Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

The Vergecast

Automatic transcript

This week's interview episode has Andy Greenberg, senior writer at Wired. He just wrote a book called Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. It is all about a hacking group inside of the Russian government called Sandworm. They were responsible for the most damaging cyber warfare attacks over the past year; they're behind NotPetya, the hack that took out the Maersk shipping line and hospitals across the UK. Sandworm has totally escalated what we think of as cyber war, and his book gets all into how they were discovered, how they were flushed out, the intricacies of these various hacks. It's super interesting. The book is a thrill ride. If you're looking for something that isn't about the virus, this is like a thriller. Highly recommended. It was really fun to talk to him about this stuff. One thing I want to note: we're all at home, so during this interview you might hear some kids in the background. I ask you to just be a little forgiving; we're all dealing with it, and it was a great interview. Check out Andy Greenberg, author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

Andy Greenberg, you're a senior writer at Wired. You're also the author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Welcome.

Glad to be here.

So you've been writing about cybersecurity for a long time, I think you just said since 2006, but this book, Sandworm, as I was reading it, it's called "A New Era of Cyberwar," and it seems like there's been a huge turn in state-sponsored, particularly Russian-sponsored, cyber attacks. How did you come onto that notion? How did you begin writing this book? I'm very curious how you see that turn happening.
In late 2016, my former colleague Kim Zetter, she had been the one who really covered state-sponsored hacking and cyber war stuff, but she left Wired, and this was also at the time when, you know, Russian hackers were meddling in the US election. They'd hacked the Democratic National Committee and the Democratic Congressional Campaign Committee and the Clinton campaign, so my editors were really primed on state-sponsored hacking all of a sudden. But what they told me they wanted was actually like a big takeover of the whole magazine, all about cyber war. But cyber war to me is different than those kinds of espionage, election-meddling tactics, so I went looking for a real cyber war story, which means to me actual disruptive cyber attacks. And as I looked around, it seemed like the place where that was really happening was in Ukraine, not really in the US. In fact, what was happening in Ukraine seemed to me like it was in some ways the only real full-blown cyber war that was actually occurring, where Russian hackers were not just attacking the election, which they had done (they tried to spoof the results of a presidential election), but they had also attacked media and destroyed their computers. They had attacked government agencies and tried to destroy entire networks, and then they had turned off the power for the first time, in December of 2015, the first actual blackout triggered by hackers. And just as I was looking into this, it happened again: the same hacker group caused a blackout, this time in the capital of Kiev. So I went looking in Ukraine for this cyber war story. That turned into a cover story for Wired that kind of gave editors what they wanted, but then also kept unfolding. This cyber war kept growing in scope and scale.
The original story I wrote for Wired was kind of about the fact that you could look to Ukraine to see the future of cyber war, that what was happening there might soon spread to the rest of the world. And that is actually what happened: just after we published that cover story, the same hackers released this climactic, terrible cyber attack in Ukraine called NotPetya that spread beyond Ukraine and became the worst cyber attack in history, cost ten billion dollars. So when that happened, that was when I saw that there was potential to do a book about this, that it was not just a kind of case study about Ukraine or even a kind of predictive story, but an actual full story arc about this one group that had carried out what I would say was not only the first real cyber war, but the worst cyber attack in history. And, you know, I wanted to capture the arc of that story and the effects, the real experience of cyber war.

Yeah, so the group is called Sandworm, and this is just one of the sort of opening arcs of the book, how they've come to be named this, because of references in code. Walk people through it, just like it's so relatable that even these hackers are using this language that leads them to be called Sandworm. Tell people about it.

