For the past six years, Russia has been waging an ongoing cyberwar campaign against Ukraine: hacks that have disabled power plants, frozen government agencies, and paralyzed hospitals. For weeks prior to the physical re-invasion of Ukraine, which began Thursday morning, a Russian military unit has been launching cyberattacks on government networks, banks, and the military.
On Friday’s episode of What Next: TBD, I spoke with Andy Greenberg, a senior writer at Wired and the author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, about the parallel digital war that’s taking place alongside the physical one in Ukraine—and the possibility for broader, more global targets. Our conversation has been edited and condensed for clarity.
Lizzie O’Leary: Can you describe the Russian hacking ecosystem?
Andy Greenberg: There is a whole array of these hacker groups that all work for the Kremlin, but the simplest way to split them up is probably among the three major intelligence agencies in Russia: the FSB, a domestic law enforcement agency and a successor to the KGB. Another successor to the KGB is the SVR: the foreign intelligence agency, sort of their equivalent to the CIA. Then there is the agency that I am most focused on or obsessed with: the GRU, a military intelligence agency that can easily be said to be the most reckless and brazen and disruptive of the three in its hacking activities.
The two most active hacking units I know of within the GRU are Unit 26165, also known as Fancy Bear or APT28, who famously were the ones who led the breach of the Democratic National Committee and the Clinton campaign in 2016 and leaked those documents. Then, there is Unit 74455 of the GRU, also known as Voodoo Bear or, most famously, Sandworm. They, you could say, are the most active cyberwarfare hacker group in the world. This is a group that specializes in just inflicting maximum chaos globally.
How directly is the Sandworm group tied to the GRU and to the Kremlin? Who’s giving them their marching orders?
I think it’s fair to say that Sandworm is a part of the GRU. These are hackers who wear military uniforms and sit in a government building, a tower in the neighborhood of Khimki on the outskirts of Moscow. They are soldiers, essentially.
The first big Russian cyberattack in Ukraine happened just before Christmas in 2015. The previous few years had been tumultuous, with Russia’s annexation of Crimea and fighting throughout Eastern Ukraine, which also led to the downing of a Malaysian passenger plane. By this point, a series of ceasefire agreements had been signed, but the situation was still tense. Can you talk us through that atmosphere?
So just before Christmas in 2015, in the midst of Russia’s physical invasion of the country, we saw the first ever blackout attack. It hit a group of Ukrainian electric utilities. They used a piece of wiper malware to first wipe a bunch of computers in the facility to initially throw them into a state of chaos. They also bombarded the facility with fake phone calls just to add an extra layer of confusion. But then, they actually took over the IT helpdesk software to take over the actual mouse movements of the operators in the control room. These poor operators were forced to watch as their own mouse movements clicked through circuit breakers and turned off the lights to tens of thousands of Ukrainians.
There probably were easier ways to turn off the lights to Ukrainian civilians, but I think that this was designed as a kind of terrorism to make Ukrainians feel like they are under attack, like they’re in a war zone, like their government is not keeping them safe, like they are not in control. And, to make the rest of the world feel that way about Ukraine as well. To keep the West’s hands off Ukraine, to prevent investment from coming into the country, to make it look like a failed state. This is, I think, cyberwar but it’s also cyberterrorism.
Roughly a year-and-a-half later, Sandworm attacked on a new scale. If 2015 was scary and embarrassing, this was an all-encompassing whirlwind. The malware that Sandworm used this time was called NotPetya. How did this malware work?
In 2017 Sandworm essentially hijacked the software updates of this Ukrainian accounting software called MeDoc. MeDoc is basically used by everyone in Ukraine to file taxes. It is the TurboTax or Quicken of Ukraine. Sandworm corrupted those updates so that if you had a copy of MeDoc installed, you suddenly had a copy of NotPetya, this malicious software installed, too. It immediately took down, by some measures, hundreds of companies in Ukraine. But of course, MeDoc is used outside of Ukraine and a cyberattack like this, a self-spreading piece of code, doesn’t respect national borders. So very quickly we began to see NotPetya infections around the world. I reported this out in most detail at Maersk.
The big shipping company.
