Russia’s Other Battlefront


S1: Back in 2016, Andy Greenberg’s editors at Wired wanted him to write a story about cyberwar. Their initial pitch was inspired by U.S. politics.

S2: They were thinking about the Russian interference in the 2016 election, which I didn’t really see as cyberwar at all.

S1: Andy’s definition is more malevolent.

S2: Cyberwar, to me, is a campaign of cyber attacks with disruptive or destructive effects carried out by one state against an enemy state or its adversary, and often in the midst of an actual war. So I went looking for the real cyberwar story, and I found it in Ukraine.


S1: For the past six years, Andy has reported on the ongoing cyber campaign against Ukraine. The hacks that have disabled power plants, frozen government agencies and paralyzed hospitals, and the Russian military unit behind it all. On Thursday morning, as Russia officially invaded Ukraine, we called him up to try to understand the parallel digital war that’s taking place alongside the physical one.

S2: There are cyber attacks that are definitely happening now and have been happening for four weeks prior to the actual physical reinvasion of Ukraine. And I think it’s really important to preface anything I say about cyber attacks at this moment with a kind of caveat that they just don’t matter as much as the actual physical attacks with mortars and bullets and fighter jets and helicopters that are truly killing people and putting many more people’s lives at risk. But it still matters.


S1: Since January, government networks have been attacked, and so have banks and the military.

S2: And then yesterday we saw reports of wiper malware again hitting Ukrainian targets, this time hundreds of computers. We don’t know how many networks.

S1: The malware seems to destroy everything it hits. It’s a digital playbook that looks awfully familiar, one that Russia has run before with terrible consequences. Today on the show, Andy walks us through the war in Ukraine that you can’t see, one that started years ago and is still happening. I’m Lizzie O’Leary, and you’re listening to What Next: TBD, a show about technology, power, and how the future will be determined. Stick around. I think the average American knows that, you know, Russian hackers exist, maybe heard about them in the context of the 2016 election, but it feels like this kind of nebulous bogeyman. I would love it if you could describe the Russian hacking ecosystem.


S2: There’s a whole kind of array of these hacker groups that all work for the Kremlin. But the simplest way to split them up is probably among the three major intelligence agencies in Russia: the FSB, which is the kind of intelligence but also domestic law enforcement agency, the successor to the KGB. Another successor to the KGB, when it split up, is the SVR, the foreign intelligence agency, sort of their equivalent to the CIA, I suppose. And then there is the agency that I am most focused on, that I am obsessed with, the GRU, this military intelligence agency that can easily be said to be the most reckless and brazen and disruptive of the three in its hacking activities. The two most active hacking units I know of within the GRU are Unit 26165, also known as Fancy Bear or APT28, who famously were the ones who kind of led the breach of the Democratic National Committee and the Clinton campaign in 2016 and leaked those documents. And then there is Unit 74455 of the GRU, also known as Voodoo Bear or, most famously, Sandworm, who I think you could say are the most active cyber warfare hacker group in the world. They are responsible for everything from blackouts that they triggered twice in Ukraine, first in 2015 and then in 2016, to the NotPetya malware they released in Ukraine, which was a kind of self-spreading worm that really carpet-bombed the entire Ukrainian internet, but then spread to the rest of the world and did 10 billion dollars in damage. I mean, this is a group that specializes in just inflicting maximum chaos globally.


S1: I’m really curious how directly the Sandworm group is tied to the GRU and to the Kremlin. You know, can we say affiliated with, can we say directed by? Who’s giving them their marching orders? Do we know?

S2: I think it’s fair to say that Sandworm is a part of the GRU. These are hackers who wear military uniforms and sit in a government building, a tower in the neighborhood of Khimki on the outskirts of Moscow. You know, I’ve been to it, I’ve seen it from a distance, I didn’t knock on the door. They are soldiers, essentially.

S1: The first big Russian cyber attack in Ukraine happened just before Christmas in 2015. The previous few years had been tumultuous, with Russia’s annexation of Crimea and fighting throughout eastern Ukraine, which also led to the downing of a Malaysian passenger plane. By this point, a series of ceasefire agreements had been signed, but the situation was still tense.


S2: So just before Christmas in 2015, in the midst of Russia’s physical invasion of the country, we saw this first-ever blackout attack, and it hit a group of Ukrainian electric utilities. It wasn’t just that Sandworm went in and switched the lights off and left. They used a piece of wiper malware, of the kind that we’re still seeing Russia using in Ukraine today, to first wipe a bunch of computers in the facility, to kind of initially throw them into a state of chaos. They also bombarded the facility with fake phone calls just to kind of add an extra layer of confusion. But then they actually took over the I.T. helpdesk software to take over the actual mouse movements of the operators in the control room of this western Ukrainian power grid utility and locked them out of their computers. And these poor operators were forced to watch as their own mouse movements clicked through circuit breakers and turned off the lights to tens of thousands of Ukrainians.


S1: I was really struck reading your story. You have a little video that one of the guys in this power facility has taken, and you can just see the mouse. You know, the cursor move around and the video pans down and the mouse isn’t moving. They must have felt so helpless.

