On the website of a Ukrainian seller of antiques and collectibles, one of those pins seemed to be offered for sale—the FBI’s photograph was too low-resolution to know for sure—a round chunk of golden metal engraved with the image of a white diamond at its center. A lightning bolt and a sword slashed across the circle, crossing behind the gem. At the bottom of the image was a sash with the numbers “74455” written across it. On the other side of it was an engraving that translated to “in service of the fatherland.”
I was more intrigued by the two other faces: Anatoliy Kovalev and Aleksey Potemkin were both far younger men. Potemkin, the older of the two at thirty-five, wore a blue shirt and tie, along with a green cap that hid what looked like closely buzzed hair. His light blue eyes stared into the camera with a steely, almost contemptuous gaze.
Kovalev, accused of the hands-on hacking of at least one U.S. state’s board of elections website, was listed as only twenty-seven years old. His photograph, cut off at the neck, showed no sign of his uniform, and despite his close-cropped hair he had the sort of open, intelligent face I could imagine seeing on any hacker in a cybersecurity company or graduate school across the world. In 2017, Kovalev had been listed on the website of the cybersecurity conference Positive Hack Days as an attendee. He’d noted his affiliation as Moscow State Technical University. My Russian translator called the school; she found that no one there had ever heard of him.
I now had three names, three faces, and an address. They were the barest of clues. But they were also, I began to realize in the days that followed my meeting with Hultquist, the closest thing to solid leads I was going to get. With those names and the address of the Tower burned in my mind, I booked a flight for Russia.
* The clues that led Matonis to make that connection, tying Sandworm to a French election-focused hacking operation, represent another long and intricate path through the web of his investigation. For a complete breakdown, see the appendix.
38
RUSSIA
In late November 2018, I arrived in St. Petersburg, deep into one of the city’s subzero, seventeen-hour winter nights. The next morning I walked into the A2 Green Concert club near the city’s center, a massive music venue with its internal brick walls lit in glowing green and purple and thrumming with bass. In two of those rooms, hackers on stages presented technical research on everything from industrial control system hijacking methods to ATM hardware reverse engineering. In the rest of the building, young, darkly dressed people milled around the venue’s hallways and bars. At one table, Russia’s state-owned bank Sberbank was recruiting security engineers. At another, hackers crowded around with their laptops, trying to win a contest to breach an email server in the shortest possible time. This was ZeroNights—one of the two largest hacker conferences in Russia and what I hoped might be my best chance to learn about how Russia’s hacker community interacted with the GRU.
For the next two days at the conference, I’d ask any Russian hacker with whom I could start a conversation about a topic that was perhaps the event’s worst possible icebreaker: their country’s intelligence services. Most of them grew visibly distant as soon as I brought it up, told me they had nothing to say on the topic, and found an excuse to walk away. The few who did talk said they didn’t know the three members of the GRU’s 74455 I was looking for or any other GRU agents. What they told me instead seemed to lead me even further from the truth, or in circles: The Russian government doesn’t have sophisticated hackers; it can’t pay enough to afford them. No one at an event like this works with Russian intelligence agencies. No Russian hacker with any skill is both smart enough to be a talented hacker and dumb enough to be a patriotic GRU agent. I don’t want to talk to anyone who believes the story that Russia hacked the U.S. election. The Ukrainian power grid? You don’t even have to hack it. You just wait a while and it will fall apart on its own.
Finally, one security researcher sat down with me and openly admitted that he and others he knew did sell hacking tools to the Russian government—if indirectly. In his case, he offered a subscription service for zero-day vulnerabilities and the tools to exploit them. The targets of his hacking wares, he said, were industrial control system software.
