Sandworm


by Andy Greenberg


  But Hultquist had continued to work on his nonfictional hacker hunting, too. He’d asked me to come down from New York because he and his team of researchers had made new connections he wanted to map out for me in person—significant ones and, he’d warned me, very, very complicated. I turned on the voice recorder on my phone.

  “I think…7-4-4-5-5,” Hultquist suddenly said without preamble. “I think that’s your man.”

  I paused, dumbstruck. “What does that mean?” I asked slowly, puzzling over what sort of code this series of numbers might represent.

  “I think 7-4-4-5-5 is Sandworm,” he said matter-of-factly.

  “What is 7-4-4-5-5?” I asked, still entirely confused and wondering if Hultquist was enjoying this game.

  “That’s the unit,” Hultquist spelled out patiently, as if speaking to one of his children. “I think Unit 74455 is your boys.”

  It took me a moment longer still to understand what Hultquist was telling me: an answer, in some sense, to the mystery that had dogged me for more than a year, and Hultquist far longer. He meant that Sandworm was Unit 74455 of the GRU.

  Before Hultquist had even explained the evidence behind his claim, hearing this number alone felt like an epiphany. Those five digits themselves didn’t immediately tell me anything about Sandworm that I didn’t already know. But they held the promise of representing the secret name Sandworm calls itself. That unit number might also hold the key to understanding the hidden human beings behind that code name, sitting on the other end of the internet.

  When I asked Hultquist to explain how he’d come to that connection, he opened his laptop and pulled up a report from FireEye dated June 2018, which he said the company had distributed to some of its intelligence clients but hadn’t shared publicly. It was titled “Targeting of US and French Elections Connected to Olympics Incident and Others.” I could see at a glance it contained pages and pages of charts and graphed links among technical data points. For the next two hours, Hultquist would walk me through a series of connections that would thoroughly redefine how I thought of Sandworm, its place within the GRU, and its mission.

  “Basically you can get from NotPetya to the Olympics to hacking election infrastructure,” Hultquist summarized as we got started. “You’ve got yourself quite a web here, my friend.”

  * * *

  ■

  When Hultquist’s researcher Michael Matonis found the loose thread that would unravel that web in February 2018, it wasn’t by searching for clues in the code of the Olympic Destroyer payload. Instead, in the days immediately following the news of the Olympic cyberattack, Matonis had looked at a far more mundane element of the operation: the fake, malware-laced Word document that had served as the first step in the nearly disastrous Olympic sabotage.

  When Matonis pulled the infected document from VirusTotal, he saw that the bait had been sent to staff at the International Olympic Committee more than two months before the Olympics began, in late November 2017. The Word file spoofed a list of VIP delegates to the games but hid inside it a malicious macro script, the same simple program-in-a-document trick Hultquist’s team had first seen Sandworm using in 2014 and that it had continued to deploy as late as its first blackout attack.

  Just as Drew Robinson had done when he was working in iSight’s office on another investigation for Hultquist’s team, three years earlier, Matonis began combing FireEye’s historical collection of malware and VirusTotal, looking for matches to that code sample. On a first scan, he found none. But Matonis did notice that a few dozen malware-infected documents from the archives corresponded to his file’s rough characteristics: They similarly carried embedded Word macros and, like the Olympic-targeted file, had been built to launch a certain common set of hacking tools called PowerShell Empire.

  The malicious Word macro traps, however, looked very different from one another. Each one had layers of obfuscation—just like that first piece of Sandworm malware Robinson had unpacked in iSight’s office—and that encoded layer of noise seemed altogether distinct for each sample.

  But as Matonis compared the malware specimens, scouring their noise for clues, he struck upon a connection. Matonis refused to tell me the pattern he’d pulled out of that randomness; like a good gambler, he wanted to keep the hackers’ “tell” secret so he could use it again in the future. But the result, in the most abstract sense, was that while the files looked different, the way they looked different looked uniform. In fact, like teenage punks who all pinned just the right obscure band’s buttons to their jackets and styled their hair in the same shapes, their attempt to look unique had made them part of a distinctly recognizable group.