S2: I think that there definitely, you know, there probably were easier ways to turn off the lights to Ukrainian civilians. But I think that this was, yes, it was designed. You know, all of these cyber attacks are designed as a kind of terrorism, to make Ukrainians feel like they are under attack, like they’re in a war zone, like their government is not keeping them safe, like they are not in control. And to make the rest of the world feel that way about Ukraine as well, to, you know, keep the West’s hands off Ukraine, to prevent investment from coming into the country, to make it look like a failed state. This is, I think, cyberwar, but it’s also cyber terrorism.


S1: Roughly a year and a half later, Sandworm attacked on a new scale. If 2015 was scary and embarrassing, this was an all-encompassing whirlwind. The malware that Sandworm used this time was called NotPetya. Andy describes it as a bug that infected systems and then metastasized.

S2: Well, in 2017, Sandworm essentially hijacked the software updates of this Ukrainian accounting software called M.E.Doc. M.E.Doc is basically used by everyone in Ukraine to file taxes. It is the TurboTax or Quicken of Ukraine. It’s also used by people outside of Ukraine who do business with Ukraine or who have a Ukrainian satellite office. And Sandworm essentially corrupted those updates so that if you had a copy of M.E.Doc installed, you suddenly had a copy of NotPetya, this malicious software, installed too, and it immediately took down by some measures hundreds of companies in Ukraine. But of course, as I was saying, M.E.Doc is used outside of Ukraine, and a cyber attack like this, a self-spreading piece of code, doesn’t respect national borders. So very quickly we began to see NotPetya infections around the world, and I sort of reported this out in most detail at Maersk,


S1: the big shipping company.

S2: Yes. Yes. And inside of Maersk, you know, I talked to one I.T. administrator, for instance, who was working that day, June 27, 2017, in the afternoon, and he just saw his screen go black and kind of, you know, stood up and looked around the room to see if anybody else was having a problem. And he saw a wave of black screens across the room, just black, black, black, black, black, as NotPetya infected and destroyed every computer in Maersk’s global headquarters. And within minutes, you know, people were running down hallways, yelling at each other to turn their computers off. They were going into conference rooms and unplugging machines in the middle of meetings. They were jumping over the turnstiles between different parts of the building, because even those physical security systems had been paralyzed already by NotPetya, to try to warn other parts of the building. But of course, Maersk is not just one building in Copenhagen. This infected their global network, and very soon that meant that tens of thousands of trucks were lining up outside of Maersk terminals in ports around the world. Meanwhile, ships are arriving at these terminals with tens of thousands of cargo containers on them, and nobody knows what is in them. I mean, nobody knows how to load or unload these ships the size of the Empire State Building on its side. And that’s just one company. I mean, this also hit Merck, shut down their pharmaceutical manufacturing. They had to borrow their own HPV vaccine from the CDC because they couldn’t make enough of it. It hit the company that owns Cadbury and Nabisco. You know, it shut down medical record systems in dozens of U.S. hospitals. I could go on and on. I mean, it still kind of boggles my mind to think that this happened. And I don’t really ever think that Russia was fully held accountable for it.


S1: That’s what I was going to ask you because the attack was so big. It was so brazen. It went to so many different places. But the international community’s response did not feel particularly loud. People were indicted, but not until 2020.

S2: Right? I mean, this is what drove me crazy as I reported all of this. I mean, first, Russia caused blackouts in Ukraine. They actually attacked the power grid, before we even get to NotPetya. That was supposed to be a red line, where you can do all sorts of state-sponsored hacking and get away with it, but if you touch the power grid, that was supposed to be an act of cyberwar and it would be treated as such, you know, with real consequences. And yet nothing happened. I mean, no government around the world even said that that was Russia that had done this, except Ukraine, of course. And then, you know, that kind of invited Russia to just keep going, to go further. And when NotPetya hit, it still took eight months for anyone to say that this was Russia that had carried out the worst cyber attack in history, this $10 billion-in-damage cyber attack, and then months more before there were any kind of sanctions. So I think that’s part of why the average person is not aware, I don’t think, of NotPetya, or that it was a Russian state-sponsored attack by this military intelligence agency, because the response was so slow.


S1: As you’ve described, these attacks have caused tremendous chaos and cost, but that doesn’t seem like their entire goal. I mean, this has all been occurring sort of set against the backdrop of this long-simmering conflict between Russia and Ukraine, or we should say Russian aggression. I wonder what the political goal is here, too. Is it just to render the physical infrastructure useless? Or is it to inflict economic pain, to make Ukraine look foolish, to disrupt everyday lives? You describe this as cyber terrorism, and I’m wondering what you see the goal as.


S2: The goal of these cyber attacks shifts over time, you know, based on what Russia needs to accomplish, what the kind of tactical aims of the moment are. In, I would say, 2014, 2015, 2016, 2017, Russia was waging this war. They had sort of sparked a war in the east of Ukraine. But that was a limited war, kind of a frozen conflict, as people say, designed to weaken Ukraine, but not to reach the capital. And so these cyber attacks, I think, were a way to send a message to the rest of Ukraine that you too are vulnerable. You know, even though you’re hundreds of miles away from the fronts, we can reach you too. We can cause a blackout in the capital, in the west, in the furthest reaches of the country. You’re all subject to our sphere of influence.