So when I started to look into the origins of this group after that second blackout attack, I found that this company called iSight Partners, which has been acquired by FireEye, iSight Partners was the first to find these hackers in 2014, basically using phishing and kind of typical espionage tactics to plant malware in the networks of typical Russian hacking targets like groups across Eastern Europe and NATO. And it looked like what they were doing was just kind of typical espionage. They were planting this malware called BlackEnergy. Well, first of all, they could see that they were Russian, because they had this server that they were using to administer some of these attacks, and they left the server so anybody could look at it, and there was a kind of Russian-language file for how to use BlackEnergy on the server. So these guys seemed like they were Russian, but even more interesting in some ways was that, to track each victim, each instance of BlackEnergy, this malware had a little campaign code, and each campaign code was a reference to the science fiction novel Dune. And, you know, so one of them was something about Arrakis, and then one of them is about the Sardaukar, these like imperial soldiers in that sci-fi universe. So iSight Partners named this group Sandworm, well, just because it's a cool name associated with Dune, but it turned out, to me, it became very powerful, because a sandworm is this monster that lies beneath the surface and occasionally arises from underground to do terribly destructive things. iSight Partners didn't know that at the time, but they soon afterward realized that what Sandworm was doing was not just espionage; they were actually doing reconnaissance for disruptive cyber attacks. They were also hacking power grids. They were planting BlackEnergy not only in the Eastern European targets but in US power grid networks as well. Ultimately Sandworm was the first, in 2015, to cross that line and use BlackEnergy as the first step in a multi-step attack that led to a blackout. So this was not just espionage; it really was kind of like, you know, this monster that rises from under the ground to do terrible acts of mass destruction. That came to pass.

So one of the things that comes up over and over in the book is this growing sense of dread from security researchers and analysts: oh, this is an imminent threat to the United States, not just Ukraine, like this is happening here. And then there's a sense that the United States actually opened the door to this kind of warfare with Stuxnet, which was an attack on Iran.
How did those connect for you? It seemed like there's a new set of rules of engagement for cyber warfare that actually the United States implicitly created with Stuxnet by attacking Iran.

Yeah, I mean, I tried to highlight... clearly Sandworm are the real bad guys in the story. They are the actual hacker group that did these terribly reckless, destructive attacks that actually in some cases put people's lives at risk; in some parts of the story they actually shut down medical record systems, and I think may have cost people's lives with cyber attacks. They are the actual antagonist here, but I also want to highlight the ways that the US government is partially responsible for the state of cyber war, and there are a few ways that that's true. First, the US opened the Pandora's box of cyber war with Stuxnet, this piece of malware that was used to destroy Iranian nuclear enrichment centrifuges. That was the first piece of malware that actually caused physical disruption, destruction, and we now see Sandworm doing the same thing in Ukraine and in fact, in some ways, around the world. Also, the US hoards these kind of zero-day secret hacking techniques, some of which were stolen and leaked and used by Sandworm. But then I think, in fact, the biggest way that I tried to highlight that the US is responsible or complicit or negligent here is that we did not call out what Sandworm was doing in Ukraine and say to Russia: we know what you're doing, this is unacceptable, nobody should be turning out the lights on civilians with cyber attacks. There wasn't a message like that. I mean, the Obama White House sent a message to Russia over this kind of cyber hotline to say your election hacking is not okay, we see what you're doing and we want you to stop, but they said nothing about the two blackout attacks in Ukraine, and that was a kind of implicit signal to Russia that they could keep escalating. And even as all the cybersecurity researchers and Ukrainians were warning that what was happening to Ukraine would soon spread to the rest of the world, the US government ignored this, both Obama and then the Trump administration, until that prediction came to pass and a Sandworm cyber attack did spread to the rest of the world, and it was too late, and we all suffered globally as a result.

So let's talk about NotPetya. It was catastrophic in scope, right? It took out the Maersk shipping line, which is a massive business. It took out some hospitals in the UK. It was huge in scope. I don't think people really put it all together. Talk about how it started and how big it grew.

