SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

And the winner by acclamation in the nonfiction ‘Holy Crap! I May Never Be Able To Sleep Again!’ category is Sandworm by Andy Greenberg. And, yes, Greenberg’s tale of cyberwar over the past decade is absolutely that terrifying. Here’s how his book begins:

On June 27, 2017, something strange and terrible began to ripple out across the infrastructure of the world.

A group of hospitals in Pennsylvania began delaying surgeries and turning away patients. A Cadbury factory in Tasmania stopped churning out chocolates. The pharmaceutical giant Merck ceased manufacturing vaccines for human papillomavirus.

Soon, seventeen terminals at ports across the globe, all owned by the world’s largest shipping firm, Maersk, found themselves paralyzed. Tens of thousands of eighteen-wheeler trucks carrying shipping containers began to line up outside those ports’ gates. Massive ships arrived from journeys across oceans, each carrying hundreds of thousands of tons of cargo, only to find that no one could unload them. Like victims of a global outbreak of some brain-eating bacteria, major components in the intertwined, automated systems of the world seemed to have spontaneously forgotten how to function.

At the attack’s epicenter, in Ukraine, the effects of the technological doomsday were more concentrated. ATMs and credit card payment systems inexplicably dropped off-line. Mass transit in the country’s capital of Kiev was crippled. Government agencies, airports, hospitals, the postal service, even scientists monitoring radioactivity levels at the ruins of the Chernobyl nuclear power plant, all watched helplessly as practically every computer in their networks was infected and wiped by a mysterious piece of malicious code.

This is what cyberwar looks like: an invisible force capable of striking out from an unknown origin to sabotage, on a massive scale, the technologies that underpin civilization (emphasis added).

That malware attack, dubbed NotPetya, remains the most devastating and costly in history — with damages conservatively estimated at more than $10 billion. It was perpetrated by Sandworm, a hacker/cyberwar adjunct of the Russian military. Unfortunately, NotPetya was likely just a dress rehearsal for far greater devastation to come.

Much of Greenberg’s book details his efforts to pin down responsibility for NotPetya by interviewing prominent members of what one might call the global cyber sleuth community — sophisticated computer experts who continually battle against the hacking tide and, after the fact, attempt to unravel subtle clues to affix responsibility. Eventually, Greenberg’s experts determined that much of the most serious cyber hacking over the past decade was done by two particular units of the GRU, the Russian equivalent of our CIA.

The hacks were specific implementations of the ‘Gerasimov Doctrine,’ first put forth in a 2013 speech by General Valery Gerasimov, chief of the General Staff of the Russian military. His speech, and follow-on article, advocated an aggressive weaponization of information technology, arguing that “long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals.” These new weapons of war would, as a key objective, reduce the military-economic potential of an enemy state “by the destruction of critically important facilities of its military and civilian infrastructure in a short time.”

But there was another, scarier aspect of the Gerasimov Doctrine: it no longer acknowledged any meaningful distinction between times of war and times of peace and, by implication, between soldiers and civilians. There is only national self-interest.

Cyberwar and Nuclear War

As I read Greenberg’s book, I found myself thinking about how cyberwar compares to nuclear war. The bombs dropped on Hiroshima and Nagasaki were the first, and last, use of nuclear weapons. That was 75 years ago. Essentially, humankind realized these weapons were too terrible to use. It might be possible to bomb an enemy ‘back to the stone age,’ but almost no one thought that was a good idea. Or morally defensible.

But what if computer code can bring about the same outcome? After all, what happens to a modern civilization if no one — individuals, companies, the government — can access their money (or even prove they have any) because their banks’ computers have had their data destroyed? Or what if cyber weapons cause the computers that run the airlines, or global shipping, to freeze up? What if grocery stores can’t pay suppliers so food and other essentials go undelivered? Or gas pumps and hospitals shut down? Or, probably worst case, what if malware can reach out silently to destroy (considerable portions of) a country’s electrical grid? How long will it take for a civilization to go from state of the art to stone age? Most experts believe the time is measured in days, a few weeks at most. After that, we’re probably in Lord of the Flies territory. As one cyberwar expert noted grimly, “Tell me what doesn’t change dramatically when key cities across half of the U.S. don’t have power for a month.”

Despite that, except for a few ‘voices in the wilderness’ like Brad Smith at Microsoft, there is no building drumbeat against the use of cyberwar weapons, and seemingly little political appetite to move in that direction. Russia, and others employing cyber weapons, have found instead that there are no red lines, not even when it comes to harm inflicted on peace-time civilians. Rather, according to Greenberg, we are in the midst of a full-throttle, no-holds-barred cyberwar arms race.

An Electronic Pearl Harbor

Maybe that will eventually result in the sort of standoff we’ve seen with nuclear weapons — a stasis of ‘mutually assured destruction.’ Or maybe not. As long ago as 1997, Deputy Secretary of Defense John Hamre warned Congress that the United States must expect an “‘electronic Pearl Harbor’: a calamitous, surprise cyberattack designed not just to take out military command-and-control communications but to physically devastate American infrastructure.”

At the time no one had any idea that computer code could, in fact, physically devastate infrastructure. But now through the Stuxnet worm that destroyed Iran’s uranium centrifuges, and the NotPetya malware that destroyed power systems in Ukraine (and did a great deal more damage), both the U.S. and Russia have unleashed exactly that capability.

Scarier still, the FBI and the Department of Homeland Security tell us that Russian hackers have, at least since 2016, targeted a wide range of critical American infrastructure, including water and energy utilities, some of which are nuclear power plants. In some of these cases, the intruders have penetrated beyond the utilities’ traditional IT networks and into their industrial control systems. They haven’t crossed the line into causing actual disruptions to physical equipment — but they could. In fact, Secretary of Homeland Security Kirstjen Nielsen characterized Russia’s hacking as an attempt to “prep the battlefield.”

Greenberg suggests this is Russia’s new, 21st-century form of insurgency:

Putin has little hope of outgunning the West as the center of global power in a symmetric face-off . . . Yet Russia sets off its IEDs — NotPetya, interference in the U.S. election, the attack on the Olympics — as cheap, asymmetrical tactics to destabilize a world order that’s long ago turned against it.

We can hope, I suppose, that Putin exercises a degree of restraint. And China. After all, they’ve got plenty to lose. But what about North Korea, or Iran? Or even ISIS? It’s hard to imagine that the cyberwar arms race doesn’t end in someone, somewhere, pushing the Send button. Then we’re headed back to the stone age, or maybe Mad Max.

Or, as Greenberg concludes: “On the internet, we are all Ukraine. In a dimension of conflict without borders, we all live on the front line. And if we fail to heed the borderland’s warnings, we may all share its fate.” Yep, a good night’s sleep seems less and less likely.