S1: You talked to a Ukrainian cybersecurity consultant, and he said that essentially Sandworm was training, that they were using Ukraine as a training ground. A training ground for what?

S2: When they caused a blackout for the second time, in the capital of the country, it did seem that they were trying out new techniques. They weren’t just repeating themselves from the year before. They weren’t just doing this the simplest possible way; they were trying to innovate. And it seems like they had understood that they could get away with whatever they wanted to in Ukraine, and they might as well try live-fire exercises to develop capabilities that they could use in Ukraine, but also elsewhere in the world.

S1: When we come back, where else might that be? Andy says that part of what makes these cyber attacks so frightening and so effective is the sense of disorientation they inflict even before physical conflict begins.


S2: With this most recent ongoing invasion of Ukraine, and you know, things are changing so fast it’s hard to know what is happening or will happen next, it seems like cyber attacks have been designed to kind of prepare the battleground, in the sense of creating confusion as Ukraine tries to figure out what is going on, to scare people. But then once the physical invasion starts, I imagine, and it does seem like it is more kind of a tactical accompaniment of physical war, like we’re seeing attacks on organizations that support the military to maybe just actually confuse their command and control. Today, I’m seeing reports of a distributed denial of service attack against the Ukrainian media, who may be reporting on the events of this war. So, of course, these cyber attacks also kind of slip into the background. I mean, they are no longer the center of events. If you want to cause a blackout in Ukraine now, you hit a power station with a missile, which is absolutely happening, instead of trying to reach in with some I.T. helpdesk software.

S1: As I got ready to come in and talk to you, I was reading a blog from Symantec saying that they had seen destructive malware attacks being used, you know, kind of preceding the Russian ground attack, but then also in Lithuania. And I wonder what that says to you.

S2: Reports so far seem to indicate that those victims, those targets in Lithuania and Latvia, were actually organizations supporting the Ukrainian government. They just happened to be based in Latvia and Lithuania. So, you know, Russia doesn’t care. They’re going to hit them wherever they may be to just kind of bolster, prepare for their physical ground invasion.


S1: One thing that I have been struck by is in the past week, the U.S. and other kind of international allies have been much quicker to call out Russian cyber activity than we’ve seen in the past. There were some attacks February 15th, 16th, and the White House turned around a few days later and said GRU infrastructure was doing this. Why do you think the U.S. has been more willing to make this public so quickly? Is it just because we’re in this, you know, heightened conflict situation?

S2: I think you’re pointing to a huge sea change that is really significant. And it’s, as you say, almost the polar opposite of what I was just kind of complaining about, this situation that was driving me insane in 2015 through 2017, when Russia would get away with blackout attacks in Ukraine, the worst cyber attack in history, with no comment from any Western governments. Now, yeah, as you said, we saw these distributed denial of service attacks, which, by the way, are the equivalent of throwing rocks versus, you know, a surgical drone strike or releasing a biological weapon or something. And yet we saw within days the White House calling out not only Russia, but the specific agency, down to the agency level. You know, this name-and-shame for these very crude attacks.

S3: We have technical information that links the Russian Main Intelligence Directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains.

S2: We are learning, you know, I think we are learning as a society, our governments are learning, that they do have to respond immediately, if not to come up with a fully fleshed-out package of sanctions or something, then just to call out the rogue hackers and the rogue agencies that do this, to send a message to them that we know what you’ve done, there will be consequences, you need to cut it out right away.


S1: One thing Andy is watching is whether Russia will retaliate against international sanctions with cyber warfare outside Ukraine, something President Biden alluded to at the White House on Thursday.

S4: If Russia pursues cyber attacks against our companies, our critical infrastructure, we are prepared to respond. For months, we’ve been working closely with the private sector to harden our cyber defenses, sharpen our ability to respond to Russia’s cyber attacks as well.

S2: If we really want to talk about high-impact cyber attacks at this point, I would not be looking at Ukraine itself, but rather the after-effects of sanctions. For instance, when Western countries implement new crushing sanctions against Russia, they will lash out, and I would not be at all surprised to see cyber attacks that don’t just spread from Ukraine, you know, semi-accidentally, as NotPetya did, but are targeted at the West and are designed to punish us for what we do to Russia in retaliation for its invasion.

S1: Andy Greenberg, thank you very much.

S2: Thanks, Lizzie.

S1: Andy Greenberg is a senior writer at Wired and the author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. All right, that is it for the show today. TBD is produced by Ethan Brooks. We’re edited by Jonathan Fischer and Tori Bosch. Alicia Montgomery is the executive producer for Slate Podcasts. TBD is part of the larger What Next family, and it’s also part of Future Tense, a partnership of Slate, Arizona State University and New America. And I want to take a minute and recommend that you listen to Thursday’s episode of What Next? It’s a story about an anti-government movement in California, of all places. All right, we will be back on Sunday with another episode. I am Lizzie O’Leary. Thank you for listening.