Yeah, so NotPetya was kind of like the big apotheosis of Sandworm, where all of these predictions of the terribly destructive things they were doing spreading to the rest of the world came to pass. But it started in Ukraine. They hijacked the software updates of this accounting software called M.E.Doc that is basically used by everybody in Ukraine, the Quicken or TurboTax of Ukraine. If you do business in Ukraine, you have to have this installed. So Sandworm hijacked the updates of that and used it to push out this worm to thousands of victims, mostly in Ukraine. But it was a worm, so it spread immediately and quickly, kind of carpet-bombed the entire Ukrainian internet. Every computer it spread to, it would encrypt permanently. You could not recover the computer. So it very quickly took down pretty much every Ukrainian government agency, twenty-two banks, multiple airports, four hospitals in Ukraine that I could count, and in each of these cases, what it did is it took them down. I mean, it destroyed essentially all of their computers, which requires sometimes weeks or months to recover from. But then, as you know, this is a worm that does not respect national borders, so even though it seemed to be an attack intended to disrupt Ukraine, it immediately spread beyond Ukraine's borders to everybody who had this accounting software installed, that was doing business in Ukraine, and some people who didn't. So that includes Maersk, the world's largest shipping firm, and FedEx and Mondelez, which owns Cadbury and Nabisco, and a manufacturing firm that makes Tylenol, and Merck, the pharmaceutical company in New Jersey. Each of these companies lost hundreds of millions of dollars. The scale of this is kind of difficult to capture, but in the book I focused in part on Maersk because it is just a good company to look at. They had this gigantic global physical machine: they have seventy-six ports around the world that they own, as well as these massive ships that have tens of thousands of shipping containers on them. And I told the story of how on this day seventeen of their terminals were entirely paralyzed by this attack, with ships arriving with just piles of containers on them. Nobody could unload. Nobody knew what was inside of them, nobody knew how to load or unload them. At these seventeen terminals around the world, thousands of trucks, semitrailers carrying containers, were lining up in lines miles long, because the gates that were kind of checkpoints to check in these trucks to drop something off or pick it up were paralyzed as well. This was a fiasco on a global scale. Maersk is responsible for a fifth of the world's shipping capacity. They were truly just rendered brain dead by this attack. But yeah, this played out at all of these different victims. Merck had to borrow their own vaccine from the Centers for Disease Control because their manufacturing was disrupted by this, and it ultimately spread to a company called Nuance that makes speech-to-text software.
They have a service that does this for hospitals across the US, so dozens or possibly hundreds of American hospitals had this backlog of transcriptions to medical records that were lost because of this, and that resulted in patients being delayed for surgeries or transfers to other hospitals, and nobody knew if their medical records were updated. I mean, this was a scale where hundreds of hospitals, each of which has thousands of patients, were missing changes to their medical records. We don't know what the effects of that were, but it very well could have actually harmed people's health or lives. I mean, the scale of NotPetya is very difficult to get your mind around, but we do know that, you know, monetarily it cost ten billion dollars, which is by far the biggest number we've ever seen, but it also had this kind of harder-to-quantify toll on people's lives.

So, you know, you wrote about it at length in Wired. Obviously these companies going down had ripples in the mainstream, sort of general press, but I don't feel like people really know, like, oh, this Russian group called Sandworm, sponsored by the Russian government, unleashed this attack and it caused this cascading effect of failure and disaster and cost, and that because we know what we can attribute it to, the government, our government... I don't feel like that connection got made for people. What is the gap between "oh, there was a hack" and "oh, this is actually a type of warfare engagement"? Because that connection seems very tenuous, I think, for a lot of people, even as the more general mainstream press covers this stuff.