Yes. Inside of Maersk, I talked to one IT administrator who saw his screen go black and stood up and looked around the room to see if anybody else was having a problem. He saw a wave of black screens across the room as NotPetya infected and destroyed every computer at Maersk’s global headquarters. Within minutes people were running down hallways, yelling at each other to turn their computers off. They were going into conference rooms and unplugging machines in the middle of meetings. They were jumping over the turnstiles between different parts of the building because even those physical security systems had been paralyzed already by NotPetya.
This also hit Merck. Shut down their pharmaceutical manufacturing. They had to borrow their own HPV vaccine from the CDC because they couldn’t make enough of it. It hit the company that owns Cadbury and Nabisco. It shut down medical record systems in dozens of U.S. hospitals. I could go on and on. It still kind of boggles my mind to think that this happens, and I don’t really ever think that Russia was fully held accountable for it.
That’s what I was going to ask you, because the attack was so big, it was so brazen, it went to so many different places, but the international community’s response did not feel particularly loud. People were indicted, but not until 2020.
This is what drove me crazy as I reported on all of this. First, Russia caused blackouts in Ukraine. They actually attacked the power grid before we even get to NotPetya. That was supposed to be a red line, where you can do all sorts of state-sponsored hacking and get away with it, but if you touch the power grid, that was supposed to be an act of cyberwar, and it would be treated as such with real consequences. And yet nothing happened. No government around the world even said that it was Russia that had done this except Ukraine, of course. Then, that kind of invited Russia to just keep going, to go further. When NotPetya hit, it still took eight months for anyone to say that this was Russia that had carried out the worst cyberattack in history, and then nine months for there to be any kind of sanctions.
What is the political goal here? Is it just to render the physical infrastructure useless? Or is it to inflict economic pain to make Ukraine look foolish? To disrupt everyday lives?
The goal of these cyberattacks shifts over time based on what Russia needs to accomplish, what their tactical aims of the moment are. In 2014, 2015, 2016, and 2017, Russia had sort of sparked a war in the east of Ukraine, but that was a limited war, kind of a frozen conflict as people say, designed to weaken Ukraine but not to reach the capital. These cyberattacks were a way to send a message to the rest of Ukraine that you too are vulnerable. Even though you’re hundreds of miles away from the fronts, we can reach you, too. You’re all subject to our sphere of influence.
You talked to a Ukrainian cybersecurity consultant, and he said essentially that Sandworm was training, that they were using Ukraine as a training ground. A training ground for what?
When they caused a blackout for the second time in the capital of the country, it did seem that they were trying out new techniques. They were trying to innovate. It seemed like they had understood that they can get away with whatever they wanted to in Ukraine, and they might as well try live fire exercises to develop capabilities they could use in Ukraine but also elsewhere in the world.
What role do cyberattacks play in a physical war?
With this most recent ongoing invasion of Ukraine, it seems like cyberattacks have been designed to prepare the battleground in the sense of creating confusion as Ukraine tries to figure out what is going on, to scare people. But then once the physical invasion starts, it is more tactical accompaniments of physical war. We’re seeing attacks on organizations that support the military to maybe just actually confuse their command and control. Of course, these cyberattacks also kind of slip into the background. If you want to cause a blackout in Ukraine now, you hit a power station with a missile, which is absolutely happening, instead of trying to reach in with some IT helpdesk software.
In the past week, the U.S. and other international allies have been much quicker to call out Russian cyberactivity than we’ve seen in the past. There were some attacks Feb. 15 and 16, and the White House turned around a few days later and said GRU infrastructure was doing this. Why do you think the U.S. has been more willing to make this public so quickly?
You’re pointing to a huge sea change that is really significant. I think we are learning as a society, our governments are learning that they do have to respond immediately—if not to come up with a fully fleshed-out package of sanctions, then just to call out the rogue hackers and the rogue agencies that do this. To send a message to them that we know what you’ve done, there will be consequences, you need to cut it out right away.
President Biden alluded to the possibility for Russia to retaliate against international sanctions with cyberwarfare outside Ukraine on Thursday. Does that seem like a possible next step for Russia?
When Western countries implement new, crushing sanctions against Russia, they will lash out. I would not be at all surprised to see cyberattacks that don’t just spread from Ukraine semi-accidentally as NotPetya did, but are targeted at the West and that are designed to punish us for what we do to Russia in retaliation for its invasion.