Sandworm


by Andy Greenberg


  On the most prosaic level, that meant GRU hackers were more likely to wear a uniform and to work in actual GRU buildings, compared with other Russian agencies’ hackers. But that soldier mentality also meant GRU hackers had fewer qualms about carrying out high-risk or even highly destructive campaigns, Galeotti said. The agency maintains a macho, military culture that rewards risk taking, even to the point of shortsightedness. “They’re more likely to be promoted because they gave something a try, even if it didn’t work, than because they’re a pair of safe hands,” Galeotti told me. “If you prove you’re aggressive and effective, bosses will smile on that.”

  Despite many spetsnaz having been moved out from under GRU control years earlier, it still served as the home of special-ops killers and saboteurs, Galeotti reminded me, and that spirit infected the entire agency. “The defense attaché and the commando who goes behind enemy lines to blow up bridges and assassinate people are in the same organization,” he told me. “Sometimes they’re the same person. At the very least, they feel an association.”

  Much of the rank-and-file GRU mentality, as the Russia-watchers I spoke to described it, seemed also to line up with Gerasimov’s cynicism, the same conspiracy theorizing that led him to believe the West had incited the Arab Spring. Ukraine’s sovereignty, many Russian soldiers held, was entirely a creation of the West, its recent revolutions just more U.S.-triggered coups. Attacking the pseudo-nation of Ukraine was not only an expedient task to please their superiors but a patriotic duty in an ongoing, undeclared second cold war with Europe and the United States.

  That stereotypical portraiture of a GRU hacker, however, was far from universal, Soldatov warned me. Some, contrary to Galeotti’s description, are in fact outside contractors and freelancers from the private sector, conscripted for their services with little choice in the matter.

  For those secondary players in the GRU’s orbit, their personal motivation is different. Refuse to lend your services as a researcher, as a developer, or even as an operational hacker, and you could face the destruction of your business, your career, or worse. “People disguise fear with many things: with patriotism, with cynicism,” Soldatov told me. “But when you talk to people, you see that fear plays a big part. You scratch them, and under the surface you see fear.”

  *1 One clue does hint at the GRU’s involvement in the Georgian cyberattacks: The website StopGeorgia.ru, which seemed designed to recruit and equip hacktivists to participate in those attacks, was hosted by a company called SteadyHost, which was headquartered next door to a known GRU research institute in Moscow.

  *2 In the spring of 2018, the investigative news outlet Bellingcat and the Russian news site The Insider would also name two GRU officers as responsible for the downing of Malaysian Airlines flight MH17, which resulted in 298 civilian deaths. In the following months, the same investigators would also name three GRU agents as the assassins responsible for the attempted murder of Sergei Skripal.

  33

  THE PENALTY

  One afternoon in February 2018, the Trump White House released an extremely short, straightforward statement:

  In June 2017, the Russian military launched the most destructive and costly cyber-attack in history.

  The attack, dubbed “NotPetya,” quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.

  With those four sentences displayed on a page of the White House website, the U.S. government had finally, publicly acknowledged Russia’s cyberwar in Ukraine. That acknowledgment had come nearly three and a half years after the siege had begun and almost eight months after it exploded out to the rest of the world.

  The announcement seemed belated even on the timescale of that day: The British intelligence agency GCHQ had published its own statement pinning NotPetya on Russia earlier that morning, preempting the White House. But after the U.S. statement in the late afternoon, intelligence agencies from Canada, Australia, and New Zealand would all follow with their own confirmations. By that night, all of the so-called Five Eyes—the loosely allied agencies of those five English-speaking countries—had assembled a rare, joint set of confirmations tying NotPetya to Russia and condemning the attack, intended to leave no room for doubt of their findings.

  The Kremlin, of course, denied them anyway. “We strongly reject such accusations, we consider them to be groundless, they are part of the similarly groundless campaign based on hatred against Russia,” Putin’s spokesperson Dmitry Peskov told reporters in Moscow.

  The White House would never publicly back up its statement with evidence. But it had promised consequences, and a month later those consequences arrived: The U.S. Treasury announced new sanctions against nineteen people and five organizations. Most of the named individuals, however, seemed to have nothing to do with NotPetya. The listed culprits were lumped together in a broad collection of Russian misbehavior, largely still focused on interference in the 2016 election. They included a dozen staffers at the Internet Research Agency, the St. Petersburg–based institution that had paid civilian workers to flood social media with divisive and pro-Trump content, as well as a consultant firm and a catering company linked to that business. But they also named the GRU and its director, Igor Korobov, along with three deputy chiefs of the agency. While those GRU officers had already been listed in Obama’s earlier sanctions, the new list included one deputy chief who hadn’t been sanctioned before, as well as the head of the GRU’s training academy.

  Like most sanctions, the punishment was purely financial. But it would have a personal impact on its targets nonetheless. For those named, living a life divorced from interaction with all American companies—and any other businesses that want to remain friendly with the United States—wouldn’t be easy, the Center for Strategic and International Studies’ Russia-watcher James Lewis told me at the time. “It makes you sort of an outcast on Wall Street,” Lewis said. “You’re going to take a vacation to Hungary and present them with a Russian credit card? What’s a Russian credit card? You’re cutting these people off from the American economy, and that has a global effect.”