Among his buyers were penetration testers seeking to suss out their clients’ vulnerabilities, U.S. government agencies, and, he believed, Russian companies that served as fronts for Kremlin intelligence staff, though he politely declined to pinpoint any customers by name. He told me he didn’t know anyone who had been coerced into working with the FSB or GRU, but had no doubt that he and his hacker associates had—wittingly or not—done deals with them. “They don’t need to pressure you, that was only in years past,” he said calmly, as we sat on the venue’s balcony, the smell of stale cigarettes wafting out of the smoking room next to us. “Money solves a lot of problems.”
Did he believe GRU agents or their front companies were at ZeroNights now, recruiting or buying tools? He didn’t know, but he had certainly seen them at other Russian conferences, he told me. “They don’t walk around wearing badges,” he said. “They could be anyone here.”
* * *
■
I left St. Petersburg after the conference, more confused by my conversations than enlightened, and boarded the Sapsan bullet train to Moscow. That evening I emerged from Leningradsky station into the core of Russia’s capital just as a light snow was beginning to fall. But even as I was approaching the geographic heart of the GRU, I found myself still banging my head against its wall of secrecy.
I felt that impenetrability tangibly the next day when I paid a visit to the global headquarters of Kaspersky Labs, arriving at its sleek glass building along a highway in Moscow’s northwest, with orchids and a Salvador Dalí sculpture of an elephant decorating its white-paneled lobby. In a conference room on the fourth floor, I met with Igor Soumenkov, the brilliant security researcher who had found the first, most telling clue exculpating North Korea for the Olympic Destroyer attack.
For the next hour, I interviewed him about that impressive finding, and the thin, kind-faced thirty-two-year-old laid out the case for North Korea’s innocence in perfect English, with all the confidence and clarity of a university professor. At the conference room’s whiteboard, he drew charts of how software compilers function, to explain the mismatch in the malware’s header that showed its failed attempt at a false flag. Kaspersky had, by then, also made most of the same connections out from Olympic Destroyer that FireEye’s Michael Matonis had found, linking the Olympic hackers to attacks targeting Ukraine, Russian businesses, and the Swiss chemical weapons laboratory. (Soumenkov didn’t mention those hackers’ link to the attacks on the U.S. state boards of elections, which tied them to Unit 74455 of the GRU. Because Matonis and Hultquist had shared that key data point with me in confidence, I didn’t mention it to Soumenkov, either.)
Near the end of my hour-long briefing with Soumenkov, I summarized what he seemed to have laid out for me: The Olympic attack clearly wasn’t the work of North Korea. “It didn’t look like them at all,” Soumenkov agreed.
And it certainly wasn’t Chinese, despite the more transparent false code hidden in Olympic Destroyer that fooled some researchers early. “Chinese code is very recognizable, and this looks different,” Soumenkov agreed again.
Finally, I asked the glaring question: If not China, and not North Korea, then who? It seemed that the conclusion of the process of elimination was practically sitting there in the conference room with us and yet couldn’t be spoken aloud.
“Ah, for that question, I brought a nice game,” Soumenkov said, affecting a kind of chipper tone. He pulled out a small black cloth bag and took out of it a set of dice. On each side of the small black cubes were written words like “Anonymous,” “Cybercriminals,” “Hacktivists,” “USA,” “China,” “Russia,” “Ukraine,” “Cyber-terrorists,” “Iran.” I’d seen these so-called attribution dice before: a prop
designed to illustrate the nihilistic notion that no cyberattack could ever be traced to its source and anyone who tried was simply guessing.
As he held the dice, Soumenkov’s cheeks had taken on a mild red flush. Perhaps the room was stuffy, although I hadn’t felt it. Or perhaps Soumenkov was feeling the embarrassment of concealing an answer that his own innate intellectual honesty had helped uncover. Or perhaps he was feeling the fear that Andrei Soldatov had described to me among Russia’s cybersecurity community, hiding just a scratch’s depth beneath the skin.
Soumenkov tossed the dice on the table. “Attribution is a tricky game,” he said. “Who is behind this, it’s not our story, and it will never be.”