Yeah, you know, I don't think that that's just like the nature of cyber war. I think that was a failing. That lack of connection is a failing on our government's part, and, you could say, even on the part of some of these victims, like these large companies. I mean, at the time NotPetya happened, I was fully on the trail of Sandworm. Within days I was talking to cybersecurity researchers who had pieced together some of the forensics to show that NotPetya was Sandworm, that it was a Russian state-sponsored attack, and yet none of those companies that I mentioned, Merck or Mondelez or Maersk or FedEx or any of them, wanted to say that Russia had done this to them. And no governments were talking about it either. Like, the Ukrainian government was; they're always willing to point the finger at Russia. But the US government was not, and, you know, that to me seemed to be just kind of... I mean, I felt like I was being gaslit at that point. I had watched Russia do this to Ukraine for a long time at that point, and I sort of understood that NATO and the West, we had this kind of cruel logic that Ukraine is not us. Russia can do what it likes to Ukraine because they're not NATO, not EU, they are Russia's sphere of influence or something. I think that's very wrongheaded, but at least it made sense, you know, to have that viewpoint. But now this attack had spread from Ukraine to hit American soil, American companies in many cases, and yet still the US government was saying nothing. I just thought this was bizarre. And you know, so for months I was trying to get any of these companies to tell the story of their experiences of NotPetya. I was trying to figure out why the US government wasn't talking about the fact that this was a Russian cyber attack, and ultimately I think it was kind of, I don't know, partly disorganization, negligence. I think it may have something to do with the fact that the Trump administration doesn't like talking about Russian hackers, for obvious reasons. But it took eight months ultimately for the US government to finally say that NotPetya was Russia, that it was the worst cyber attack in history, and then a month later the White House imposed consequences and put new sanctions on Russia in response. But it took nine months, and more importantly, it took multiple years. This was the first time; this was 2018, and the Russian cyber war in Ukraine had started around the fall of 2015. So that's just an incredible span of negligence when the US government said nothing about these escalating, unfolding acts of cyber war that should have been unacceptable from the very beginning. I mean, these are the kind of quintessential acts of state-sponsored cyber attacks on civilians, turning out the lights. You know, that's the kind of thing that I believe the US government should have called out and drawn a red line across at the very beginning. It took years, so I do think it was a big failing of diplomacy.

It just seemed like that's part of the problem, and this is kind of an expression... it's so hard to describe. Like, if the Russian government sent fighter jets to America and blew something up, okay, like, everyone understood, you can see it, you can understand what happened there. And, you know, there's like however many decades of movies about how to fight that war. This is a bunch of people in a room typing. There's just an element of this where the danger is so ephemeral, where the attack is invisible, and while the effects might be very, very tangible, the causes are still sort of mysterious to people. So my question is: who is Sandworm? What do we know about them? Where do they work? What are they like? Do we have a sense of how this operation actually operates?

In some ways the biggest challenge of reporting this book, and I spent essentially the third act of the book, the last third of the reporting of the book, trying to answer the question of who is Sandworm. Who are these people? Where are they located? What motivates them? And I guess to partially spoil the ending here, they are a unit of the GRU. They are a part of Russia's military intelligence agency, which is responsible for... you know, this is not a coincidence.
They are responsible for election meddling, responsible for the attempted assassination with chemical weapons in the United Kingdom, they're responsible for the downing of MH17, a commercial passenger jet over Ukraine, where three hundred innocent people died. The GRU are this incredibly reckless, callous military intelligence agency, but they act like kind of almost just cutthroat mercenaries around the world, doing Russia's bidding in ways that are very scary. So I, through essentially a combination of excellent work by a bunch of security researchers who I was speaking to, combined with some confirmation from US intelligence agencies, and then ultimately some other clues from the investigation of Robert Mueller into election meddling, all these things combined created the trail that led to one group within the GRU that... you know, I eventually had some names and faces, even the address of this group, and all that was actually only finally fully confirmed after the book came out, just in recent months, when the White House, it was actually the State Department, as well as the UK and Australian and other governments, together finally said yes, Sandworm is in fact this unit of the GRU. So this theory that I developed and posited near the end of the book was finally basically confirmed by governments just in recent months.

So one thing that strikes me about that is, I think of the Russian military, the GRU, as being foreboding, being obviously very, very good at this, sort of buttoned up. And then they have this incredible social media presence that kind of pops up throughout the book that distracts from what they're doing. They set up Guccifer 2.0 when they were doing the DNC hacks that fed to WikiLeaks, and that account insisted it was just a guy. They set up the Shadow Brokers, which, as I read it, is just like some goofballs. Like, they wanted to seem a lot dumber and a lot smaller than they were.
They were very effective at it, too, with people. Talk about that strategy, and then I guess my question is, like, are we better at seeing that strategy for what it is?

