The cyberattacks that crippled Ukraine’s public infrastructure a few years ago likely didn’t appear on many security teams’ radar screens at that time. And yet, over the past few years, detailed evidence has emerged about the Russian government-sponsored Sandworm hacker group, revealing why DevOps teams should be on high alert.
The Sandworm hacker group is allegedly responsible for unleashing Petya, NotPetya and other malware that have generated billions of dollars in damage worldwide, including targets in the U.S. This is in addition to documented Russian-sponsored hacks of the U.S. Democratic Party ahead of the U.S. elections in 2016 and other attacks.
Also concerning is how the U.S. government has created malware that, once leaked, was also used by criminal hackers. Stuxnet, for example, which has been widely reported to have been created by U.S. and Israeli cyber operatives to thwart Iran’s nuclear research at Natanz, was later the source of malware variants used for ransomware and other attacks.
At the same time, as Wired writer Andy Greenberg discloses in his book “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” delays have occurred between the time when malware has been released and when the U.S. government even acknowledges the cyberattacks and communicates patches. Only in October, for example, did the U.S. government formally acknowledge the existence of the Sandworm hacker group in a court of law, by indicting its members — officers in the intelligence branch of the Russian army — in a U.S. federal court.
However, the U.S. government’s involvement in, and lack of action against, the spread of malware are just two of the themes in Greenberg’s book. The book also provides a very well-researched, well-written and comprehensive overview of the Sandworm hacking group and its attacks in Ukraine. The core sources in “Sandworm” are analysts and threat incident responders. Chapters are also devoted to the geopolitical stakes Ukraine holds for both Russia and the NATO bloc, spanning Russia’s often bloody and repressive involvement in the country’s internal affairs.
Greenberg spoke with The New Stack about the release of the paperback version of “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” which has been updated with more information about Sandworm. The updated version of the book also provides more insights into Russian and U.S. government-created malware attacks and what the ongoing international cyber warfare, featuring malware as weaponry, means for DevSecOps.
What are the main takeaways your book offers for the software developer community?
The arc of the book is about how Sandworm was carrying out these unprecedented attacks in Ukraine, including two blackout attacks. Those alone were very interesting to me: they were making it clear that this group was willing to do attacks on civilian critical infrastructure that nobody else was doing anywhere else in the world. That’s when I started tracking Sandworm. But then, just after I published that first “Wired” cover story about these Sandworm attacks, they released this piece of malware called NotPetya in Ukraine that was an automated self-spreading worm that spread across Ukraine, and then the rest of the world, costing $10 billion in damages. It took some time to realize the scale of NotPetya and how it really was the worst cyberattack in history. And not only was it tied to Sandworm, but it was actually the same hackers that had done this.
Until then, it was kind of a story about Ukraine and it was sort of speculative, like, would these Sandworm hackers do the same thing they did in Ukraine somewhere else in the world, like the U.S. or Western Europe? But with NotPetya, the Ukrainian cyberwar literally did spill out into the rest of the world and cost the entire global Internet huge monetary damages. That was what triggered me to write this book.
So, it appears that the U.S. government has remained aware of Sandworm’s and the Russian government’s involvement in cyberattacks against U.S. interests for years, as you detail in your book? Maybe more pressure should be placed on the government to give more protection and information to IT security teams to protect their organizations?
It might be helpful just to talk through NotPetya as an example, because there were three different kinds of vulnerabilities that were all kind of packaged up together to make NotPetya effective, that allowed it to spread and cause so much damage. One was Mimikatz, which is an open source hacking tool and is a good example because it’s a tool that was created by [French programmer] Benjamin Delpy to get Microsoft to fix a vulnerability in Windows. And, so, he successfully pressured Microsoft to make Windows more secure, but he’s constantly updating Mimikatz with more hacking techniques that take advantage of issues in Windows authentication… Microsoft could have done more to make it harder to scoop those passwords out. Basically, once you’ve got a foothold on a machine, you can scoop the passwords out of memory and then use them to pivot around and access other machines on the network.
So, that’s one way where Microsoft probably could have done more. Then there’s another aspect: EternalBlue, this leaked NSA hacking tool [which was] a secret zero-day hacking technique that the NSA [U.S. National Security Agency] had — and there, Microsoft kind of did everything it could. EternalBlue exploited a secret vulnerability in Windows. And once it became clear that the tool had been stolen by this mysterious hacker group, the Shadow Brokers, the NSA warned Microsoft, and [Microsoft] put out a patch. And the problem is that patching is a kind of epidemiological problem, and it was hard to get everyone to patch, even for a very severe vulnerability. And so, Microsoft didn’t really do anything wrong there. And if anything, the fault, I think, lies at least in part with the NSA, for having kept this zero-day exploit secret for so long. Even when they helped Microsoft to release a patch, there wasn’t enough time to get that patch installed everywhere in the world.
So, EternalBlue did massive damage around the world, despite the NSA’s efforts to get it patched. So, there’s some fault there with the intelligence community — they have to balance their need to hold on to zero-days for offensive purposes and their responsibility to protect Americans who could be victimized using those same secret vulnerabilities. And, ultimately, EternalBlue was a case that really shows the worst-case scenario of how those secret vulnerabilities held by our own intelligence communities can come back to bite us.
What role should the U.S. and other governments play? Who is to blame?
The blame is on governments around the world that have failed to try to deter these extremely aggressive and sophisticated nation-state hackers from doing these things. We cannot really lock every window and lock every door and keep out hackers who are this advanced and persistent. We have to try to change their calculus and make them realize that they will be punished, they’ll be held accountable, that there are red lines that they shouldn’t cross. And I don’t mean Sandworm so much as Sandworm’s bosses in the Russian military intelligence agency and in the Kremlin, and as a whole, I think they need to understand that they should feel that it’s not worth it for them to do these terribly destructive things. That is ultimately how you control this problem.
The story of the book “Sandworm” is the story of how global governments in the West, like the United States and Western Europe, just totally ignored this cyberwar unfolding in Ukraine. One attack after another that Sandworm was carrying out should have been condemned, from the get-go. Sandworm was doing things in Ukraine that were obviously unacceptable, that crossed every red line we’ve ever tried to set in terms of norms for acceptable use of hacking on the global stage. They were attacking one piece of civilian critical infrastructure after another, with total recklessness, including blackout attacks, these kinds of quintessential acts of cyberwar against civilian targets — and nobody said anything. No Western governments ever said anything about Sandworm, never condemned them, never imposed sanctions… never even put out a press release.