The detectives tracking Sandworm were running their hands over those same bits of anatomy and coming to equally disparate conclusions. Some, like Hultquist and Matonis, were taking the logical leap necessary to assemble their tactile experiences into an idea of a single, complex animal. Others, like Lee, were carefully describing only what they could directly observe—a trunk here, a tail there, each of which might be an independent organism. After all the years of effort and forensic breakthroughs, stretching back to Sandworm’s first traces, the full shape of that animal remained a frustrating mystery.
* * *
■
Just days after my visit with John Hultquist, however, the U.K. government’s National Cyber Security Centre released a remarkable document. It served as a final confirmation of the GRU’s connection to Sandworm, establishing a layer of ground truth beneath the fog of cyberwar.
As I’d come to expect from government statements on state-sponsored hacking, it provided only conclusions, not the clues that led to them. But it served as a kind of omnibus reproach to the Russian government for almost all of the cyberattacks I’d associated with Sandworm over the previous two years. And it settled any last, lingering questions of which intelligence agency might be ultimately responsible.
“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability,” read the statement from the U.K. foreign secretary, Jeremy Hunt. “The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”
The statement was followed by two lists. One enumerated the aliases that the cybersecurity community had used for groups whose association with the GRU the British government could now confirm. Those names included practically every way of referring to all the known Russian players in the story of this book: “Fancy Bear,” “Black Energy Actors,” “Cyber Berkut,” “Voodoo Bear,” and finally “Sandworm.”
The document went on to list a series of operations it tied to those actors: NotPetya. Bad Rabbit. The attacks on the Democratic National Committee. The intrusions of the World Anti-Doping Agency. The attempted breach of the Organisation for the Prohibition of Chemical Weapons that Matonis had tied to Olympic Destroyer. For each of those operations, the National Cyber Security Centre stated (with its emphasis) that it had “high confidence that the GRU was almost certainly responsible.”
There was no longer room for doubt about this underlying fact: Whatever the shape of Sandworm, almost every attack that anyone had ever attributed to it had now been named as the work of the GRU.
That clarion signal came, in fact, just as the clear boundaries describing Sandworm as an entity were beginning to break down. My sense of the distinction between Sandworm and Fancy Bear was dissolving.* I had believed Sandworm to be a single cyberwar unit focused on physical disruption, but it now seemed to be something less defined. The line between development and operations teams was blurring, too. Its mission, as I understood it, no longer had the purity of a cyberattack sabotage campaign but was mixed up with election-focused influence operations.
All of that meant conceiving of the group Hultquist’s team had discovered in 2014 as a distinct, named entity, with its own discrete set of operations, was losing its usefulness. That simple model no longer fit reality. The story of Sandworm, in that sense, was over.
The underlying mystery of its identity, however, had been solved. The answer was the one that had been coming into focus all along. It didn’t matter which part of the elephant the blind men were touching. The animal was the GRU, working in the service of the Russian Federation and its president, Vladimir Putin.
* * *
■
Hultquist’s unified theory of Sandworm, that it mapped cleanly onto Unit 74455 and its Khimki Tower, might have been correct—or perhaps not. No one outside an intelligence agency may ever be able to confirm or refute it.
But when Hultquist described his theory to me in his kitchen on that warm autumn afternoon in 2018, it had been, in some sense, too unwieldy for my brain to process. The same GRU hackers had turned off the lights in Ukraine, unleashed NotPetya, attacked the Olympics, hacked the U.S. state boards of elections, and even helped to set up the bizarre fake persona Guccifer 2.0? How could those absurdly disparate missions all fall under the remit of one hacking team within the GRU?
For Hultquist, however, linking Sandworm to 74455 held a certain counterintuitive, explanatory power. As he described it to me, that connection brought the purpose behind the group’s entire history into focus. Now he could see that there wasn’t some line between the influence operation of election meddling and disruptive attacks on infrastructure. All of it was an influence operation, he now believed.
“It’s not about turning out the lights,” Hultquist said, his eyes wide with epiphany. “It’s about letting people know you can turn out the lights.”
Russia’s cyberwar in Ukraine hadn’t, in fact, resulted in any concrete military wins, Hultquist pointed out. No territorial gains, enemy casualties, or other tactical victories. Its entire purpose was psychological: to reduce the will of the Ukrainian people to fight. “It’s not about specific changes on the battlefield. It’s about making people feel they’re not safe anymore,” Hultquist insisted. “There was no military, long-term objective. It was about a psychological objective, taking that war out of the eastern front and bringing it right to Kiev.”
Just as election hacking is meant to rattle the foundations of citizens’ trust that their democracy is functioning, infrastructure hacking is meant to shake their faith in the fundamental security of their society, Hultquist told me, echoing the unified sense of information warfare Gerasimov’s paper had described five years earlier. “The foundation for government is the ability to protect their people,” Hultquist continued, holding forth as if my questions had unlocked a torrent of ideas he’d been bottling for months. “If they can’t do that—if they can’t protect these soft targets—they look illegitimate.”