  Matonis soon put together that the source of that signal in the noise was a common tool used to create each one of the booby-trapped documents. It was an open-source program, easily found online, called Malicious Macro Generator. Matonis speculated that the hackers had chosen the program to blend in with other malware authors. But beyond their shared tools, the malware group was also tied together by the author names Matonis pulled from the files’ metadata: Almost all had been written by someone named either “AV,” “BD,” or “john.” When he looked at the command-and-control servers that the malware connected back to—the strings that would control the puppetry of any successful infections—all but a few of the IP addresses of those machines overlapped, too.

  The fingerprints were hardly exact. But over several weeks, he had assembled a loose mesh of clues that added up to a solid net, tying the fake Word documents together.

  When he had established those connections, it was the actual, visible content of those Word files, not their hidden malware, that got Matonis’s blood pumping. Two documents from the collection, which stretched back to the spring of 2017, seemed to target Ukrainian LGBT activist groups, using infected files that pretended to be a gay rights organization’s strategy document and a map of a Kiev Pride parade. Others targeted Ukrainian companies and government agencies with a tainted copy of draft legislation.

  In Matonis’s mind, all other suspects for the Olympic attack fell away. Only one country would have been targeting Ukraine in the same hacking campaign, nearly a year earlier, and it wasn’t China or North Korea.

  Strangely, other infected documents in the collection Matonis had unearthed seemed to target victims in the Russian business and real estate world. Had a team of Russian hackers been tasked with spying on some Russian oligarch on behalf of their intelligence taskmasters? Were they engaged in profit-focused cybercrime as a side gig? Regardless, Matonis felt that he was on his way to finally, definitively cutting through the Olympic cyberattack’s false flags to reveal its true origin: the Kremlin.

  * * *

  ■

  After Matonis had made those first, thrilling connections from Olympic Destroyer to a very familiar set of Russian hacking victims, he wanted to see how far those new links would take him. He told Hultquist that he wouldn’t be coming into the FireEye office for the foreseeable future. Instead, he locked himself in his basement-level apartment in the D.C. neighborhood of Capitol Hill. For the next three weeks, he barely left that four-hundred-square-foot box, instead working on his laptop from a folding chair, with his back to the only window in his home that produced sunlight, poring over every data point that might reveal the next cluster of the hackers’ targets.

  A pre-internet-era detective might start a rudimentary search for a person by consulting phone books. Matonis started digging into the online equivalent, the directory of the web’s global network known as the domain name system, or DNS. DNS servers translate human-readable domains like “facebook.com” into the machine-readable IP addresses that actually describe the location of a networked computer that runs that site or service, like 69.63.176.13. Matonis began painstakingly checking every IP address his hackers had used as a command-and-control server in the campaign of malicious Word documents he’d just uncovered, translating those domains into any IP addresses that had ever hosted them. At the same time, he’d use a reverse-lookup tool to flip the search, finding every domain that had been hosted on any single IP address to assemble a branching graph.

  Once he’d created these treelike maps for dozens of the IP addresses and domain names connected to the Olympic attack, one branch of that exploration led to a domain that lit up like neon in Matonis’s mind. Three links down his daisy chain of IP addresses and domains, there it was: account-loginserv.com.

  A photographic memory is a helpful trick for an intelligence analyst. As soon as Matonis saw the account-loginserv.com domain, he instantly knew that he had seen it nearly a year earlier in an FBI “flash,” a short alert sent out to U.S. cybersecurity practitioners and potential victims. This one had offered a new detail into the hackers who in 2016 had breached the Arizona and Illinois state boards of elections: The same intruders had also spoofed emails from a voting technology company, VR Systems, in an attempt to trick more election-related victims into giving up their passwords.*

  Matonis drew up a jumbled map of the connections on a piece of paper that he slapped on his refrigerator with an Elvis magnet and marveled at what he’d found. Based on the FBI flash—and Matonis told me he confirmed the connection with another human source he declined to reveal—the fake VR Systems emails were part of a phishing campaign that had also used a spoofed login page at the account-loginserv.com domain he’d found in his Olympic Destroyer map. At the end of his long chain of IP addresses and domains, Matonis had found a fingerprint that linked the Olympic attackers back to a hacking operation that directly targeted the 2016 U.S. election.

