ENERGY SECTOR STRATEGIC REVIEW

CASE: SANDWORM

Sandworm, also known as CyberBerkut, APT28, or Fancy Bear among others, is a moniker for a hacker group tied to the Russian military intelligence agency, the GRU (GU) #1, officially known as the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Главное управление Генерального штаба Вооружённых сил Российской Федерации). Within the GRU’s organization, Sandworm has been associated with Unit 74455 #2, which has also been listed as one of the GRU-linked entities that took part in the interference in the 2016 U.S. presidential elections. #3

Looking into the key events that Sandworm has been associated with since 2014, the first event in this timeline took place in May 2014, at the time of Ukraine’s presidential elections, the first after the unfolding of the Maidan events between late 2013 and early 2014. A hacker group calling themselves CyberBerkut, a now-known Sandworm alias #4, attacked routers, software and hard drives at Ukraine’s National Election Commission with the objective of hobbling the release of the official vote count and producing false results. #5

In December 2015 and again in December 2016, a Russian hacker group already identified as Sandworm was responsible for power blackouts in Ukraine, the first publicly recorded electric outages blamed explicitly on a cyber-attack. #6 Reports from the U.S. intelligence community and security companies describe Russian cyber-probing of U.S. electric utilities, and experts say that the United States may be vulnerable to an attack similar to the two that took place in Ukraine.

In June 2017, NotPetya, first presumed to be a ransomware program and later tied to Sandworm, crippled several Ukrainian ministries and private companies, including the shipping and logistics giant Maersk. #7, #8 The estimated costs of NotPetya have risen to several hundred million dollars per affected company, and to more than 10 billion dollars’ worth of damage globally. #9

In February 2018, during the 2018 Winter Olympics in Pyeongchang, Russian cyber operatives, namely Sandworm, disguised themselves as North Korean hackers in a classic false-flag operation and breached several hundred computers used by the 2018 Winter Olympic Games organizers. The Russian operatives managed to cause some minor disruptions to the Games’ internet connectivity, broadcast systems, and ticketing systems. #10

LESSONS LEARNED FROM SANDWORM ACTIVITIES FROM THE CRITICAL INFRASTRUCTURE PROTECTION PERSPECTIVE

1. Nation states are interested in gaining a permanent foothold in computer systems that allow them to control the parts of an adversary’s critical infrastructure that they are interested in, and that offer them an avenue for tactical or strategic level impacts. According to sources, at the moment there are at least ten nation states with proven interest in and capability to penetrate such systems.

2. While there are initiatives, such as the Digital Geneva Convention driven by Microsoft, there is little evidence to support the idea that nations would refrain from targeting parts of critical infrastructure in support of preparing the battle space for their potential future operations. On the contrary, looking at critical infrastructure and other key targets from a military planner’s perspective, striking parts of critical infrastructure offers an interesting way to hamper an adversary’s war preparations, cause additional logistical and other friction in the target society, and cause physical and psychological effects.

3. As of now, cyber-attacks against critical infrastructure, and particularly against the electric grid, have been limited in their geographic reach and relatively short in their duration. While this is the case now, according to expert estimations a dedicated and well-prepared attacker could cause wider and lengthier effects. Such an attack with major consequences might be more probable in highly developed and widely automated Western systems, which have limited analog back-up systems available for operating the system manually.

4. Probing, penetrating, establishing a foothold, and finally attacking critical infrastructure, such as a national or regional electric grid or election systems, serves a number of purposes, only one of which is causing a temporary or more prolonged black-out or a glitch in vote counting. Mere probing can serve the political purpose of warning and signaling to the adversary about their vulnerabilities. Establishing a more permanent foothold, and announcing it either in back-channel communications with an adversary or even publicly, may serve as a deterrent that tries to influence the adversary’s cost-benefit calculations. Lastly, causing physical effects, in addition to their tactical or operational impacts, also serves as a tool for influencing the psyche of citizens and decision makers both in the targeted society and elsewhere, as attacks are often observed and evaluated by external parties, such as partners and allies, but also private sector companies.