* * *
■
On my last morning in Russia, I walked out of my hotel and along the bank of the Moscow River toward 20 Komsomolsky Prospekt, the home of GRU Unit 26165, the primary actor in Russia’s interference operation targeting the 2016 U.S. election. As I approached the now-notorious address named in the U.S. indictment against those hackers, I passed an ornate Orthodox church and then came to a series of long, faded yellow buildings that filled an entire block. The center third of each building had a series of Greek columns in its facade, as if to signal its innocuous identity as an academic institution—officially, the Institute of Military Instructors.
But seeing the building in person made clear it contained something far more carefully guarded than a school. Its front door had been boarded up neatly with red wooden panels, and its side entrance was absurdly well protected: Guards screened visitors through a metal gate, surrounded by three fortified mounds of sandbags, each fronted by a curved steel plate with a slot for a rifle. Each of the three miniature bunkers was painted green and covered in camouflage netting, and thus looked ludicrously conspicuous on the central Moscow sidewalk. I watched as two older men in black coats and then a younger man in a green winter uniform entered the gate. Then I hurried away before the guards could notice my staring.
Perhaps Sandworm was inside that gate. But Hultquist’s theory, the only one that had even attempted to trace a line all the way from the very first BlackEnergy attacks in Ukraine to an actual unit number and address, had pointed elsewhere. I wanted to see that building, too. As snow began to fall again, I boarded the metro and took it northward to nearly the end of the line. After close to an hour, I emerged and took a taxi across the Moscow River to the suburban city of Khimki. The cabdriver dropped me off at 22 Kirova Street: the Tower, home of GRU Unit 74455.
The neighborhood of Khimki that abuts the Moscow River is made up of 1960s- and 1970s-era Soviet brick apartments. On that afternoon, their quiet courtyards were blanketed in snow, an idyllic picture of communist nostalgia. But on the banks of the river, the Tower loomed over them, more than twenty-five stories of glass and steel.
I walked past an auto body shop, a community gym, and the tower’s fortified gate, marked as the Glavnoye Upravleniye Obustroystva Voysk—translating roughly to the “General Directorate for the Arrangement of Troops”—which was surrounded by surveillance cameras. Then I descended a metal staircase to a path by the river, which had broadened north of the city and frozen, becoming a perfect flat ribbon of white snow.
With the river to my back, the Tower stood directly above me, blocked off by a high iron fence on a steep hill. I couldn’t make out a single human figure through its windows without using a pair of binoculars, which I wasn’t brave enough to try.
It struck me that this was as close as I was likely ever going to get to the hackers I’d now been following for two years. After traveling close to five thousand miles, I was no nearer to understanding or unmasking Sandworm than I had been in John Hultquist’s kitchen in northern Virginia.
I had felt the need to seek out the place where Sandworm lived. But now it seemed as though I’d been tricked by the same peculiarity of cyberwar’s geography that had made the Ukrainian police’s raid on the M.E.Doc server room so absurd. Just as NotPetya had defied human intuition about the physical origin of a weapon’s launch—just as distance hadn’t protected its victims—proximity hadn’t brought me meaningfully closer to its perpetrators.
A security guard appeared on the edge of the parking lot above me, looking out from within the Tower’s fence—whether watching me or taking a smoke break, I couldn’t tell. It was time for me to leave. I walked north along the Moscow River, away from the Tower, and through the hush of the neighborhood’s snow-padded parks and pathways to the nearby train station. On the train back to the city center, I glimpsed the glass building one last time from the other side of the frozen river before it was swallowed up in the Moscow skyline.
39
THE ELEPHANT AND THE INSURGENT
When Hultquist told me that Unit 74455 of the GRU was Sandworm, I wanted to believe him. Those five digits, as impenetrable as they might have been, seemed to offer a kind of solution to Sandworm’s mystery. But even before I flew to Russia with the Tower hanging in my imagination, I couldn’t ignore the nagging skepticism telling me that the full story wasn’t so simple.