  Matonis had, since his teenage years, been a motorcycle fan. When he was just barely old enough to ride one legally, he had scraped together enough money to buy a 1975 Honda CB750. Then one day a friend let him try riding his 2001 Harley-Davidson with an 1100 EVO engine. In three seconds, he was flying along a country road in upstate New York at sixty-five miles an hour, simultaneously fearing for his life and laughing uncontrollably.

  When Matonis had finally drawn his forensic web, outsmarting the most deceptive malware in history, he says he felt that same feeling, a rush that he could only compare to taking off in that Harley-Davidson in first gear. He sat alone in his D.C. apartment, staring at his screen and laughing.

  * The whistle-blower Reality Winner, working at a contractor firm, had leaked documents to the news site The Intercept revealing that the same hackers had breached VR Systems, too.

  37

  THE TOWER

  When Matonis reported his findings to his boss, John Hultquist, they agreed there was no longer any doubt: The hackers behind Olympic Destroyer were Russian. But was this the work of their favorite rampaging team of cyberwarriors, Sandworm?

  Matonis had made some solid, but not quite definitive, connections between the new nexus of operations he’d uncovered and Sandworm’s older activity: The Olympic hackers had placed their command-and-control servers in data centers run by specific companies like Fortunix Networks and Global Layer, most likely chosen because those firms accepted Bitcoin payments that made any follow-the-money forensics far more difficult. And in a handful of cases, he could see that those hosting companies overlapped: Fortunix had been used for some of the original BlackEnergy attacks, and then again by the Olympic hackers. Other attacks in the Olympics cluster seemed to have been hosted with Global Layer, just like the command-and-control servers Sandworm had used to control its hijacked M.E.Doc servers.

  Soon, Matonis made an even more remarkable connection: One of the same set of command-and-control servers Sandworm had used in its smaller-scale destructive attacks ahead of NotPetya was also tied to the hacking-and-leaking operation targeting the campaign of the French presidential candidate Emmanuel Macron.* The same group of back-end servers Sandworm was using for its pre-NotPetya experiments had doubled as the infrastructure for another election-targeted hack-and-leak operation. NotPetya was connected to French election interference, just as Olympic Destroyer was linked to U.S.-focused election meddling. The lines of FireEye’s vast web of analysis violated any clean boundary I might have imagined between political information warfare and destructive cyberwar.

  The first time I’d spoken to Matonis about Sandworm in early 2018, he had described it to me as the hammer in the Russian hacker tool kit. “You call on them when you want to fuck shit up,” he’d told me over breakfast at a conference. But his notion of Sandworm’s mission was changing—as would mine. Any simple concept of Sandworm as the arm of the GRU focused purely on sabotage now seemed incomplete. The GRU’s hacker teams, it was becoming clearer, worked hand in hand.

  * * *

  ■

  By June, FireEye had assembled Matonis’s findings into the intricate report for its clients that Hultquist would later show me in his kitchen. In the meantime, Matonis had made one more connection: The same campaign of infected Word documents that targeted Ukrainian activists, Russian real estate businesses, and the Olympics had also targeted the Organisation for the Prohibition of Chemical Weapons, a Spiez, Switzerland–based chemical weapons research group that was investigating the poisoning of the GRU defector Sergei Skripal and his daughter. The arrows pointing to Russian involvement were clearer than ever.