  After all of its denials of Russian hacking, the Trump administration seemed to have realized, with glacial timing, that it could no longer ignore the Kremlin’s escalating digital rampages. “Hard as it may be to believe, it looks like the White House attitude towards Russia is hardening,” Lewis said.

  In a phone call with reporters on the day the sanctions were announced, President Trump’s homeland security adviser, Tom Bossert, made clear that it was in fact NotPetya that had most required redress—that it had violated a red line, spoken or unspoken, around how the United States expects fellow countries to behave on the internet. “The United States thinks any malware that propagates recklessly, without bounds, violates every standard and expectation of proportionality and discrimination. Truly responsible nations don’t behave this way,” Bossert said on the call. “We have an additional expectation that tools like NotPetya not be used in a reckless fashion, causing $10 billion or more in damage across the globe, not only in Europe but in the United States.”

  With that day’s sanctions, Bossert said, the U.S. government meant to leave no doubt about the contours of that red line. “We’ve made clear the rule,” Bossert added. “We’ve started to make clear the penalty associated with that rule.”

  * * *

  The rebuke to Russia from the White House struck an optimistic note for anyone who hoped to prevent the full-scale cyberwars of the future: Finally, the worst cyberattack in history had earned some sort of response, rather than the sheer impunity that had seemed to shield Sandworm’s actions for years.

  But it was shaded by another, simultaneous note of menace: In an announcement made on the same day as the sanctions, the FBI and the DHS also confirmed that Russian hackers had, starting in 2016, targeted a wide range of American critical infrastructure targets, including water and energy utilities, some of which were nuclear power plants. And unlike in previous warnings about that targeting, like Sandworm’s initial breaches of U.S. utilities in 2014, these hackers had dug in deep.

  In a handful of cases—thankfully not in nuclear facilities—the intruders had penetrated beyond the utilities’ traditional IT networks and into their industrial control systems. They hadn’t crossed the line of causing actual disruptions to physical equipment. But they had gained enough access to that equipment’s controls that they could have started to manipulate it at will. Months later, Secretary of Homeland Security Kirstjen Nielsen would explain that the operation seemed like reconnaissance—what she described as an attempt to “prep the battlefield.”

  By all accounts, these hackers were distinct from Sandworm. As far as security researchers could tell, the new group used none of Sandworm’s unique tools, techniques, or infrastructure. The security firm Symantec had first detailed their attacks in a report six months earlier and attributed the intrusions to a group it called Dragonfly 2.0, without naming any nation where the hackers might be based. But Symantec did note that never before had anyone found evidence of such deep penetrations into utilities’ networks—except in Ukraine’s two blackouts.

  “There’s a difference between being a step away from conducting sabotage and actually…being able to flip the switch on power generation,” Eric Chien, a Symantec security analyst, had told me at the time. “We’re now talking about on-the-ground technical evidence this could happen in the U.S., and there’s nothing left standing in the way except the motivation of some actor out in the world.”

  Now, in March 2018, the U.S. government was confirming what everyone had suspected: that the actor with its fingers on that switch was Russia, the only nation whose hackers had dared to turn off the power to civilians before. Even as the world was waking up to Sandworm’s threat, the group’s experiments in societal sabotage seemed to be metastasizing out to other Russian hackers’ operations—and to new victims.

  34

  BAD RABBIT, OLYMPIC DESTROYER

  The attribution of NotPetya to the Russian military was the strongest confirmation yet of Sandworm’s GRU identity. But just as that identity seemed to be coming into focus in the first months of 2018, two strange events clouded the picture, each of which seemed intuitively linked to the hacker group’s trail of disruption. And yet they included mysterious aberrations from Sandworm’s profile, breaking any clean mental model that I had tried to use to make sense of its actions.

  The first had come as a kind of NotPetya aftershock. Early on the morning of October 24, 2017, ESET’s Anton Cherepanov was sitting in the same seat in the same Houston room of ESET’s headquarters when he once again began to receive screenshots of ransomware messages taken from the security company’s eastern European customers. This time those messages had the unexplained words “BAD RABBIT” displayed above their demand that victims make a Bitcoin payment to decrypt their files. Once again, the malware was spreading quickly through Ukrainian networks. Soon it had hit Odessa’s airport and the Kiev metro, again paralyzing the transit system’s credit card payments.

  Cherepanov would describe the feeling as a kind of déjà vu. Just as he had done with NotPetya four months earlier, Cherepanov dug up a fresh sample of the malware from ESET’s antivirus collection and began to take its code apart. He quickly found that, as before, the malware used Mimikatz and a leaked NSA technique to branch out its infections from machine to machine. But surprisingly, it didn’t include the EternalBlue code used in NotPetya. Instead, it used only the EternalRomance program from the NSA’s leaked tool set, which targeted older versions of Windows, along with a custom-coded mechanism that cycled through a collection of common passwords as it attempted to spread via the same computer-to-computer communications feature of Windows that those NSA hacking tools exploited.