Rob Lee, with his official pedigree as an NSA hacker-hunter, had warned me months earlier that the international researchers tracking Sandworm—from FireEye to Kaspersky to ESET—were all only seeing pieces of the picture. For the most part, he pointed out, they were analyzing clues in the malware left behind in the wake of the hackers’ attacks, not other evidence such as the intrusion data pulled from victims’ logs.
The problem with that malware analysis approach, Lee explained, was that highly sophisticated hacking operations aren’t typically carried out by a single team working alone. Instead, like in any well-developed industry, the hackers inside any competent intelligence agency specialize. One team might be assigned only to build tools. Another might focus on gaining initial access to target networks. A third might be assigned to take over that foothold, monitoring implanted spyware or carrying out the next stage of the intrusion, like penetrating from the IT network to the computers that connect to industrial control systems.
The problem with the story of Sandworm as I knew it, Lee pointed out, was that the group had mostly been tracked via clues in the software it used. Even its name had come from the Dune references in the code of its BlackEnergy infections. The cybersecurity research community had started from those initial fingerprints, finding other software hints that connected to those intrusions and grouping those operations as the work of Sandworm. But what if those operations shared only the same software developers, and different operations teams had deployed that code in their attacks? “You’re tracking the malware. The people who develop it are not always the same people who use it,” Lee warned me in a phone call. The result might be misconceptions along the lines of tying together a series of murders as the work of a single gang, when in fact they had simply all been carried out with weapons from the same gun shop.
It seemed true, I had to admit, that there were at least two distinct threads within Sandworm’s cyberwar fronts: one that seemed intent on destroying data, from KillDisk to NotPetya, and one that seemed to be honing attacks with physical effects, culminating in Crash Override, a.k.a. Industroyer. What if they were different groups, linked only by a shared software development team?
At Dragos, Lee had sought to clarify the distinction by creating a new name for what he considered Sandworm’s development team, calling it “Electrum” in a reference to its blackout malware. In fact, he argued, that team of developers might even be not part of the same agency but a private contractor. “Shit, what we’re tracking as Electrum could be the Booz Allen of Russia,” Lee had mused. “They could be GRU, but they could also be a shared resource.”
The security firm CrowdStrike, which had initially led the analysis of Fancy Bear’s attacks on U.S. election targets, suggested to me that it had a different but similarly thorny theory: Sandworm—or Voodoo Bear, as CrowdStrike named the group—might be
the heavyweight crew called in late in an operation when Russian intelligence was looking to inflict maximum damage. CrowdStrike’s vice president of intelligence, Adam Meyers, hinted to me—but declined to show evidence to back up—that he had seen the group’s fingerprints appear alongside multiple other Russian hacking groups, including one that CrowdStrike believed wasn’t even a GRU operation but FSB.
Meyers’s working theory was that Voodoo Bear/Sandworm might be a shared resource of a different kind from what Lee had described: That other group might be assigned to gain access, and Sandworm would take over when it was time to drop the payload. “Voodoo Bear could be a specialized sabotage group that’s a collaborative effort between GRU and FSB,” Meyers said. “It could be kind of like a team effort that comes in to do disruptive or destructive attacks.”
FireEye had, in the fall of 2018, shared with me an entirely different theory. Hearing Michael Matonis’s analysis of overlapping command-and-control servers between the Olympic attacks, NotPetya, and election-hacking operations, I couldn’t help but consider whether this represented yet another distinct way to track Sandworm that might confuse the picture further still. Matonis was, after all, tracking the infrastructure links between different attacks and connecting them with Sandworm’s operations and malware. But if Lee was right, those three elements—the software, the servers, and the hands on the keyboard—might all be the work of different teams.
The larger research community surrounding Sandworm had begun to remind me of the story about the blind men surrounding an elephant. One man grabs the elephant’s tail and decides it’s a rope. Another touches its leg and declares it’s a pillar. A third feels its ear and swears the elephant must be a kind of large fan.
Sandworm Page 29