Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

by Andy Greenberg

30 popular highlights from this book

Key Insights & Memorable Quotes

Below are the most popular and impactful highlights and quotes from Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers:

“It’s clear where the world is going. We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the Internet. Think about what it will mean for the world when those devices are the subject of attack.” Then he made his pitch. “The world needs a new, digital Geneva Convention.”
“If you want to play well, you can’t afford to hate your opponent.”
“It’s clear where the world is going. We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the Internet. Think about what it will mean for the world when those devices are the subject of attack.” Then he made his pitch. “The world needs a new, digital Geneva Convention. It needs new rules of the road,” Smith said, intoning the words slowly for emphasis. “What we need is an approach that governments will adopt that says they will not attack civilians in times of peace, they will not attack hospitals, they will not attack the electrical grid, they will not attack the political processes of other countries.”
“Distributed across the world, and in a far more concentrated sense for Ukraine itself, NotPetya was the “electronic Pearl Harbor” that John Hamre had first warned of in 1997.”
“the midst of that fog of confusion and misdirection, a leak to The Washington Post’s Ellen Nakashima cut through with an unequivocal statement. Her headline: “Russian Spies Hacked the Olympics and Tried to Make It Look Like North Korea Did It, U.S. Officials Say.” Again, the Post cited anonymous U.S. intelligence sources—two of them—who claimed that the GRU’s Main Center for Special Technology was behind the attack, the same hackers responsible for NotPetya. Olympic Destroyer, it seemed to follow, was the work of Sandworm, or at least its colleagues at the same agency.”
“Sandworm was not some aberrant or rogue element in the Russian armed forces. It was a direct expression of the strategy of its most senior leaders.”
“Somehow, he argued, societies need to build or maintain backup systems that are disconnected from interdependent, fragile modern networks. Often, that means an analog alternative.”
“But the largest of those blind spots, perhaps, can be found in the West’s attitude to Ukraine and silence in the face of the cyberwar afflicting it. For a decade, the United States had treated Russian cyberattacks on its neighbors—Estonia, Georgia, and Ukraine, above all—as a “distant” problem. The Obama administration had watched since 2015 as Ukraine became a helpless victim and a nation-sized laboratory for Russia’s cruelest hacking techniques. It allowed those hackers to cross one red line after another, including not one but two unprecedented blackout attacks.”
“The story of Sandworm shows how that geography helped make Ukraine a beachhead for cyberwar, too; there’s little chance the West would have tolerated the same scale of digital attacks if they had been inflicted beyond Ukraine’s embattled borders, against NATO or the”
“It is simply good military practice. War is war. It sounds simple, but many Americans seem to believe that there should be a gentlemen’s code, that war should be fought by soldiers in remote battlefields. Americans believe that war should be sterile, because it has never hit their home soil since the Civil War of 130 years ago, and even then, only in the south-eastern part of the country. Russia has been rampaged for centuries by every would-be world conqueror. Millions of Russians have died on their homeland during wars. This is a feeling Americans do not know. The only way you get an enemy to submit is by bringing the war to its people.”
“But as the Olympics began, the North had seemed as if it were experimenting with a friendlier approach. The North Korean dictator, Kim Jong Un, had sent his sister as a diplomatic emissary to the games and had invited South Korea’s president, Moon Jae-in, to visit the North Korean capital of Pyongyang. The two countries had even taken the surprising step of combining their Olympic women’s hockey teams in a show of friendship. Why would North Korea launch a disruptive cyberattack in the midst of that charm offensive?”
“Nakashima’s report didn’t merely suggest that the U.S. government strongly believed the Russian state was behind the attack. It also went on to name the exact organization NotPetya’s programmers worked for: the Main Center for Special Technology, or GTsST, a part of Russia’s military spy agency known as the Main Intelligence Directorate, or Glavnoye Razvedyvatel’noye Upravleniye, commonly referred to by its Russian acronym. The GRU.”
“The White House would never publicly back up its statement with evidence. But it had promised consequences, and a month later those consequences arrived: The U.S. Treasury announced new sanctions against nineteen people and five organizations.”