Well, you make a really interesting point. The GRU uses these false flags throughout their recent history. I should say we don't know that they were responsible for the Shadow Brokers. In fact, nobody knows who the Shadow Brokers truly are, and they are in some ways the biggest mystery in this whole story, this one group that hacked the NSA, apparently, and leaked a bunch of their zero-day hacking techniques, or maybe they were even NSA insiders. We still don't know the answer to that question. But the other incidents you mentioned, the GRU are responsible for: this Guccifer 2.0 fake hacktivist who leaked a bunch of the Clinton documents. They're responsible for other false flags, like at one point they called themselves the Cyber Caliphate and pretended to be ISIS. They pretended to be like patriotic pro-Russian Ukrainians at some point. They're always wearing different masks, and they're very deceptive. In a later chapter of the book, one of the biggest attacks they did was this attack on the 2018 Olympics, where they not only wore a false mask, but they actually had layers of false flags, where, as cybersecurity researchers found, this malware was used to destroy the entire back end of the 2018 Winter Olympics just as the opening ceremony began. This was a catastrophic event. The malware had all of these fake clues that made it look like it was Chinese or North Korean or maybe Russian. Nobody could tell. It was this kind of confusion bomb, almost designed to just make researchers throw up their hands, give up on attributing malware to any particular actor. It was only through some amazing detective work by some of the analysts that I spoke to that they were able to cut through those false flags and identify that Sandworm was behind this, essentially. But yeah, it is one very real characteristic of the GRU that they almost seem to take pleasure in, or like be showing off, their deception capabilities, too, and they're evolving those capabilities. They are getting more deceptive over time, as they get more destructive and aggressive.

I love to play the game of, like, imagine the meeting. And imagine that there's one set of meetings, which is like the actual hackers finding the vulnerabilities, figuring out how to jump from a Windows 8 computer to some sort of physical hardware controller that actually runs like that. That's a very hard problem in and of itself. And then the other meeting, where they're like, what we're going to do is claim to be a guy called Guccifer 2.0. And like, those are not connected, right? But the way they execute these campaigns throughout the book, they're deeply connected, and that seems like not only just a new kind of warfare, a new kind of craft, but something that just consistently seems to work in surprising ways. Like, the tech press is going to be like, Guccifer says this, and there's never that next step of, also we think it's the Russian government. And that seems like... first of all, I'm dying to imagine the meeting, right? I would love to be a fly on the wall of the meeting where they decide what their Twitter name is going to be today. I'm very curious how they evolve those attacks in such a way that it just seems to be more and more effective over time.