The threat, Hultquist argued, was in essence the same one he’d battled in Iraq and Afghanistan: sudden, unpredictable destruction aimed more at shattering a sense of security than actually furthering military control. “The reason you carry out terrorism is rarely to kill those particular victims,” Hultquist said. “It doesn’t degrade the fighting capability of the adversary. That’s never why someone tried to hit me with an IED. It’s about scaring the shit out of people so they lose the will to fight, or change their mind about the legitimacy of their own security service, or overreact.”
The theory of cyberwar Hultquist was describing sounded less like a new front for traditional wars than a new form of insurgency. And as he spoke, it occurred to me that this role—as an insurgent—might be the most accurate description of Russia’s place in modern geopolitics. Putin has little hope of outgunning the West as the center of global power in a symmetric face-off. Russia’s economy is smaller than Italy’s or Canada’s. And even with its outsized spending on war relative to that economy, its military budget is just over a tenth the size of America’s.
Yet Russia sets off its IEDs—NotPetya, interference in the U.S. election, the attack on the Olympics—as cheap, asymmetrical tactics to destabilize a world order that’s long ago turned against it. “This is Russia: embattled, short on resources, reaching out and touching people,” Hultquist finally concluded.
He left unspoken the other corollary of this theory of cyberwar, the one that he knew all too well from his experience in Iraq and, most of all, Afghanistan. One of those wars stretched to almost a decade. The other began when Hultquist was still in college and continues as of this writing,
eighteen years later. Counterinsurgencies are long. And for this digital one, there’s no end in sight.
* Around the same time, another set of new clues was also blurring the line between Sandworm and Fancy Bear: ESET in October 2018 had revealed a tool kit it called GreyEnergy, which the company said Sandworm had used as a successor to BlackEnergy to target industrial control system victims in Ukraine and Poland. Then, in February 2019, Kaspersky exposed a connection between that GreyEnergy malware and Fancy Bear, pointing out that a group within Fancy Bear seemed to be targeting the same victims at the same time as that GreyEnergy malware and using the same command-and-control servers.
PART VI
LESSONS
The concept of progress acts as a protective mechanism to shield us from the terrors of the future.
40
GENEVA
One afternoon in late January 2018, just over a year after J. Michael Daniel walked out of the White House as an executive branch official for the last time, I met him for coffee on the sixty-fourth floor of 1 World Trade Center, the building where I work for Wired magazine. The meeting was a kind of belated exit interview, a chance to look back at his record as Obama’s top cybersecurity official, responsible for overseeing the administration’s handling of every conflict on the internet over the nearly five years he held the post.
Daniel was proud of that record, which included carefully calibrated responses to everything from Iranian DDoS attacks on American banks to the North Korean attack on Sony to Russian attacks on the U.S. election. But I wanted to talk to him instead about the one series of events where the Obama administration had offered practically no response at all: the Ukrainian cyberwar and, in particular, the world’s first-ever blackout attacks carried out by Sandworm just before Christmas 2015.
“I believe the White House and the Obama administration handled those incidents reasonably well given what we knew at the time and the evolving understanding,” Daniel said judiciously, after he’d sat down on a couch overlooking a view of downtown Manhattan.
I followed up with an impolite question: With years of hindsight, and the knowledge that the same hackers would go on to unleash the most expensive, global malware pandemic in history, did he regret not acting against those hackers earlier, at the time of their first unprecedented infrastructure attack? If not sanctions or indictments, why not at least answer those blackouts with a public statement calling out the power grid attacks as unacceptable behavior on the international stage?
Daniel’s first, clearest answer was that he very well might have advocated those sorts of responses—if the attacks had targeted Americans or even NATO members. “There’s a distinction between what happens overseas and what happens to a U.S. company or on U.S. soil,” he said.
But then Daniel followed with a darker, more realpolitik justification for America’s inaction in the face of Ukraine’s cyberwar: that the United States might not want wartime cyberattacks against critical infrastructure to be considered off-limits—that it wants the freedom to carry out those attacks itself. “That’s the fundamental tension,” he continued. “We don’t want to take any options for ourselves off the table.”
In the late 1990s war in Kosovo, Daniel pointed out, NATO planes dropped bombs that exploded in the air over targets and released showers of tiny carbon fibers designed to short out electrical equipment, shutting down five power plants that distributed electricity to the Serbian armed forces. “We need to consistently advocate for not disrupting infrastructure during peacetime,” Daniel said. “You can argue that in wartime the power grid is a legitimate target.”
But none of that offered an entirely satisfying answer. Ukraine might have been at war with Russia, but the power grid serving western Ukrainian civilians on the opposite side of the country from that fighting couldn’t remotely be called a military target. And Ukraine’s non-NATO status hadn’t stopped the world from publicly condemning Russia’s invasion of Crimea and Donbas, and even hitting Russia with sanctions for that physical aggression, less than a year before it gave the country an unspoken pass for its subsequent digital attacks.