“But by the beginning of 2018, they were adding up to something remarkable: A single agency within the Russian government was responsible for at least three of the most brazen hacking milestones in history, all in just the past three years. The GRU, it now seemed, had masterminded the first-ever hacker-induced blackouts, the plot to interfere in a U.S. presidential election, and the most destructive cyberweapon ever released. A larger question now began to loom in my mind: Who are the GRU?”
“Anyone who thinks this was accidental is engaged in wishful thinking,” Williams said. “This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.”
“The inherent geography of this domain is that everything plays to the offense.” Nearly a decade later, Hayden’s cynical words still ring true—even if he was off by a few hundred miles. On the internet, we are all Ukraine. In a dimension of conflict without borders, we all live on the front line. And if we fail to heed the borderland’s warnings, we may all share its fate.”
“He meant that Sandworm was Unit 74455 of the GRU.”
“Even so, Oh still smoldered when he thought back to the night of the opening ceremony. “For me, the Olympics are about peace. It still makes me furious that without any clear purpose, someone hacked this event,” he told me months later. “If we hadn’t solved it, it would have been a huge black mark on these games of peace. I can only hope that the international community can figure out a way that this will never happen again.”
“Americans ignored Ukraine’s escalating cyberwar in the face of repeated warnings that the attacks there would soon spread to the rest of the world. Then, very suddenly, exactly that scenario played out, at an immense cost.”
“now, deep in the folds of false flags wrapped around the Olympic malware, Soumenkov had found one flag that was provably false. It was now perfectly clear that someone had tried to make the malware look North Korean and only failed due to a slipup in one instance and through Soumenkov’s fastidious triple-checking. “It’s a completely verifiable false flag. We can say with 100 percent confidence this is false, so it’s not the Lazarus Group,” Soumenkov would later say in a presentation at the Kaspersky Security Analyst Summit, using the name for the hackers widely believed to be North Korean. Still,”
“That seeming indifference, particularly on the part of the United States, was maddening. Was President Trump’s unwillingness to acknowledge the Russian hacking that had aided his campaign now extending to all Russian hacking, no matter how destructive? Or was his administration simply incompetent or misinformed? “They’ve never even named the actor,” Rob Lee told me in late 2017, marveling at the government’s continued nonresponse to Sandworm’s provocations. “NotPetya tested the red lines of the West, and the result of the test was that there are no red lines yet,” Johns Hopkins’s Thomas Rid said. “The lack of any proper response is almost an invitation to escalate more.”
“The Soviet regime manufactured a famine in Ukraine that would kill 3.9 million people, a tragedy of unimaginable scope that’s known today as the Holodomor, a combination of the Ukrainian words for “hunger” and “extermination.” The”
“Along with its unprecedented devastation, Sandworm’s NotPetya worm left in its wake six months of inexplicable silence. For the rest of the summer, the fall, and into the winter of 2017, no victim of NotPetya outside Ukraine would name Russia as the perpetrator of the attack. Nor did any government other than Ukraine’s speak out to name the Kremlin. Russia seemed to have launched a cyberwar weapon that had crossed countless borders, violated practically every norm of state-sponsored hacking imaginable, and yet earned not a single reproach from the West. Three”
“If they’d wished to, they could have carefully avoided the vast majority of collateral damage, instead coordinating a campaign of precision-guided missile strikes.”
“With those four sentences displayed on a page of the White House website, the U.S. government had finally, publicly acknowledged Russia’s cyberwar in Ukraine. That acknowledgment had come nearly three and a half years after the siege had begun and almost eight months after it exploded out to the rest of the world.”
“But that soldier mentality also meant GRU hackers had fewer qualms about carrying out high-risk or even highly destructive campaigns, Galeotti said. The agency maintains a macho, military culture that rewards risk taking, even to the point of shortsightedness.”
“In fact, the evidence of Russia’s responsibility was already clear enough for me. Anton Cherepanov at ESET had published his analysis of the meshed lines of forensic clues showing that Sandworm was very likely behind NotPetya. Reams of other public reporting showed that the same group was responsible for the escalating cyberwar in Ukraine, including its two blackouts, all signs pointing to the Kremlin’s culpability.”
“Yes, they seemed to be Russian and almost certainly controlled by the Russian government. But I wanted more.”
“Cyberattacks on nonmilitary, physical infrastructure, Lee believed, were a class of weapon that ought to be considered, along with cluster bombs and biological weapons, simply too dangerous and uncontrollable for any ethical nation to wield.”
“Russia? North Korea? China? The deeper forensic analysts looked, the further they seemed to be from a definitive conclusion.”