Yeah, I mean, I also would love to have been in those meetings. It's my one kind of regret in this book that I never actually got those interviews. It's almost an impossible thing to do. You'd like to find defectors from the GRU or something who will tell those stories and not get murdered. I mean, it's kind of impossible. But in some cases, to your earlier point, they almost seem kind of bumbling in these things. They do them in a very improvisational way. Guccifer 2.0 seemed almost like it was just a thing they invented on the spot to try to cover up some of the accidental slip-ups, like they had left Russian-language formatting errors in the documents that they had leaked from the DNC, so they invented this guy who appeared the next day and started talking about being a Romanian. A friend of mine at Motherboard, Lorenzo Franceschi-Bicchierai, started this conversation online with Guccifer 2.0 and basically proved that the guy could not actually properly speak Romanian, must be a Russian speaker. In fact, it was almost comical. At the same time, they're using very sophisticated hacking techniques, doing destructive attacks on a massive scale, but they're also... they seem like they're kind of making it up as they go along.
They do things that don't actually seem very kind of strategically smart. They kind of seem like they're trying to impress their boss for the day. Sometimes with just like some sometimes, it's just seems like the Jere. You wakes up in asks themselves. Like what can we blow up today? Rather than thinking like? How can we accomplish the greater strategic objectives of the Russian Federation? So they are fascinating in that way and very stringent colorful group. That's I think one of the biggest questions I have here is. We spend a lot of time trying to imagine what flat and Mirror Putin wants. You know when he grows up, but it. None of this seems targeted like what is the goal for Russia to disrupt the Winter Olympics right like. Is there a purpose to that? Is that just a strike fear? Is it just to? EXPAND THAT SUV influenced. Is it just to say we have the capability furious is there? has there ever really been the stated goal for this kind of cyber warfare? That one is particularly mystifying. I mean you can imagine why Russia would want to attack the Olympics. They were banned from the two thousand Eighteen Olympics doping, but then you would think that they might want to attack the Olympics and send a message maybe like eight deniable message a message that you know if you continue to ban us. We're GONNA. Continue to attack you like like any terrorists would do, but instead they attacked the winter. Olympics in this way, that really seemed like they were trying not to get caught, and instead like make it look like the was Russia North Korea? And then you have to like what is the point of that was? The could kind of. Sit there in Moscow and kind of like rub their hands together in gleefully. Watch this chaos unfolds. It almost really does seem like it was petty vindictive thing that they just for their own emotional needs wanted to make sure that nobody could enjoy the Olympics if they were not going to enjoy them I that was, but that one is i. 
think outlier in some ways for the most part you can kind of see. The Russia is advancing. The G. R. You that sand worm is advancing something that does generally make sense which is that. In Ukraine for instance, they're trying to make Ukraine look like a failed state. They're trying to make Ukrainians. Lose faith in their security. Services are trying to prevent investors globally from funneling money into Ukraine trying to create a kind of frozen conflict, as we say in Ukraine where there's this constant perpetual state of degradation. They're not trying to conquer the country, but they're trying to create a kind of permanent war in Ukraine and would cyber war. You can do that beyond the traditional front end. It is in some ways the same kind of tactic that they used in other places like the US which. which here we saw more than influence operation that they were hacking leaking organizations like democratic campaign organizations and anti doping organizations to kind of so confusion to embarrass on their targets. They're trying to influence like the international audiences opinion these people, but in Ukraine, it is in some ways, just a different kind of influence operation where they're trying to influence the world's view of Ukraine. Influence Ukrainians view of their themselves under government to make them feel like they are in a war zone even when their kid hundreds of miles from the actual fighting. That's happening on the eastern fronts in the eastern region of. Of Ukraine so in a book you you you go to Kiev. You spent time in Ukraine. Is there a sense in that country that while sometimes light goes out sometimes our TV stations. Their computers don't boot anymore. Because they got rewritten, the Hydros got Zeros like. Is there a sense that this is happening? Is there a sense the defy back is there does Microsoft deploy you know dozens of engineers to to help fight back. How does that play out on the ground there? Yeah, I mean to be fair. 
Ukrainians are very stoic about these things, and regular Ukrainian citizens were not bothered by, you know, a short blackout. They didn't particularly care, you know. This blackout was the first ever hacker-induced blackout in history, but Ukrainian cybersecurity people were very unnerved by this, and people in these actual utilities were traumatized. I mean, these attacks were truly relentless and very scary for the actual operators at the controls. I mean, in the first blackout attack, these poor operators in a Ukrainian control room in western Ukraine, they were locked out of their computers, and they had to watch their own mouse cursor click through circuit breakers, turning off the power in front of them. I mean, they watched it happen, as these kind of phantom hands took control of their mouse movements. So they took this very, very seriously. But yet Ukrainians as a whole, I mean, they have seen a lot. They are going through an actual physical war. They've seen the seizure of Crimea and the invasion of the east of the country. You know, the day NotPetya hit, a Ukrainian general was assassinated with a car bomb in the middle of Kiev. So they have a lot of problems, and I'm not sure that cyber war is one of the top of their minds. But NotPetya did actually reach normal Ukrainian civilians too. It shook them as well. I talked to regular Ukrainians who found that they couldn't swipe into the Kiev Metro, they couldn't use their credit card at the grocery store, all the ATMs were down. The postal service was taken out; every computer that the postal service had was taken out for more than a month. I mean, these things really did affect people's lives, but it took that kind of climactic worm, NotPetya, for this to really hit home for Ukrainians, who have seen so much.

