Sandworm

A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Title: Sandworm
Subtitle: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Author: Andy Greenberg
Published: 2020
ISBN: 978-0-525-56463-8
Purchased from Amazon UK in April 2021.


Verdict: Highly recommended for anyone with an interest or responsibility in the cyber security space.

The timeline and storyline of this book, interesting as they are, hop around quite a lot. Hence it’s not easy to present a nice sequential summary. So just a few of the interesting points follow. I’ll avoid the ‘pussy-footing-around’ such as ‘allegedly this’ and ‘allegedly that …’, and just cut straight to the chase. Technical evidence is pretty incontrovertible. The balance of probability leaves little doubt, the usual posturing and denials notwithstanding. Russian direct state-sponsored and tacitly-condoned criminal hackers are malicious and treacherous in the extreme. This would not be news to anyone with the vaguest notion of the hacking landscape. The problem, more so than the hackers, is the limp, weak-kneed response by the authorities of the governments who should be tackling this scourge, at least prior to Joe Biden.

Andy’s question is what have Russian hackers, including or most especially those in the employ or patronage of the Russian Government, by default Vladimir Putin, been up to since the Americans and Israelis demonstrated their cyber offensive capability with Stuxnet in 2009.

The Stuxnet attack was an awesome technical hacking achievement. It essentially targeted the pinpoint-specific Siemens programmable controllers for the centrifuges the Iranian Islamic fundamentalist dictatorship was using to enrich uranium to nuclear weapons grade. Stuxnet was laser-focused on finding only equipment with that very specific industrial control system, and through infecting the controller program code, spinning the centrifuges out of control to the point of destruction. Stuxnet did this with complete effectiveness and without being discovered by the Iranian engineers. Mission accomplished!

Because the Iranian nuclear centrifuge systems were ‘airgapped’ from the Internet as a measure to defend against such attacks, Stuxnet was originally planted via physical storage media such as USB sticks, disks, memory cards etc. We can allow our imaginations a lot of latitude in perceiving how that might have been achieved, but people have their weaknesses! The problem of course was, once ‘in the wild’, this malware just continued its search as intended, but sat passively on industrial control systems around the world that were not linked to the target Iranian centrifuges. Then it was only a matter of time until the malware was discovered and unmasked by some very bright technologists in the cyber security space – which of course happened, as we know. It was like leaving bits of paper lying around with your bank login details on them. Enough bits of paper and eventually some persistent bright spark discovers what it is and who you are, with a predictable outcome.

The game was now up, which obviously alerted the Russian security and military apparatus about the cyber offensive capability of their perceived adversaries.

It’s unreasonable to contend that Stuxnet was the sole motive for the Russians developing and deploying massive and devastating cyber offensive capability. It would however have flagged the potential of such capability against adversaries and also that the Russians had quite a bit of catching up to do.

A few of the outrageous attacks that the Russians have visited upon various nation and organisational victims, and chronicled in the book, are outlined below.

Prior to Stuxnet as outlined above, a crude large-scale denial of service (DoS) cyber attack was made on Estonia in 2007. This crashed a large portion of the Internet and public services in Estonia for a 3-week period. The Russian motive was thought to be nationalistic sentiment due to Estonia becoming a Western democracy and a statue of a Soviet soldier being moved from a prominent location in Tallinn, the capital. Other than the scale of the attack, this was cyber 101 in terms of sophistication. It drew almost zero response from Western governments, just a weak-kneed ‘Oh, that’s awful, but we feel it’s not our problem!’, and Estonia was basically left to fend for itself. Then things went relatively quiet for some time.

At Christmas in 2015 Russian hackers attacked with a piece of malware nicknamed ‘Sandworm’ and took down a section of the Ukrainian electric power grid, causing a blackout for about a quarter of a million Ukrainians. Many other sections of Ukrainian society were also targeted in this attack, including the national pension system. This was Russian hackers’ first direct attack on national civilian critical infrastructure. The particular hacker group was known to have also probed US power grid infrastructure.

The US Democratic National Committee headquarters was hacked in 2016 by the same Russian state organisation that attacked Ukraine in 2015. The resulting US Presidential Elections interference is now well documented. Much clumsy, ham-fisted smoke-screening ensued by the main Russian Intelligence Directorate (GRU) and SVR foreign intelligence agency.

Also in 2016 a cyber attack was carried out on the World Anti-Doping Agency with the blessing of Putin’s government. They were furious at the agency’s banning of Russian athletes from the 2016 Olympics due to widespread programs of performance-enhancing drug use. The hackers left clear forensic evidence of their real identity.

