $28.95