How do you fight back? I mean, one of the things that struck me as I was reading
the book is so many of the people you talked to, people who are identifying the threat, they're actually private companies. iSight was the first to even detect it. They are contractors to intelligence agencies, the military in some cases, but they're not necessarily the government, right? Like, it's not necessarily Microsoft, who has to issue the patches for the software, not necessarily GE, which makes Cimplicity, which is the big industrial control software you talk about a lot. How does all that come together into a defense? Because that seems like a harder problem of coordination.

Yeah, I mean, defense in cybersecurity is an eternal problem. It's incredibly complicated, and when you have a really sophisticated, determined adversary, you know, they will win eventually. And I think that there are absolutely lessons for defense in this book, about, you know, maybe you need to really, really think about software updates, for instance, like the kind that were hijacked with this M.E.Doc accounting software as a vector for terrible cyberattacks. Imagine that, like, any of your insecure apps that have updates can become a piece of malware. You really need to segment networks, need to think about patching. There is just an endless kind of checklist of things that every organization needs to do to protect themselves. So in some ways that's just like a Sisyphean task, and I don't try to answer that question in the book, because it's too big, and it's kind of boring as well. But what I do really hammer on is the thing that governments really could have done here, which is to try to establish norms, try to control attackers through diplomacy, through kind of disciplinary action, through things like a kind of Geneva Convention for cyber war. If you think about an analogy to, say, chemical weapons, we could just try to give everyone in the world a gas mask that they have to carry around with them at all times, or we could create a Geneva
Convention norm that chemical weapons should not be used, and if they are, then it's a crime and you get pulled in front of The Hague. And we've done the latter, and I think that in some ways should be part of the answer to cyber war as well. We need to establish norms and make countries like Russia, or organizations like the GRU, understand that there will be consequences for these kinds of attacks, even when the victim is not the US or NATO or the EU. And I think we're only just starting to think about that.

One of the questions I had as I was reading is, it seems like a very clear red line for almost everyone you talk to is attacks on the power grid, right? That is just unacceptable. You should not do it; if you do it, you've crossed a line and there should be some consequence. Is that clear to governments? Is that something that our government says? Is that something that has been established? It seems like the conventional wisdom wants to say that, but I'm unclear whether that is actually the line that exists.

It definitely has not been established, and when I did these interviews, I managed to get interviews with the top cybersecurity officials in the Obama and Trump administrations. J. Michael Daniel was the cyber coordinator for the Obama administration, and the other was the Homeland Security Adviser for Trump. And both of them, when I asked them, to put it bluntly, like, why didn't you respond when Russia caused blackouts in Ukraine? Both of them essentially said, well, you know, that's not actually the rule that we want to set. We want to be able to cause blackouts in our adversaries' networks, in their power grids, when we are in a war situation or when we believe it's in our national interest. So, you know, that's the thing about these cyber war capabilities. This is part of the problem: that every country,
absolutely the US among them, isn't really interested in controlling these weapons, because, in this kind of Lord of the Rings fashion, we are drawn to them too. Like, we want to maintain the ability to use those weapons ourselves, and nobody wants to throw this ring into the fires of Mount Doom. We all want to maintain the ring and imagine that we can use it for good. So that's why neither administration called out Russia for doing this, because they want that power too.

You make the comparison to nuclear weapons, but we've negotiated drawdowns and treaties with Russia in the past. We count warheads. We're aware that the United States stockpiles can destroy the world fifty times over today, maybe tomorrow one hundred. Like, we have a sense of the measure of force that we can put on the world when it comes to nuclear weapons. There's a sense that, oh, we should never use these, right? Like, we have them as a deterrent, but we've gamed out that that actually leads to mutually assured destruction. Like, there's an entire body of academics, there's an entire body of researchers, an entire body of scenario planning with that kind of weapon. Does that same thing exist for cyber weapons?