  Stranger still were the statistics ESET began to pull from the computers around the world that ran its antivirus software. They showed that this time the worm had only encrypted a few hundred machines—a tiny fraction of the destructive results of NotPetya. And weirdest of all, the victims’ numbers had flipped: The vast majority of infected computers weren’t in Ukraine but in Russia. Fully 65 percent of the victims that ESET detected were Russian, compared with just a little over 12 percent in Ukraine.

  As ESET and analysts at the Russian security firm Kaspersky analyzed the source of the Bad Rabbit malware (as they’d immediately named it), they found that it had spread via a so-called watering hole attack, the technique of hacking certain websites to infect those sites’ visitors. The hackers had broken into a series of news sites in Russia, Ukraine, Bulgaria, and Turkey and planted code on their pages that asked visitors to install a fake Flash software update containing the ransomware. That technique seemed crude and sloppy compared with the powerful, Ukraine-focused backdoor that had carried NotPetya’s payload.

  But there was little doubt that Bad Rabbit had been released by the same hackers as NotPetya. It contained fully 67 percent of the same code, according to the security firm CrowdStrike. Kaspersky revealed within hours of Bad Rabbit’s outbreak that there was stronger proof, still: NotPetya, it turned out, had also been distributed via a watering hole attack in at least one case. Kaspersky had found that the Ukrainian news site Bahmut.com.ua had been hacked and used to deliver NotPetya back on its June 27 trigger date. The company’s analysts had then connected that website’s breach to a series of attacks on thirty other sites, many of which were now spreading Bad Rabbit. NotPetya’s masterminds, it seemed, had been laying the groundwork for their Bad Rabbit follow-up for months.

  But why? Even in the fall of 2017, before Sandworm had been officially linked to the Russian military, all signs hinted that the group’s hackers were working in the service of the Kremlin. What would motivate Russian government hackers to purposefully infect hundreds of Russian computers with malware?

  As Cherepanov and his boss, Robert Lipovsky, puzzled over the incongruent clues, they noted one suspicious element of the Bad Rabbit attack: Exactly how the malware had reached Ukrainian infrastructure like subway and airport networks remained unexplained, but those infections appeared to be highly targeted. Meanwhile, the watering hole attack that had hit Russian computers struck them as far more random.

  “It seemed like a smoke screen,” Lipovsky told me. “They had targets they wanted to infect. Then they released their malware everywhere else as a distraction.”

  Lipovsky cautioned that he could only speculate—that Bad Rabbit still defied an intuitive explanation. But his theory implied that the attack had, perhaps, two distinct goals: It had scored one more blow, in passing, against Ukraine’s infrastructure. And at the same time, it had created a new layer of confusion for investigators. “It blurs things,” Lipovsky told me. “It makes it impossible to attribute the attack based on the targeted country.”

  Was the GRU really so callous as to randomly destroy the computers of Russia’s own citizens, simply as a feint? In fact, its next operation would reveal that it was willing to go far further still in the interests of sowing uncertainty.

  * * *

  Just before 8:00 p.m. on February 9, 2018, high in the northeastern mountains of South Korea, Sang-jin Oh was sitting behind the press section of the Pyeongchang Olympic Stadium, a few hundred feet away from the vast, circular stage on which the 2018 Winter Olympics’ opening ceremony was about to start.

  Anticipation buzzed through the 35,000-person crowd. But few felt it more intensely than Oh. For more than three years, the forty-seven-year-old civil servant had held the position of director of technology for the Pyeongchang Olympics organizing committee. He’d overseen the setup of an IT back end for the games that comprised more than 10,000 PCs, nearly 25,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers in two Seoul-based data centers, with more than 100 additional servers in partner companies’ facilities.

  A few minutes earlier, he’d gotten word from one of those partner companies that it was having some sort of technical issue. The firm’s glitches, in fact, had been a long-term headache. Oh’s response had been annoyance: Even now, with the entire world’s spotlight on the event they were managing, the company was still working out its bugs?

  The data centers in Seoul, however, weren’t reporting any such problems, and Oh’s team believed the issues at the partner’s data center were manageable. He didn’t yet know that they were already preventing some attendees from printing tickets that would let them enter the stadium. He’d settled into his seat, ready to watch a highlight of his career unfold.

  Ten seconds before 8:00 p.m., numbers began to form, one by one, in projected light around the stage, as a choir of children’s voices counted down in Korean to the start of the event:

  “Sip!”

  “Gu!”

  “Pal!”

  “Chil!”

  In the middle of that countdown, Oh’s Samsung Galaxy Note 8 phone abruptly lit up. He looked down to see a message from a subordinate on KakaoTalk, a popular Korean messaging app. The message shared perhaps the worst possible news that Oh could have received at that exact moment: Something was shutting down every domain controller in the Seoul data centers.

  As the opening ceremony got underway, thousands of fireworks exploded around the stadium on cue, and dozens of massive puppets and Korean dancers entered the stage. Oh saw none of it. He was texting furiously with his staff as they watched their entire IT setup go dark. He quickly realized that what the partner company had reported wasn’t a mere glitch. It was the first sign of an unfolding attack. He needed to get to his technology operations center.