As I pressed Daniel further, his responses became more elliptical: He wasn’t present for all the discussions about Russian relations at the time, he said. Other parts of the executive branch were factoring the Ukraine cyberattacks into a bigger, tangled web of relationships that also included the bloody unraveling of Syria, where Russia and the United States were at odds. The administration’s policy on Russia was still recalibrating after its earlier attempt at a friendly “reset” with the Kremlin, a détente shattered by the Crimean invasion. He didn’t want to reveal private conversations with the president that he considered protected by executive privilege. He didn’t want to “Monday-morning quarterback.”
But the third time I asked him whether he regretted not doing more, Daniel overtly admitted that he did. “I wish that we could have been more up-front and done a bigger push about this issue, yes,” he said.
Then he offered something unusual for a lifelong political official: a series of honest thoughts that, beyond his legalistic arguments, sounded like a deeply considered analysis of a past decision he was still not sure he’d made correctly. “This is an incredibly new area,” Daniel said, now speaking in a different, unguarded tone. “We haven’t made the shift to thinking about this nodal, light-speed network that doesn’t play by the physics that the real world plays by and yet is intimately connected with the real world, and more connected every day.
“Our understanding is still growing. What’s important is that we take these lessons and apply them going forward,” he concluded. “Because it will be one of those issues that will come back up. It will happen again.”
* * *
■
Four months later in May 2018, it was Tom Bossert’s turn for an exit interview. Until April, Bossert had been Trump’s homeland security adviser, and thus his most senior official focused on cybersecurity. Then came the latest reorganization of Trump’s tumultuous cabinet, this time led by his sharp-elbowed new national security advisor, John Bolton. Bossert had resigned after a little more than a year on the job—on friendly terms, he was careful to assure me.
I found the newly unemployed Bossert in Manhattan’s Union Square with his meetings over, a couple hours to spare before his train back to D.C., and in urgent need of a bagel. “You can’t come to New York and not eat a bagel,” he told me as I speed-walked down the street to keep up with him. Tall and handsome, Bossert projected a politician’s importance and impatience, and I found myself instinctively acting as his personal assistant, consulting Yelp to find Bossert’s bagel for him. He considered my suggestion and, in an executive decision, dismissed it as too far to walk, instead turning around and hurrying into an Au Bon Pain.
Bossert, even more than Daniel, was fiercely proud of his accomplishments in the White House. He was, after all, the one who finally cracked down on Sandworm with actual sanctions in response to NotPetya after years of inaction. “My premise coming in, which I maintained through my entire time there, was to be aggressive, active about attribution,” he told me once he’d sat down at a window table with his bagel sandwich. “It isn’t for the sake of knowledge alone. It’s for the sake of punitive action when you’ve determined a culprit.”
Sure, the sanctions on the GRU in response to NotPetya came eight months after the fact. But they sent the necessary message, and just in time, Bossert adds, to pressure European Union allies into voting to continue the wider sanctions on Russia that had been enacted in response to its 2014 invasion of Ukraine.
But Bossert insisted, with the logical precision of his legal training, that the decision to sanction NotPetya’s perpetrators was based on a rule that remained distinct from the wider context of Russia’s behavior in Ukraine. “There’s an expectation of discrimination and proportionality,” he said, laying out his argument like a judge giv
ing a rapid-fire sentencing statement. “The theory behind my anger with that particular cyberattack is that its spreading damage was not only predictable; it was obvious that it would propagate without control outside of Ukraine.”
That all sounded fine, I agreed. But what about all the attacks that the GRU launched against Ukraine before the one that spilled out to become the largest cyberattack in history? What about the arguments made by Rob Lee, Thomas Rid, and others that the use of unprecedented cyberattacks on Ukraine’s civilian infrastructure for years, including two blackout attacks, should already have been enough to trigger a response? After all, the Industroyer/Crash Override malware that took down the Kiev power grid came to light in June 2017, well into Bossert’s watch.
“They were annoyed that blackout attacks in Ukraine didn’t meet with a U.S. response against Russia?” Bossert asked me with raised eyebrows. “Forget about the cyber component and wrap your head around any act of aggression. Suggest to yourself that there are regional acts of aggression going on in any number of places in the world. What’s the U.S.’s responsibility and risk calculus in entering that fray?”
The Cassandras’ warnings about Sandworm and their calls for early deterrence, Bossert argued, ignored the massive burden of that imagined policy, the sheer number of conflicts the United States would be signing up for if it were unilaterally imposed. “They’re taking the world police responsibility of the U.S. to a ridiculous extreme,” he said evenly, as if taming his outrage. “Imagine the resources we’d have to impose on the taxpayers of the U.S. to provide a blanket defense against all malicious cyberactivity.”
But the administration’s critics aren’t asking for a policy that requires a response to “all malicious cyberactivity,” I suggested. What about a simpler, narrower policy: a norm we set for the world, that even in wartime no one should use cyberattacks to turn out the lights on civilians?
Sandworm Page 30