There are absolutely communities of academics and policymakers who are thinking about this stuff now, but I don't think it's kind of gotten through to actual government decision-makers that there needs to be a kind of cyber deterrence, and how that would work. And the comparison to nuclear weapons is instructive, but not exactly helpful. In fact, it's kind of counterproductive, because we cannot deter cyberattacks with other cyberattacks. I don't think that's going to work, in part because we haven't even tried to establish it yet. There are no kind of rules or red lines. But then, I think more importantly, everybody thinks that they can get away with cyberattacks, that they can, they're going to create a false flag
that's clever enough that when they blow up a power grid they can blame their neighbor instead. So they think they're going to get away with it, and that causes them to do it anyway and not fear the kind of assured destruction. So I think that the right response, the way to deter cyberattacks, is not with the promise of a cyberattack in return. It's with all the other kinds of tools we have, and they've been used sometimes, but they were not in the case of Sandworm. Those tools include, like, sanctions, which came far too late in the story; indictments of hackers, and in some cases we still haven't really seen Sandworm hackers indicted for the things that they did in Ukraine, or even NotPetya; and then ultimately just kind of messaging, like calling out, naming and shaming bad actors. And that has happened to some degree with Sandworm, but in some cases there have still been massive failures there. There has still been no public attribution of the Sandworm attack on the 2018 Olympics. I mean, my book has been out for months. I think it shows pretty clear evidence that Sandworm is responsible for this attack, at the very least that it was Russia, and yet the US and Korea, where these Olympics took place, and the UK, none of these governments have named Russia as having done that attack, which almost just invites them to do it again, whenever our next Olympics are going to be. I guess maybe not this year. But if you don't send that message, then you're just essentially inviting Russia to try again.

So I think my big question is, what happens now? I mean, right, you write about the NSA's Tailored Access Operations, which is their elite hacking group. We are obviously interested in maintaining some of these capabilities. We've come to a place where people are writing books about how it works. What is the next step? Does it just keep getting worse, or does this kind of diplomacy you're talking about, is that beginning to happen?

I
think there are some little glimmers of hope about the diplomacy beginning to happen. I mean, this year in February, I think it was, the State Department called out a Sandworm attack on Georgia, where Sandworm's hackers basically took down a ton of Georgian websites by attacking the hosting providers, as well as a couple of TV broadcasters, and the US State Department, with a few other governments, said this was Sandworm, named the unit of the GRU. That was confirmation that I had been looking for for a long time, but they also made a point of saying that we're calling this out as unacceptable, even though Georgia is not part of NATO or the EU. So that's progress. That's essentially creating a new kind of rule that state-sponsored hackers can't do certain things, no matter who the victim is, and that's really important. Also, it was kind of interesting, because federal officials gave me a heads-up about that announcement before it happened, which they very, very rarely do, and I think what they were trying to say was, we read your book and we got the message, okay? Like, stop attacking us about this, we're trying, we're doing something different here. I don't want to flatter myself that I actually changed their policy, but it did seem interesting that they wanted to tell me personally about this. So I think that maybe our stance on this kind of diplomacy is evolving, and we're learning lessons. But at the same time, we also see the attacks evolving too, and there are new innovations in these kinds of disruption happening. We've seen, since some of these terrible Sandworm attacks, you know, other very scary things, like this piece of malware called Triton or Trisis that was used to disable safety systems in an oil refinery in Saudi Arabia. That was, you know, that could have caused an actual physical explosion of a petrochemical facility. The attacks are evolving too.

Okay, final, last real question. Tell people where they can get your book.
You can find it in all kinds of places, via andygreenberg.net.

You've written another book as well, previously?

Yes, that's right. I wrote a book about WikiLeaks, cypherpunks and things like that.

That's right. Well, I'm a huge fan. It was an honor to talk to you. Thank you so much for coming on. I know it's a weird time to be talking about anything but the coronavirus. I was very happy to talk about something else, which is, it seems a little bit more in control, even if it is quite dangerous. Thank you for the time. I appreciate it.

Yeah, I'm glad to provide people with a different kind of apocalypse as a distraction.