5. Protection of critical infrastructure from cyber-attacks demands wide co-operation both nationally and internationally. Private sector companies play a key role in the protection of critical infrastructure, as in most cases the ownership and operational responsibility lies with private sector companies. Nevertheless, private sector efforts need support from public sector entities and the government, for example in the form of information exchange covering the latest threat information. A second area of cooperation comes in the form of exercises, where the readiness of the critical infrastructure entities can be tested and improved in a controlled environment. International cooperation also plays an important role, as many of the threats and patterns of operation emerge in one place prior to making their way elsewhere. Furthermore, heavily interconnected and interdependent systems demand that all parts of the system be protected with the same vigilance for all to stay safe and operational.

6. Lastly, the sheer number of publicly known successful cyber-attacks targeting critical infrastructure, yearly warnings from the intelligence community, and public investigations by private sector cyber security companies suggest that there are actors with the necessary capabilities in place to launch a successful attack against critical infrastructure targets, should the intent be there. Thus, in addition to protecting critical infrastructure from attacks, special attention should be paid to improving the resilience and quick-recovery-from-attack capacity of critical infrastructure.

Text: Pasi Eronen, international security analyst and consultant

Sources:

[1] Meduza (2018) What is the GRU? Who gets recruited to be a spy? Why are they exposed so often? https://meduza.io/en/feature/2018/11/06/what-is-the-gru-who-gets-recruited-to-be-a-spy-why-are-they-exposed-so-often

[2] Greenberg, Andy (2019) Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Doubleday, New York, NY, USA; Greenberg, Andy (2019) Here’s the Evidence That Links Russia’s Most Brazen Cyberattacks. Wired, November 15, 2019. https://www.wired.com/story/sandworm-russia-cyberattack-links/

[3] Mazzetti, Mark; Benner, Katie (2018) 12 Russian Agents Indicted in Mueller Investigation. The New York Times, July 13, 2018. https://www.nytimes.com/2018/07/13/us/politics/mueller-indictment-russian-intelligence-hacking.html

[4] GOV.UK (2018) UK exposes Russian cyber attacks. October 4, 2018. https://www.gov.uk/government/news/uk-exposes-russian-cyber-attacks

[5] Clayton, Mark (2014) Ukraine election narrowly avoided 'wanton destruction' from hackers. The Christian Science Monitor, June 17, 2014. https://www.csmonitor.com/World/Passcode/2014/0617/Ukraine-election-narrowly-avoided-wanton-destruction-from-hackers

[6] Greenberg, Andy (2019) Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Doubleday, New York, NY, USA.

[7] Nakashima, Ellen (2018) Russian Military Was behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes. The Washington Post, January 12, 2018. https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html; Greenberg, Andy (2018) The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired, August 22, 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

[8] Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (2017) Cyberattack Hits Ukraine Then Spreads Internationally. The New York Times, June 27, 2017. https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html

[9] Forrest, Conner (2017) NotPetya Ransomware Outbreak Cost Merck More than $300M per Quarter. TechRepublic, October 30, 2017. https://www.techrepublic.com/article/notpetya-ransomware-outbreak-cost-merck-more-than-300m-per-quarter/; World Economic Forum (2018) The Global Risks Report 2018. January 17, 2018. http://www3.weforum.org/docs/WEF_GRR18_Report.pdf; CBS News (2019) What can we learn from the "most devastating" cyberattack in history? August 22, 2018. https://www.cbsnews.com/news/lessons-to-learn-from-devastating-notpetya-cyberattack-wired-investigation/

[10] Nakashima, Ellen (2018) Russian Spies Hacked the Olympics and Tried to Make It Look like North Korea Did It, U.S. Officials Say. The Washington Post, February 24, 2018. https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html; Greenberg, Andy (2019) The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History. Wired, October 17, 2019. https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/