  One month after FireEye privately published those findings, the U.S. government provided another, final piece of the puzzle Matonis and Hultquist were assembling. On July 14, the U.S. Department of Justice released an indictment targeting twelve GRU hackers for their role in interfering in the 2016 U.S. election. Those criminal charges would demonstrate the penetrating level of detail that can be revealed about even faraway, state-sponsored hackers when the full investigative powers of American intelligence agencies are brought to bear.

  The indictment, filed by Special Counsel Robert Mueller as part of the independent investigation created to suss out Russia’s full role in the 2016 election, went so far as to name exactly which GRU staffers had played which role in the hacking operation: A GRU agent named Aleksey Viktorovich Lukashev, for instance, was charged with sending the phishing emails that targeted the Democratic Party and the Clinton campaign staff. Sergey Aleksandrovich Morgachev had allegedly supervised the team that built and ran the malware used to spy on the DNC staff for months. Another GRU officer, Ivan Sergeyevich Yermakov, was accused of stealing the emails from the DNC server that were later leaked to disastrous effect. The document even named the specific GRU unit most of the hackers worked for—26165—and the address of its building in Moscow: 20 Komsomolsky Prospekt.

  Like most indictments of foreign governments’ hackers, the alleged perps would almost certainly never face those charges in court. Instead, they were designed to send a message—to name and shame the individual hackers involved—and to impose draconian restrictions on their lives. They’d never again be able to set foot in a country that had an extradition treaty with the United States without facing arrest.

  When I first read the indictment, as revelatory as it might have been about Russia’s election-focused hacking—the initiative led by the team known as Fancy Bear—I saw it as irrelevant to the search for Sandworm’s more destructive hackers. But Hultquist, with the secrets of Matonis’s findings fresh in his brain, read it differently. He instead homed in on the accusations against one GRU hacker among the twelve in particular: Anatoliy Sergeyevich Kovalev.

  Kovalev was singled out in the document for having hacked into at least one of the state boards of elections in 2016, allegedly stealing data for about 500,000 voters, including names, addresses, dates of birth, driver’s license numbers, and partial Social Security numbers. The indictment went on to blame Kovalev for the breach of a company whose software was used to verify voter registration information.

  These breaches, Hultquist could see, were part of the web Matonis had drawn: In the infrastructure that had enabled those attacks on the boards of elections, Matonis had found forensic clues that linked strongly to the attack against the Olympics and, more circumstantially, to NotPetya and Sandworm. This election-hacking indictment revealed culprits who were connected to that far wider network of chaos.

  Kovalev, the indictment against him detailed, wasn’t part of the same Unit 26165 as most of the hackers it charged. He and two other GRU staffers—Aleksandr Vladimirovich Osadchuk and Aleksey Aleksandrovich Potemkin—were instead part of Unit 74455, based in a different location just outside Moscow: 22 Kirova Street in the neighboring city of Khimki, a building identified in the indictment as “the Tower.”

  Unit 74455 had provided back-end servers for Unit 26165’s intrusions into the Democratic National Committee and the Clinton campaign, the indictment stated. But more surprisingly, the indictment accused 74455 of “assisting in” the operation to leak the emails stolen in those operations. Unit 74455, the charges stated, had helped to set up DCLeaks.com and even Guccifer 2.0, the fake Romanian hacker persona that had claimed credit for the intrusions and given the Democrats’ stolen emails to WikiLeaks.

  A new theory crystallized in Hultquist’s mind. Unit 26165 was Fancy Bear. Unit 74455 was Sandworm. The operations of those two teams were tightly intertwined, different sides of the same GRU coin. And the addresses where they worked were now on full public display.

  * * *

  ■

  The FBI had provided photographs of eleven of the twelve indicted hackers on its website, and after meeting with Hultquist, I stared at the pictures of the three members of Unit 74455. Aleksandr Osadchuk, the colonel who led the unit, was a fifty-six-year-old man with brown eyes and the broad, blocky features of a Dick Tracy character. In his photograph, he wore a navy-blue-colored Russian military uniform weighed down with medals and pins.
