* * *
After six weeks of analysis, iSight was ready to go public with its findings: It had discovered what appeared to be a vast, highly sophisticated espionage campaign with every indication of being a Russian government operation targeting NATO and Ukraine.
As Robinson had painstakingly unraveled that operation, his boss, John Hultquist, had become almost as fixated on the work of the Russian hackers as the malware analysts scrutinizing its code were. Robinson sat on the side of the bull pen closest to Hultquist’s office, and Hultquist would shout questions to him, his Tennessee-accented bellow easily penetrating the wall. But by the middle of October, Hultquist now invaded the bull pen on an almost daily basis to ask for updates from Robinson as the mystery spun out from that first PowerPoint zero day.
For all the hackers’ clever tricks, Hultquist knew that getting any attention for their discovery would still require media savvy. At the time, Chinese cyberspies, not Russian ones, were public enemy number one for the American media and security industry. Companies from Northrop Grumman to Dow Chemical to Google had all been breached by Chinese hackers in a series of shocking campaigns of data theft—mostly focused on intellectual property and trade secrets—that the then NSA director, Keith Alexander, called the “greatest transfer of wealth in history.” A Russian espionage operation with unsurprising eastern European targets like this one, despite all its insidious skill and longevity, nonetheless risked getting lost in the noise.
Their hackers would need a catchy, attention-grabbing name. Choosing it, as was the custom in the cybersecurity industry, was iSight’s prerogative as the firm that had uncovered the group.* And clearly that name should reference the cyberspies’ apparent obsession with Dune.
Robinson, a Dune fan since he was a teenager, suggested they label the hacking operation “Bene Gesserit,” a reference to a mystical order of women in the book who possess near-magical powers of psychological manipulation. Hultquist, who had never actually read Frank Herbert’s book, vetoed the idea as too abstruse and difficult to pronounce.
Instead, Hultquist chose a more straightforward name, one he hoped would evoke a hidden monster, moving just beneath the surface, occasionally emerging to wield terrible power—a name more fitting than Hultquist himself could have known at the time. He called the group Sandworm.
* In fact, iSight wasn’t necessarily the first to piece together this hacker group’s fingerprints. The Slovakian firm ESET was, around the same time, making the same discoveries, including even the Dune-themed campaign codes in the group’s malware. ESET even presented its findings at the Virus Bulletin conference in Seattle in September 2014. But because ESET didn’t publish its findings online, iSight’s analysts told me they weren’t aware of its parallel research, and iSight has been widely credited—perhaps mistakenly—with discovering Sandworm first.
4
FORCE MULTIPLIER
Six weeks after they’d first discovered Sandworm, iSight’s staff held a round of celebratory drinks in the office, gathering at a bar the company kept fully stocked down the hall from the analysts’ bull pen. Sandworm’s debut onto the world stage had been everything Hultquist had hoped for. When the company went public with its discovery of a five-years-running, zero-day-equipped, Dune-themed Russian espionage campaign, the news had rippled across the industry and the media, with stories appearing in The Washington Post, Wired, and countless tech and security industry trade publications. Robinson remembers toasting Hultquist with a glass of vodka, in honor of the new species of Russian hacker they’d unearthed.
But that same evening, 2,500 miles to the west, another security researcher was still digging. Kyle Wilhoit, a malware analyst for the Japanese security firm Trend Micro, had spotted iSight’s Sandworm report online that afternoon, in the midst of the endless meetings of the corporate conference he was attending at a hotel in Cupertino, California. Wilhoit knew iSight by reputation and John Hultquist in particular and made a note to take a closer look at the end of the day. He sensed that discoveries as significant as iSight’s tended to cascade. Perhaps it would shake loose new findings for him and Trend Micro.
That night, sitting outside at the hotel bar, Wilhoit and another Trend Micro researcher, Jim Gogolinski, pulled out their laptops and downloaded everything that iSight had made public—the so-called indicators of compromise it had published in the hopes of helping other potential victims of Sandworm detect and block their attackers.
Among those bits of evidence, like the plastic-bagged exhibits from a crime scene, were the IP addresses of the command-and-control servers the BlackEnergy samples had communicated back to. As the night wore on and the bar emptied out, Wilhoit and Gogolinski began to check those IP addresses against Trend Micro’s own archive of malware and VirusTotal, to see if they could find any new matches.
After the hotel’s bar closed, leaving the two researchers alone on the dark patio, Wilhoit found a match for one of those IP addresses, pointing to a server Sandworm had used in Stockholm. The file he’d found, config.bak, also connected to that Swedish machine. And while it would have looked entirely unremarkable to the average person in the security industry, it immediately snapped Wilhoit’s mind to attention.
Wilhoit had an unusual background for a security researcher. Just two years earlier, he’d left a job in St. Louis as manager of IT security for Peabody Energy, America’s largest coal company. So he knew his way around so-called industrial control systems, or ICS—also known in some cases as supervisory control and data acquisition, or SCADA, systems. That software doesn’t just push bits around, but instead sends commands to and takes in feedback from industrial equipment, a point where the digital and physical worlds meet.
ICS software is used for everything from the ventilators that circulate air in Peabody’s mines to the massive washing basins that scrub its coal, to the generators that burn coal in power plants to the circuit breakers at the substations that feed electrical power to consumers. ICS applications run factories, water plants, oil and gas refineries, and transportation systems—in other words, all of the gargantuan, highly complex machinery that forms the backbone of modern civilization and that most of us take for granted.
One common piece of ICS software sold by General Electric is Cimplicity, which includes a kind of application known as a human-machine interface, essentially the control panel for those digital-to-physical command systems. The config.bak file Wilhoit had found was in fact a .cim file, designed to be opened in Cimplicity. Typically, a .cim file loads up an entire custom control panel in Cimplicity’s software, like an infinitely reconfigurable dashboard for industrial equipment.
This Cimplicity file didn’t do much of anything—except connect back to the Stockholm server iSight had identified as Sandworm’s. But for anyone who had dealt with industrial control systems, the notion of that connection alone was deeply troubling. The infrastructure that runs those sensitive systems is meant to be entirely cut off from the internet, to protect it from hackers who might sabotage it and carry out catastrophic attacks.
The companies that run such equipment, particularly the electric utilities that serve as the most fundamental layer on which the rest of the industrialized world is built, constantly offer the public assurances that they have a strict “air gap” between their normal IT network and their industrial control network. But in a disturbing fraction of cases, those industrial control systems still maintain thin connections to the rest of their systems—or even the public internet—allowing engineers to access them remotely, for instance, or update their software.
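What Wilhoit and Gogolinski did by hand that night, and what the air-gap concern above implies for defenders, can be expressed as two small checks: cross-referencing published command-and-control addresses against a local malware archive, and auditing egress flows from an ICS segment that is supposed to have no route out. The Python below is an added example written for this page; it is not code from the book, iSight, or Trend Micro. Every address, hash, file-type label and flow record in it is constructed, the internal address inventory is an assumed operator setting, and the function names are hypothetical.

```python
"""Cross-checking published indicators of compromise (IoCs) against local
evidence, as a defender would after reading a vendor report:
  1. a malware archive, to find other samples that phoned home to the same
     command-and-control (C2) servers, and
  2. egress flow records from a supposedly air-gapped ICS segment, to find
     hosts that reach outside the plant at all, and in particular hosts that
     reached a published C2 address.
Every address, hash, type label and record below is constructed for this
example; nothing here is a real indicator."""
import ipaddress

# Constructed stand-in for the C2 addresses a report might publish
# (RFC 5737 documentation ranges, not real servers).
PUBLISHED_C2_IPS = {"203.0.113.10", "198.51.100.77"}

# Assumed operator inventory of "inside" address space; anything else is
# external. An explicit inventory is used instead of ipaddress.is_private
# because an ICS operator knows its own ranges, and the documentation
# ranges used above are classed as non-global by the standard library.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed malware-archive metadata: per sample, the addresses it contacted
# when detonated and the file type a type-detector assigned to it.
SAMPLE_ARCHIVE = [
    {"sha256": "sha256-placeholder-1", "name": "dropper.exe",
     "detected_type": "PE32 executable", "contacted": ["203.0.113.10"]},
    {"sha256": "sha256-placeholder-2", "name": "config.bak",
     "detected_type": "GE Cimplicity project (.cim)",
     "contacted": ["203.0.113.10", "10.0.0.5"]},
    {"sha256": "sha256-placeholder-3", "name": "setup.msi",
     "detected_type": "MSI installer", "contacted": ["8.8.8.8"]},
]

# Constructed egress flow records (src, dst, dst_port) from an HMI segment.
ICS_EGRESS_FLOWS = [
    ("10.20.0.15", "10.20.0.1", 502),      # HMI to a PLC on the plant network: expected
    ("10.20.0.15", "198.51.100.77", 443),  # HMI to a published C2 address
    ("10.20.0.16", "93.184.216.34", 80),   # HMI to an arbitrary internet host
    ("10.20.0.17", "172.16.5.9", 445),     # HMI to a corporate share: inside, but notable
]

# Keywords in a detected file type that mark a sample as ICS-related.
ICS_FILE_TYPES = ("cimplicity", "scada", "hmi")


def is_external(ip: str) -> bool:
    """True when the address lies outside every network the operator owns."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def match_samples(archive, iocs):
    """Return (sha256, name, matched_ips, ics_related) for each sample whose
    contacted addresses overlap the published IoC set."""
    hits = []
    for rec in archive:
        matched = sorted(set(rec["contacted"]) & set(iocs))
        if matched:
            ics_related = any(k in rec["detected_type"].lower() for k in ICS_FILE_TYPES)
            hits.append((rec["sha256"], rec["name"], matched, ics_related))
    return hits


def audit_ics_egress(flows, iocs):
    """Split ICS egress flows into flows to a published C2 address and flows
    to any external address (an air-gap violation even with no IoC hit)."""
    ioc_hits = [f for f in flows if f[1] in iocs]
    external = [f for f in flows if is_external(f[1])]
    return {"ioc_hits": ioc_hits, "external_egress": external}


if __name__ == "__main__":
    for sha, name, ips, ics in match_samples(SAMPLE_ARCHIVE, PUBLISHED_C2_IPS):
        flag = " [ICS-related file type]" if ics else ""
        print(f"sample {name} ({sha}) contacted {', '.join(ips)}{flag}")
    report = audit_ics_egress(ICS_EGRESS_FLOWS, PUBLISHED_C2_IPS)
    for src, dst, port in report["ioc_hits"]:
        print(f"ALERT: ICS host {src} reached published C2 {dst}:{port}")
    for src, dst, port in report["external_egress"]:
        print(f"air-gap violation: {src} -> {dst}:{port}")
```

The second check is the one the air-gap paragraph argues for: a flow from an HMI host to any address outside the operator's inventory is worth an alert on its own, because the segment is not supposed to have a route out at all; an IoC match on top of that only raises the priority. The file-type flag mirrors the detail in the text, where an innocuous-looking config.bak turned out to be a Cimplicity project file.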
The link between Sandworm and a Cimplicity file that phoned home to a server in Sweden was enough for Wilhoit to come to a startling conclusion: Sandworm wasn’t merely focused on espionage. Intelligence-gathering operations don’t break into industrial control systems. Sandworm seemed to be going further, trying to reach into victims’ systems that could potentially hijack physical machinery, with physical consequences.
“They’re gathering information in preparation to move to a second stage,” Wilhoit realized as he sat in the cool night air outside his Cupertino hotel. “They’re possibly trying to bridge the gap between digital and kinetic.” The hackers’ goals seemed to extend beyond spying to industrial sabotage.
Wilhoit and Gogolinski didn’t sleep that night. Instead, they settled in at the hotel’s outdoor table and started scouring for more clues of what Sandworm might be doing in ICS systems. How was it gaining control of those interfaces? Who were its targets? The answers continued to elude them.
They skipped all their meetings the next day, writing up their findings and posting them on Trend Micro’s blog. Wilhoit also shared them with a contact at the FBI who—in typically tight-lipped G-man fashion—accepted the information without offering any in return.
Back in his Chantilly office, John Hultquist read Trend Micro’s blog post on the Cimplicity file. He was so excited that he didn’t even think to be annoyed that Trend Micro had found an unturned stone in the middle of iSight’s major discovery. “It totally opened up a new game,” Hultquist said.
Suddenly those misfit infrastructure targets among Sandworm’s victims, like the Polish energy firm, made sense. Six weeks earlier, iSight had found the clues that shifted its mental model of the hackers’ mission from mere cybercrime to nation-state-level intelligence gathering. Now Hultquist’s idea of the threat was shifting again: beyond cyberspying to cyberwar. “This didn’t look like classic espionage anymore,” Hultquist thought. “We were looking at reconnaissance for attack.”
* * *
Hultquist had, in some sense, been searching for something like Sandworm his entire career, long before iSight stumbled into it, before he even knew what form it would take. Like many others in the cybersecurity industry, and particularly those with a military background, he’d been expecting cyberwar’s arrival: a new era that would finally apply hackers’ digital abilities to the older, more familiar worlds of war and terrorism. For Hultquist, it would be a return to form. Since his army days a decade and a half earlier, he’d learned to think of adversaries as ruthless people willing to blow things up, to disrupt infrastructure, and to kill him, his friends, and innocent civilians he’d been tasked to protect.
An army reservist from the tiny town of Alcoa in eastern Tennessee, Hultquist had been called up in the midst of college to serve in Afghanistan after September 11. Soon the twenty-year-old found himself in Kandahar province in a Civil Affairs unit. Their job was to roll around the countryside in a six-man team, meeting with the heads of local villages in an effort to win hearts and minds. “We were still armed to the teeth, of course,” Hultquist told me, followed by a kind of cackle that punctuates many of his stories. “It was high adventure.” He let his black beard grow wild and came to be known within the unit as Teen Wolf.
His Civil Affairs unit’s motto, printed across a badge on their uniforms’ shoulder, was vis amplificans vim, a phrase his superiors had told him roughly translated to “force multiplier.” The idea was to build relationships with local civilians that would aid in and expand on the less subtle work of expelling and killing the Taliban; they were the carrot to the infantry and Special Forces’ stick. They’d have lunch with a group of village elders, ask them what they needed over a meal of goat and flatbread, and then, say, dig them a well. “Sometimes we’d come back a couple weeks later and they’d tell us where an ammo cache was hidden,” Hultquist says.
In those early days of the war, the Taliban had already mostly fled the country, evaporating away from the initial U.S. invasion into the mountains of Pakistan. As they slowly began to slip back into Afghanistan in the months that followed, however, the violence ramped up again. One night, a Taliban guerrilla shot two rockets at the building where Hultquist and his unit were sleeping. One missed, banking skyward. The other, by a stroke of luck, failed to explode and was defused by their explosive-ordnance unit. Just days later, those same bomb technicians were killed when explosives they were defusing in a hidden Taliban rocket cache suddenly detonated. Hultquist and his unit were the first to the scene and spent hours collecting their dismembered body parts.
After the invasion of Iraq in 2003, Hultquist was transferred there, a deployment that was immediately as intense and bloody as Afghanistan had grown to be. In Iraq, the war quickly shifted to a hunt for a largely invisible force of saboteurs planting hidden makeshift bombs, a highly asymmetric guerrilla conflict. Hultquist learned how psychologically devastating those repeated, unpredictable, and lethal explosions could be. He’d eventually earn an army commendation for valor for his quick response when a team of fellow soldiers’ Humvee was hit with a roadside bomb, administering first aid and an IV to two men who survived the attack.
The gunner on top of the vehicle, however, had died instantly in the blast. When the bomb had gone off, he’d had grenades strapped to his chest so that he could quickly feed them into the launcher. Hultquist still remembers the sound of those grenades exploding one by one as the man’s body burned.
* * *
Hultquist completed his tour of duty, returned to the United States, and finished college. After graduating, he got a job teaching a course on psychological operations at Fort Dix in New Jersey and then moved to one of the Information Sharing and Analysis Centers, or ISACs, that had been created around the country in the years after 9/11 to address possible terrorism threats. He was assigned to focus on the problem of highway safety and later the security of water systems and railways, thinking up countermeasures to grim scenarios like attackers plowing large vehicles into crowds or planting bombs in vehicles’ cargo holds, as terrorists had done in Sri Lanka in cases he studied.
He was introduced to the digital side of those security threats only in 2006, when he joined the State Department as a junior intelligence analyst contractor, tasked mostly with helping to protect the agency’s own networks from hackers. At the time, China’s state-sponsored cyberspying campaigns were just coming into focus as a serious problem for America’s national security and even its commercial dominance. In the mid-2000s, a series of intrusions known as Titan Rain, believed to be carried out by cyberspies working for China’s People’s Liberation Army, had broken into Lockheed Martin, Sandia National Labs, and NASA. By the time Hultquist started his job at State, reports were surfacing on an almost weekly basis of Chinese espionage that had breached the networks of targets from defense contractors to tech companies. “They were stealing all of our intellectual property, and all of our attention,” Hultquist says of the Chinese hackers.
But from his first years tracking state-sponsored cyberspies in the U.S. government, Hultquist gravitated to a different, less considered form of digital attack. After his experience trying to outthink insurgents and terrorists in the army and then at the ISACs, he naturally focused not on espionage but on the threats capable of inflicting psychological disruption on an enemy, shutting down civilian resources and creating chaos.
In 2007, for instance, Estonia had come under a punishing, unprecedented barrage of DDoS attacks that all seemed to originate in Russia. When Estonian police cracked down on riots incited by the country’s Russian-speaking minority, targeted floods of junk traffic knocked Estonia’s government, media, and banking sites off-line for days in a networked blitzkrieg like nothing the world had ever seen before. The next year, when war broke out between Russia and Georgia, another of its post-Soviet neighbors, crude cyberattacks pummeled that country’s government and media, too. Russia, it seemed to Hultquist, was trying out basic methods of pairing traditional physical attacks with digital weapons of mass disruption.
Back then, Hultquist had mostly watched from the sidelines. He’d studied the Estonian and Georgian attacks, met with researchers who tracked them, and briefed senior officials. But he’d rarely been able to pull their attention away from the massive siphoning of state secrets and intellectual property being carried out by China’s hackers, a threat that seemed far more immediate to American interests.
Now, years later, iSight’s Sandworm discovery had put Hultquist at the vanguard of what seemed to be a new, far more advanced form of Russian cyberwar. In the midst of Russia’s invasion into Ukraine, a team of Russian hackers was using sophisticated penetration tools to gain access to its adversaries’ infrastructure, potentially laying the groundwork to attack the underpinnings of civilian society, hundreds of miles beyond the front lines: He imagined sabotaged manufacturing, paralyzed transportation, blackouts.
As Sandworm’s mission crystallized in his mind, a phrase from his time in the army’s Civil Affairs unit came to him from more than a decade earlier: vis amplificans vim.
* * *
After he read Trend Micro’s report, Hultquist’s fascination grew: Sandworm had transformed in his mind from a vexing puzzle to a rare and dangerous geopolitical phenomenon. He began to bring it up constantly with iSight’s analysts, with any reporter he spoke to, with other members of the security industry, and with the D.C. intelligence community. For iSight’s office Halloween party, he even made himself a Sandworm costume out of a green children’s play tunnel, an expression of his pet preoccupation that was perhaps only partly a self-mocking joke. “Sandworm was my favorite thing,” Hultquist said simply.
He was nonetheless frustrated to find that after the initial hype around iSight’s discovery, his Sandworm-watchers club didn’t have many other members. The mainstream media seemed to have, for the moment, largely exhausted its interest in the group. Vague hints of a technically convoluted connection to infrastructure attacks weren’t enough, it seemed, to attract even a fraction of the attention that iSight had initially brought to Sandworm’s zero day and secret Dune clues.