Sandworm

A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Sandworm is the true story of the desperate hunt to identify and track an elite team of Russian agents bent on digital sabotage.

In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses—from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage—the largest, most devastating cyberattack the world had ever seen.

The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: a group known as Sandworm. Working in the service of Russia’s military intelligence agency, they represent a persistent, highly skilled force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.

A chilling, globe-spanning detective story, Sandworm considers the danger this force poses to our national security and stability. As the Kremlin’s role in foreign government manipulation comes into greater focus, Sandworm exposes the realities not just of Russia’s global digital offensive, but of an era where warfare ceases to be waged on the battlefield. It reveals how the line between digital and physical conflict, between wartime and peacetime, has begun to blur—with world-shaking implications.
 
“Sandworm is a sobering examination of an underreported story: The menace Russian hackers pose to the critical infrastructure of the West. With the nuance of a reporter and the pace of a thriller writer, Andy Greenberg gives us a glimpse of the cyberwars of the future while at the same time placing his story in the long arc of Russian and Ukrainian history.”
—Anne Applebaum, Pulitzer Prize–winning author of Gulag and Red Famine

“A terrifying and infuriating look at a future in which cyberwar hawks and cyberwar deniers join forces to literally threaten our ability to continue civilization. Sandworm shows how, in our leaders’ focus on maintaining digital weapons to attack our enemies, they’ve left our own critical infrastructure defenseless.” —Cory Doctorow, author of Little Brother and Radicalized

“Sandworm hits that sweet spot of being both informative and entertaining as hell. In a journey that hopscotches from war-torn Ukraine to shadowy chatrooms to the halls of the UN, Greenberg takes readers on the hunt for the network of Russian hackers behind the most damaging cyberattack to occur so far. It is well worth your read.” —P.W. Singer, author of Ghost Fleet and LikeWar

“The good news about Andy Greenberg’s Sandworm is that no one has ever dived so deeply into a major hack to illuminate the evolving crisis of a never-ending cyberwar. The bad news is when you finish this gripping narrative, you won’t be sleeping as soundly as you did before.” 
—Steven Levy, author of In the Plex and Hackers

“Lucid and compelling, Sandworm shows us how high-tech warfare is waged today in Eastern Europe: battlefields of computer viruses, software vulnerabilities, and faked digital fingerprints. Where foreign hackers remotely black out cities and feed false election results to television networks. Where laptops become weapons and a word processor becomes a tool to invade a nation’s critical infrastructure. The first half of Greenberg’s meticulously researched book leaves us wondering: How long before it happens here? The second provides the chilling answer.” —Clifford Stoll, author of The Cuckoo's Egg

“An in-depth investigation of what the Russian military’s best cyber unit has already done to disrupt corporations, penetrate utilities, and prepare for cyberwar. Sandworm is a sword of Damocles over the US economy that any US president has to take into account when deciding on whether and how to counter the Kremlin.” —Richard Clarke, former White House counterterrorism coordinator, author of The Fifth Domain and Cyber War

“A taut inquiry. . . . Greenberg is an adroit investigator and gifted metaphorist. His lucid, dynamic exposé is a must-read for those worried about the vulnerabilities of the digital world.” 
—Publishers Weekly

“A credible, breathless account. . . . [Greenberg] effectively captures the disturbing nature of this new global threat.” —Kirkus

“An exceptional account.” —Library Journal (starred review)

“Loaded with original reportage, Greenberg’s urgent and clarifying book will inform and worry everyone concerned about national and cyber security. . . . Readers will revel in the details Greenberg provides.” —Booklist

“Sandworm offers both a ripping narrative of a hack that broke the world and a worrying glimpse at cyberwar's rapidly evolving future.” —Wired
1

The Zero Day

Beyond the Beltway, where the D.C. intelligence-industrial complex flattens out to an endless sea of parking lots and gray office buildings marked with logos and corporate names designed to be forgotten, there’s a building in Chantilly, Virginia, whose fourth floor houses a windowless internal room. The room’s walls are painted matte black, as if to carve out a negative space where no outside light penetrates.

In 2014, just over a year before the outbreak of Ukraine’s cyberwar, this was what the small, private intelligence firm iSight Partners called the black room. Inside worked the company’s two-man team tasked with software vulnerability research, a job that required focus intense enough that its practitioners had insisted on the closest possible office layout to a sensory-deprivation chamber.

It was this pair of highly skilled cave dwellers that John Hultquist first turned to one Wednesday morning that September with a rare request. When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he’d opened an email from one of his iSight colleagues in the company’s Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability.

A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

The file Hultquist had been passed from iSight’s Ukraine office was a PowerPoint attachment. It seemed to silently pull off exactly that sort of code execution, and in Microsoft Office, one of the world’s most ubiquitous pieces of software.

As he read the email, Klaxons sounded in Hultquist’s mind. If the discovery was what the Ukrainians believed it might be, it meant some unknown hackers possessed—and had used—a dangerous capability that would allow them to hijack any of millions of computers. Microsoft needed to be warned of its flaw immediately. But in a more self-interested sense, discovering a zero day represented a milestone for a small firm like iSight hoping to win glory and woo customers in the budding security subindustry of “threat intelligence.” The company turned up only two or three of those secret flaws a year. Each one was a kind of abstract, highly dangerous curiosity and a significant research coup. “For a small company, finding a nugget like this was very, very gratifying,” Hultquist says. “It was a huge deal for us.”

Hultquist, a loud and bearish army veteran from eastern Tennessee with a thick black beard and a perpetual smile, made a point of periodically shouting from his desk into a room next door known as the bull pen. One side of that space was lined with malware experts, and the other with threat analysts focused on understanding the geopolitical motives behind digital attacks. As soon as Hultquist read the email from iSight’s Ukrainian staff, he burst out of his office and into the bull pen, briefing the room and assigning tasks to triage what would become, unbeknownst then to any of them, one of the biggest finds in the small company’s history.

But it was down the hall, in the black room, that the hacker monks within would start to grapple with the significance of iSight’s discovery: a small, hidden marvel of malicious engineering.



Working on computers whose glowing monitors were the room’s only light source, the reverse engineers began by running the Ukrainians’ malware-infected PowerPoint attachment again and again inside a series of virtual machines—ephemeral simulations of a computer housed within a real, physical one, each one of them as sealed off from the rest of the computer as the black room was from the rest of the iSight offices.

In those sealed containers, the code could be studied like a scorpion under an aquarium’s glass. They’d allow it to infect its virtual victims repeatedly, as the reverse engineers spun up simulations of different digital machines, running varied versions of Windows and Microsoft Office, to study the dimensions and flexibility of the attack. When they’d determined that the code could extract itself from the PowerPoint file and gain full control of even the latest, fully patched versions of the software, they had their confirmation: It was indeed a zero day, as rare and powerful as the Ukrainians and Hultquist had suspected. By late in the evening—a passage of time that went almost entirely unmarked within their work space—they’d produced a detailed report to share with Microsoft and their customers and coded their own version of it, a proof-of-concept rewrite that demonstrated its attack, like a pathogen in a test tube.

PowerPoint possesses “amazing powers,” as one of the black room’s two reverse engineers, Jon Erickson, explained to me. Over years of evolution, it’s become a Rube Goldberg machine packed with largely unnecessary features, so intricate that it practically serves as its own programming language. And whoever had exploited this zero day had deeply studied one feature that allowed anyone to place an information “object” inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file’s own bundle of data, or even from a remote computer over the internet.

In this case, the hackers had used the feature to carefully plant two chunks of data within the presentation. The first it loaded into a temporary folder on the target computer. The second took advantage of PowerPoint’s animation feature: PowerPoint’s animations don’t merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running. In this case, when the presentation loaded that animation file, it would run an automated script that right-clicked on the first file the presentation had planted on the machine and click “install” on the resulting drop-down menu, giving that code a foothold on the computer without tipping off its user. The result was something like a harmless-looking package left on your doorstep that, after you bring it inside, sprouts an arm, cuts itself open, and releases tiny robots into your foyer. All of this would happen immediately and invisibly, the instant the victim double-clicked the attachment to open it.
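The object-embedding feature described above is a property of the PowerPoint file format itself, and that is the thing a defender can look for before a deck is ever opened. The following Python script is an added example written for this page, not code from the book or from iSight: it treats a .pptx as the OOXML zip package it is, lists the parts stored under ppt/embeddings/, reads each .rels relationship file for entries whose TargetMode is External or whose type is an OLE object or embedded package, and flags the deck for analyst review. The PPTX it scans is a constructed, minimal stand-in built inside the script; the external target path it contains is a placeholder, and real Office files carry many more parts than this one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship types defined by the OOXML (ECMA-376) package format.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
OLE_OBJECT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PACKAGE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package"
OBJECT_TYPES = {OLE_OBJECT_TYPE, PACKAGE_TYPE}


def scan_pptx(data: bytes) -> dict:
    """Inspect a PPTX (zip) held in memory and report embedded objects and external links.

    Nothing in the file is rendered or executed; the scanner only reads part names
    and the .rels relationship files that tie slides to the objects they reference.
    """
    findings = {"embedded_parts": [], "external_targets": [], "object_rels": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Objects inserted into slides are stored as parts under ppt/embeddings/.
            if name.startswith("ppt/embeddings/"):
                findings["embedded_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                # TargetMode="External" means the content is fetched from outside the
                # file (a path, share or URL) rather than from the deck's own bundle.
                if mode == "External":
                    findings["external_targets"].append((name, target))
                if rtype in OBJECT_TYPES:
                    findings["object_rels"].append((name, target, mode))
    return findings


def is_suspicious(findings: dict) -> bool:
    """A deck with any embedded object or external target deserves analyst review."""
    return bool(findings["embedded_parts"] or findings["external_targets"] or findings["object_rels"])


def build_sample_pptx(with_external_object: bool) -> bytes:
    """Build a constructed, minimal PPTX-shaped zip for demonstration only.

    This is not a real Office document: it carries just the parts the scanner reads,
    and the external target below is a placeholder, not a real indicator.
    """
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="%s">' % REL_NS,
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>',
    ]
    if with_external_object:
        rels.append('<Relationship Id="rId2" Type="%s" TargetMode="External" Target="file:///PLACEHOLDER/remote-object"/>' % OLE_OBJECT_TYPE)
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "\n".join(rels))
        if with_external_object:
            zf.writestr("ppt/embeddings/oleObject1.bin", b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        result = scan_pptx(build_sample_pptx(flag))
        label = "deck with external object" if flag else "plain deck"
        print(label, "->", "REVIEW" if is_suspicious(result) else "clean", result)
```

The check is purely format-level: it tells an analyst that a deck references something outside itself, not whether that something is malicious. Deciding the latter is what the sandboxed detonation in the black room was for, and a triage scan like this one is the cheap filter that decides which attachments are worth that effort.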

Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said.

But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle. He was admiring the first hints of a remote, malevolent intelligence.

2

BlackEnergy

Once iSight’s initial frenzy surrounding its zero-day discovery had subsided, the questions remained: Who had written the attack code? Whom were they targeting with it, and why?

Those questions fell to Drew Robinson, a malware analyst at iSight whom John Hultquist described as a “daywalker”: Robinson possessed most of the same reverse-engineering skills as the black room’s vampire crew but sat in the sunlit bull pen next to Hultquist’s office, responsible for a far wider angle analysis of hacking campaigns, from the personnel who carried them out to their political motives. It would be Robinson’s job to follow the technical clues within that PowerPoint to solve the larger mysteries of the hidden operation it represented.

Minutes after Hultquist had walked into the bull pen to announce the all-hands-on-deck discovery of the PowerPoint zero day that Wednesday morning, Robinson was poring over the contents of the booby-trapped attachment. The actual presentation itself seemed to be a list of names written in Cyrillic characters over a blue-and-yellow Ukrainian flag, with a watermark of the Ukrainian coat of arms, a pale blue trident over a yellow shield. Those names, Robinson found after using Google Translate, were a list of supposed “terrorists”—those who sided with Russia in the Ukrainian conflict that had begun earlier that year when Russian troops invaded the east of the country and its Crimean peninsula, igniting separatist movements there and sparking an ongoing war.

That the hackers had chosen an anti-Russian message to carry their zero-day infection was Robinson’s first clue that the email was likely a Russian operation with Ukrainian targets, playing on the country’s patriotism and fears of internal Kremlin sympathizers. But as he searched for clues about the hackers behind that ploy, he quickly found another loose thread to pull. When the PowerPoint zero day executed, the file it dropped on a victim’s system turned out to be a variant of a piece of notorious malware, soon to become far more notorious still. It was called BlackEnergy.

BlackEnergy’s short history up to that point already contained, in some sense, its own primer on the taxonomy of common hacking operations, from the lowliest “script kiddies”—hackers so unskilled that they could generally only use tools written by someone more knowledgeable—to professional cybercriminals. The tool had originally been created by a Russian hacker named Dmytro Oleksiuk, also known by his handle, Cr4sh. Around 2007, Oleksiuk had sold BlackEnergy on Russian-language hacker forums, priced at around $40, with his handle emblazoned like a graffiti tag in a corner of its control panel.

The tool was designed for one express purpose: so-called distributed denial-of-service, or DDoS, attacks designed to flood websites with fraudulent requests for information from hundreds or thousands of computers simultaneously, knocking them off-line. Infect a victim machine with BlackEnergy, and it became a member of a so-called botnet, a collection of hijacked computers, or bots. A botnet operator could configure Oleksiuk’s user-friendly software to control which web target its enslaved machines would pummel with spoofed requests as well as the type and rate of that digital bombardment.

By late 2007, the security firm Arbor Networks counted more than thirty botnets built with BlackEnergy, mostly aiming their attacks at Russian websites. But on the spectrum of cyberattack sophistication, distributed denial-of-service attacks were largely crude and blunt. After all, they could cause costly downtime but not the serious data breaches inflicted by more penetrating hacking techniques.

In the years that followed, however, BlackEnergy had evolved. Security firms began to detect a new version of the software, now equipped with an arsenal of interchangeable features. This revamped version of the tool could still hit websites with junk traffic, but it could also be programmed to send spam email, destroy files on the computers it had infested, and steal banking usernames and passwords.

Now, before Robinson’s eyes, BlackEnergy had resurfaced in yet another form. The version he was looking at from his seat in iSight’s bull pen seemed different from any he’d read about before—certainly not a simple website attack tool, and likely not a tool of financial fraud, either. After all, why would a fraud-focused cybercrime scheme be using a list of pro-Russian terrorists as its bait? The ruse seemed politically targeted. From his first look at the Ukrainian BlackEnergy sample, he began to suspect he was looking at a variant of the code with a new goal: not mere crime, but espionage.
© Joe Pugliese
Andy Greenberg is an award-winning senior writer for Wired, covering security, privacy, information freedom, and hacker culture. He's the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His previous book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, as well as excerpts from it published in Wired, won awards including a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Before coming to Wired, Greenberg worked as a senior reporter for Forbes magazine. He lives in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.

About

Sandworm is the true story of the desperate hunt to identify and track an elite team of Russian agents bent on digital sabotage.

In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses—from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage—the largest, most devastating cyberattack the world had ever seen.

The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: a group known as Sandworm. Working in the service of Russia’s military intelligence agency, they represent a persistent, highly skilled force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.

A chilling, globe-spanning detective story, Sandworm considers the danger this force poses to our national security and stability. As the Kremlin’s role in foreign government manipulation comes into greater focus, Sandworm exposes the realities not just of Russia’s global digital offensive, but of an era where warfare ceases to be waged on the battlefield. It reveals how the line between digital and physical conflict, between wartime and peacetime, have begun to blur—with world-shaking implications.
 
Sandworm is a sobering examination of an underreported story: The menace Russian hackers pose to the critical infrastructure of the West. With the nuance of a reporter and the pace of a thriller writer, Andy Greenberg gives us a glimpse of the cyberwars of the future while at the same time placing his story in the long arc of Russian and Ukrainian history.”
—Anne Applebaum, Pulitzer Prize–winning author of Gulag and Red Famine

“A terrifying and infuriating look at a future in which cyberwar hawks and cyberwar deniers join forces to literally threaten our ability to continue civilization. Sandworm shows how, in our leaders’ focus on maintaining digital weapons to attack our enemies, they’ve left our own critical infrastructure defenseless.” —Cory Doctorow, author of Little Brother and Radicalized

Sandworm hits that sweet spot of being both informative and entertaining as hell. In a journey that hopscotches from war-torn Ukraine to shadowy chatrooms to the halls of the UN, Greenberg takes readers on the hunt for the network of Russian hackers behind the most damaging cyberattack to occur so far. It is well worth your read.” —P.W. Singer, author of Ghost Fleet and LikeWar

“The good news about Andy Greenberg’s Sandworm is that no one has ever dived so deeply into a major hack to illuminate the evolving crisis of a never-ending cyberwar. The bad news is when you finish this gripping narrative, you won’t be sleeping as soundly as you did before.” 
—Steven Levyauthor of In the Plex and Hackers

“Lucid and compelling, Sandworm shows us how high-tech warfare is waged today in Eastern Europe: battlefields of computer viruses, software vulnerabilities, and faked digital fingerprints. Where foreign hackers remotely black out cities and feed false election results to television networks. Where laptops become weapons and a word processor becomes a tool to invade a nation’s critical infrastructure. The first half of Greenberg’s meticulously researched book leaves us wondering: How long before it happens here? The second provides the chilling answer.” —Clifford Stoll, author of The Cuckoo's Egg

“An in-depth investigation of what the Russian military’s best cyber unit has already done to disrupt corporations, penetrate utilities, and prepare for cyberwar. Sandworm is a sword of Damocles over the US economy that any US president has to take into account when deciding on whether and how to counter the Kremlin.” —Richard Clarke, former White House counterterrorism coordinator, author of The Fifth Domain and Cyber War

“A taut inquiry. . . . Greenberg is an adroit investigator and gifted metaphorist. His lucid, dynamic exposé is a must-read for those worried about the vulnerabilities of the digital world.” 
—Publishers Weekly

“A credible, breathless account. . . . [Greenberg] effectively captures the disturbing nature of this new global threat.” —Kirkus

“An exceptional account.” —Library Journal (starred review)

“Loaded with original reportage, Greenberg’s urgent and clarifying book will inform and worry everyone concerned about national and cyber security. . . . Readers will revel in the details Greenberg provides.” —Booklist

Sandworm offers both a ripping narrative of a hack that broke the world and a worrying glimpse at cyberwar's rapidly evolving future.” —Wired

Excerpt

1

The Zero Day

Beyond the Beltway, where the D.C. intelligence-­industrial complex flattens out to an endless sea of parking lots and gray office buildings marked with logos and corporate names designed to be forgotten, there’s a building in Chantilly, Virginia, whose fourth floor houses a windowless internal room. The room’s walls are painted matte black, as if to carve out a negative space where no outside light penetrates.

In 2014, just over a year before the outbreak of Ukraine’s cyberwar, this was what the small, private intelligence firm iSight Partners called the black room. Inside worked the company’s two-­man team tasked with software vulnerability research, a job that required focus intense enough that its practitioners had insisted on the closest possible office layout to a sensory-­deprivation chamber.

It was this pair of highly skilled cave dwellers that John Hultquist first turned to one Wednesday morning that September with a rare request. When Hultquist had arrived at his desk earlier that day in a far-­better-­lit office, one with actual windows on the opposite side of the iSight building, he’d opened an email from one of his iSight colleagues in the company’s Ukraine satellite operation. Inside, he found a gift: The Kiev-­based staff believed they might have gotten their hands on a zero-­day vulnerability.

A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—­a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

The file Hultquist had been passed from iSight’s Ukraine office was a PowerPoint attachment. It seemed to silently pull off exactly that sort of code execution, and in Microsoft Office, one of the world’s most ubiquitous pieces of software.

As he read the email, Klaxons sounded in Hultquist’s mind. If the discovery was what the Ukrainians believed it might be, it meant some unknown hackers possessed—­and had used—­a dangerous capa­bility that would allow them to hijack any of millions of computers. Microsoft needed to be warned of its flaw immediately. But in a more self-­interested sense, discovering a zero day represented a milestone for a small firm like iSight hoping to win glory and woo customers in the budding security subindustry of “threat intelligence.” The company turned up only two or three of those secret flaws a year. Each one was a kind of abstract, highly dangerous curiosity and a significant research coup. “For a small company, finding a nugget like this was very, very gratifying,” Hultquist says. “It was a huge deal for us.”

Hultquist, a loud and bearish army veteran from eastern Tennessee with a thick black beard and a perpetual smile, made a point of periodically shouting from his desk into a room next door known as the bull pen. One side of that space was lined with malware experts, and the other with threat analysts focused on understanding the geopolitical motives behind digital attacks. As soon as Hultquist read the email from iSight’s Ukrainian staff, he burst out of his office and into the bull pen, briefing the room and assigning tasks to triage what would become, unbeknownst then to any of them, one of the biggest finds in the small company’s history.

But it was down the hall, in the black room, that the hacker monks within would start to grapple with the significance of iSight’s discovery: a small, hidden marvel of malicious engineering.



Working on computers whose glowing monitors were the room’s only light source, the reverse engineers began by running the Ukrainians’ malware-­infected PowerPoint attachment again and again inside a series of virtual machines—­ephemeral simulations of a computer housed within a real, physical one, each one of them as sealed off from the rest of the computer as the black room was from the rest of the iSight offices.

In those sealed containers, the code could be studied like a scorpion under an aquarium’s glass. They’d allow it to infect its virtual victims repeatedly, as the reverse engineers spun up simulations of different digital machines, running varied versions of Windows and Microsoft Office, to study the dimensions and flexibility of the attack. When they’d determined that the code could extract itself from the PowerPoint file and gain full control of even the latest, fully patched versions of the software, they had their confirmation: It was indeed a zero day, as rare and powerful as the Ukrainians and Hultquist had suspected. By late in the evening—­a passage of time that went almost entirely unmarked within their work space—­they’d produced a detailed report to share with Microsoft and their customers and coded their own version of it, a proof-­of-­concept rewrite that demonstrated its attack, like a pathogen in a test tube.

PowerPoint possesses “amazing powers,” as one of the black room’s two reverse engineers, Jon Erickson, explained to me. Over years of evolution, it’s become a Rube Goldberg machine packed with largely unnecessary features, so intricate that it practically serves as its own programming language. And whoever had exploited this zero day had deeply studied one feature that allowed anyone to place an information “object” inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file’s own bundle of data, or even from a remote computer over the internet.

In this case, the hackers had used the feature to carefully plant two chunks of data within the presentation. The first it loaded into a temporary folder on the target computer. The second took advantage of PowerPoint’s animation feature: PowerPoint’s animations don’t merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running. In this case, when the presentation loaded that animation file, it would run an automated script that right-­clicked on the first file the presentation had planted on the machine and click “install” on the resulting drop-­down menu, giving that code a foothold on the computer without tipping off its user. The result was something like a harmless-­looking package left on your doorstep that, after you bring it inside, sprouts an arm, cuts itself open, and releases tiny robots into your foyer. All of this would happen immediately and invisibly, the instant the victim double-­clicked the attachment to open it.

Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—­the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said.

But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-­out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle. He was admiring the first hints of a remote, malevolent intelligence.

2

BlackEnergy

Once iSight’s initial frenzy surrounding its zero-­day discovery had subsided, the questions remained: Who had written the attack code? Whom were they targeting with it, and why?

Those questions fell to Drew Robinson, a malware analyst at iSight whom John Hultquist described as a “daywalker”: Robinson possessed most of the same reverse-­engineering skills as the black room’s vampire crew but sat in the sunlit bull pen next to Hultquist’s office, responsible for a far wider angle analysis of hacking campaigns, from the personnel who carried them out to their political motives. It would be Robinson’s job to follow the technical clues within that PowerPoint to solve the larger mysteries of the hidden operation it represented.

Minutes after Hultquist had walked into the bull pen to announce the all-hands-on-deck discovery of the PowerPoint zero day that Wednesday morning, Robinson was poring over the contents of the booby-trapped attachment. The actual presentation itself seemed to be a list of names written in Cyrillic characters over a blue-and-yellow Ukrainian flag, with a watermark of the Ukrainian coat of arms, a pale blue trident over a yellow shield. Those names, Robinson found after using Google Translate, were a list of supposed “terrorists”—those who sided with Russia in the Ukrainian conflict that had begun earlier that year when Russian troops invaded the east of the country and its Crimean peninsula, igniting separatist movements there and sparking an ongoing war.

That the hackers had chosen an anti-Russian message to carry their zero-day infection was Robinson’s first clue that the email was likely a Russian operation with Ukrainian targets, playing on the country’s patriotism and fears of internal Kremlin sympathizers. But as he searched for clues about the hackers behind that ploy, he quickly found another loose thread to pull. When the PowerPoint zero day executed, the file it dropped on a victim’s system turned out to be a variant of a piece of notorious malware, soon to become far more notorious still. It was called BlackEnergy.

BlackEnergy’s short history up to that point already contained, in some sense, its own primer on the taxonomy of common hacking operations, from the lowliest “script kiddies”—hackers so unskilled that they could generally only use tools written by someone more knowledgeable—to professional cybercriminals. The tool had originally been created by a Russian hacker named Dmytro Oleksiuk, also known by his handle, Cr4sh. Around 2007, Oleksiuk had sold BlackEnergy on Russian-language hacker forums, priced at around $40, with his handle emblazoned like a graffiti tag in a corner of its control panel.

The tool was designed for one express purpose: so-called distributed denial-of-service, or DDoS, attacks designed to flood websites with fraudulent requests for information from hundreds or thousands of computers simultaneously, knocking them off-line. Infect a victim machine with BlackEnergy, and it became a member of a so-called botnet, a collection of hijacked computers, or bots. A botnet operator could configure Oleksiuk’s user-friendly software to control which web target its enslaved machines would pummel with spoofed requests as well as the type and rate of that digital bombardment.

By late 2007, the security firm Arbor Networks counted more than thirty botnets built with BlackEnergy, mostly aiming their attacks at Russian websites. But on the spectrum of cyberattack sophistication, distributed denial-of-service attacks were largely crude and blunt. After all, they could cause costly downtime but not the serious data breaches inflicted by more penetrating hacking techniques.

In the years that followed, however, BlackEnergy had evolved. Security firms began to detect a new version of the software, now equipped with an arsenal of interchangeable features. This revamped version of the tool could still hit websites with junk traffic, but it could also be programmed to send spam email, destroy files on the computers it had infested, and steal banking usernames and passwords.

Now, before Robinson’s eyes, BlackEnergy had resurfaced in yet another form. The version he was looking at from his seat in iSight’s bull pen seemed different from any he’d read about before—certainly not a simple website attack tool, and likely not a tool of financial fraud, either. After all, why would a fraud-focused cybercrime scheme be using a list of pro-Russian terrorists as its bait? The ruse seemed politically targeted. From his first look at the Ukrainian BlackEnergy sample, he began to suspect he was looking at a variant of the code with a new goal: not mere crime, but espionage.

Author

© Joe Pugliese
Andy Greenberg is an award-winning senior writer for Wired, covering security, privacy, information freedom, and hacker culture. He's the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His previous book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, as well as excerpts from it published in Wired, won awards including a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Before coming to Wired, Greenberg worked as a senior reporter for Forbes magazine. He lives in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.