The US National Security Agency (NSA), supposedly the most cyber-capable and cyber-savvy organisation on the planet, was breached by Kremlin-backed hackers in August 2016. A trove of more than twenty potent offensive hacking tools from the most formidable digital hacking arsenal that had been developed by the NSA were stolen. Many of these digital tools were used to massive damaging effect in future cyber attacks.

Again in December 2016, Ukraine came under a widespread cyber attack from the Kremlin Sandworm hackers. Targets again included the power infrastructure and railway systems. Power and transportation infrastructure outages in the Ukrainian winter obviously cause serious and widespread harm. The usual incontrovertible forensic identity evidence, and the usual clumsy attempts to side-step attribution by the Russians. Western response? You guessed it!

In June 2017, Maersk, the world’s largest shipping conglomerate, became the victim of a massive cyber attack, about which Maersk employees are still reluctant to speak for fear of consequences. The entire global Maersk organisation had to disconnect from the Internet. Chaos ensued in world shipping, with huge costs involved.

About the same time in 2017, the Kremlin-sponsored hackers (Shadow Brokers) who hacked the top-secret NSA offensive hacking tools had tried to sell these tools on the open market to the highest bidder. This didn’t work, so in retaliation they just put them up publicly on the Internet. Two of the tools, EternalBlue and DoublePulsar, were used by North Korean hackers for a devastating ransomware attack nicknamed ‘WannaCry’ on the UK National Health Service and victims in dozens of other countries. This attack could have caused a global crisis, except a young UK technology whiz called Marcus Hutchins stumbled upon the WannaCry kill-switch while analysing the malware, thus saving untold worldwide chaos. Global damage due to WannaCry is estimated at $4 billion.

Ukraine again came under sustained countrywide cyber attack in June 2017, this time by ransomware nicknamed NotPetya. No kill-switch was quickly found on this occasion. NotPetya took down banks, government agencies, hospitals, transportation hubs, power infrastructure, card payment systems, airports, general businesses – the lot! It was reputed to be the fastest spreading malware ever seen. Ukraine was the worst affected, to the extent of being a national disaster. Within hours it had spread beyond Ukraine and out to countless machines around the world, including Maersk again on an unimaginable scale. Maersk’s chairman, Jim Snabe, estimated the cost of the attack to be around $300 million. Maersk staffers estimated the cost to be much higher. The global cost of NotPetya – we can’t even imagine, but it’s estimated to be more than $10 billion. Yes, that’s $10 billion, 10 with nine zeros behind it! The indirect life and death effects and decisions in the hospital care environment have not been considered. Concrete evidence again pointed to the Russian government sponsored Sandworm hackers being culpable. Based on CIA evidence, The Washington Post cited the Russian Military, specifically the GRU (Glavnoye Razvedyvatel’noye Upravleniye). The collective Western response at the time? “________________________ “, aka sfa.

In February 2018, some Western governments, particularly the US and UK, finally started to wake up and issue strong statements of attribution for some of the above attacks. They identified by name some of the Russians involved and imposed sanctions on these individuals. The Russian denial charade of course ensued. On the same day as these announcements, the US Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) confirmed that starting in 2016, Russian hackers had penetrated deep into the industrial control systems of American critical infrastructure targets. We have already seen what this did to Ukraine.

Furthermore, there was a major cyber attack on the Winter Olympics in South Korea in 2018. The attackers took steps to plant evidence implicating North Korea, specifically the North Korean sponsored Lazarus hacking group. However, Western expert analysts were able to see through the ruse, and again forensically identified the Russian GRU-sponsored hackers (Sandworm) as the perpetrators, even down to identifying the particular GRU unit involved (Unit 74455). The Olympic attackers could even be traced back to a hacking operation that directly targeted the 2016 US Presidential elections. The Russian motive was thought to be their banning from participation in the 2018 Winter Olympics.

In the final chapters the book further identifies by name (through various indictments served by US authorities) many of the Russian GRU hackers involved. It also chronicles a trip the author made to Moscow in an attempted fact-finding mission – which, unsurprisingly for such a closed, dysfunctional state, didn’t unearth much in the way of stunning new facts. He concludes the book by pointing out the critical need for resilience in national infrastructure systems by way of more stand-alone manual fallback systems backing up the purely digital networked systems currently in place.

Anyone with digital security interests, and those tasked with functional responsibilities for the same, most especially at a national level, need to be intimately aware of the matters raised by the author of this book. That needs to include devising and implementing strategies to protect the national interests and the interests of those who elected them to positions of responsibility. The fulfilment of such responsibilities still seems a long way off.