Without that analog baseload, humanity will have innovated itself onto the precipice of a new, dangerous era, where vast interdependencies decide our fate and the safety nets have been pulled away. Holding back a portion of society’s resources from that innovation will have a cost, Geer acknowledged. But the cost of jettisoning the past might be greater. “I don’t want to sound like Chicken Little, but I’m trying to thread a needle,” Geer insisted. “I want to at least choose whether we want to have irretrievable dependence on something.”
The time to make that choice is running out. “We will never have a more analog world than we have now,” Geer wrote in the concluding paragraphs of his “Rubicon” paper:
Countries that built complete analog physical plants have a signal advantage over countries that leapfrogged directly to full digitalization. The former countries have preservable and protective firebreaks in place that the latter will never have, but the former countries enjoy their resilience dividend if, and only if, they preserve their physical plant. That such preservation can deliver both resilience for the digitalized and continued freedom for those choosing not to participate in digitalization is unique to this historical moment.
We stand on the bank of our Rubicon.
EPILOGUE
Ukraine remains true to its namesake—“Ukraina,” or “borderland.” And few places have felt the pressures on Ukraine’s borders more acutely than Maryinka. The tiny town, with fewer than ten thousand people, is situated next to a picturesque lake, 350 miles southeast of Kiev in the war-torn region of the country known as Donbas. Maryinka’s grid of tree-lined streets and gray buildings, like so many Ukrainian towns, is dotted with ornate cathedrals and Soviet memorials. But toward the south and east edges of the town, the architecture seems to decay, displaying the scars of years of battles that have caught the town in their cross fire—blast marks, burned and abandoned buildings, and spectacularly exploded facades spilling bricks into empty frames.
Then, still within the town limits, a checkpoint appears, manned by soldiers and protected by a maze of concrete blocks. This is what locals call “point zero.” On the other side is no-man’s-land. The front line between the pro-Ukrainian and the pro-Russian forces cuts through the town itself.
Even so, less than half a mile from that front line, at Maryinka’s center, middle-aged ladies are working inside an orange-painted building that once housed a supermarket, baking bread and packing the warm loaves into patriotically colored blue-and-yellow plastic crates. This is the bakery of Oleg Tkachenko, a priest, entrepreneur, and refugee of the Russian invasion.
In Slovyansk, a city farther north in Donbas, Tkachenko had been building an eight-room house for his family in 2014 when soldiers led by a former Russian military official seized the local police station. They shot his neighbor on the balcony of her apartment—the first civilian killed in the city’s takeover. “When you live in the twenty-first century and suddenly a war comes to your town and someone is shooting and people are dying, it’s hard to believe it’s happening,” he reminisces. Today he lives with his wife and four of his children just north of Maryinka, squeezed into a two-room apartment covering less than five hundred square feet.
Oleg and his wife, Eugenia, spend much of their time traveling the region along Donbas’s front line. Tkachenko acts as a chaplain for Ukrainian soldiers, and the couple often distribute the fresh loaves of wheat and rye bread their bakery produces; the business generates more charity than profit. The local economy has largely collapsed since the war broke out and nearly half of Maryinka’s population fled west. “People don’t even have enough money to buy bread,” Tkachenko laments.
In their travels along Ukraine’s war zone, the Tkachenkos have witnessed countless scenes of a broken society. Villages pockmarked with fifteen-foot-deep craters from artillery. Shell-shocked families who have lived in their cellars for weeks or months. Village elders who have taken their own lives rather than face the desolation of war. A widow forced to bury her husband in her own backyard. One family who moved to Donbas from the town of Pripyat after the Chernobyl disaster in 1986, leaving behind all their possessions, only to have their house burned to the ground in the war, thirty years later.
But some of the most appalling conditions, Oleg and Eugenia say, can be found just south of their bakery, in Maryinka itself. In the ghost town on the other side of the army checkpoint, most buildings are deeply damaged, some obliterated to the point that only a chimney remains. Few journalists, aid workers, or even police dare to cross into that wasteland. But twelve families still live there, stubbornly unwilling to leave or simply lacking the means to start a new life elsewhere.
Those families, as the Tkachenkos described it to me, have turned their homes into bunkers, with sandbags piled up outside their windows and religious icons painted inside their walls as a last, desperate form of protection. One man was recently killed by a land mine, and the fighting remained so dangerous he couldn’t be buried for two weeks. A twelve-year-old boy living in the neighborhood was hit with shrapnel in the head and, after several surgeries, remains brain damaged.
But like most of the Ukrainians stranded in their country’s war zone, the families continue to eke out an existence. “In the first stage, there was fear and panic. Those never go away, but people get used to them. They live in the stress,” Tkachenko says, blinking back tears. “People get used to absolutely anything.”
* * *
Low-grade, endless war remains the dystopian reality of a country that straddles the fault line between civilizations. Ukraine has yet to escape the cruelty of its geography.
The story of Sandworm shows how that geography helped make Ukraine a beachhead for cyberwar, too; there’s little chance the West would have tolerated the same scale of digital attacks if they had been inflicted beyond Ukraine’s embattled borders, against NATO or the EU. But unlike Russia’s grinding, centuries-old oppression of its neighbor, there’s no reason to believe this new form of conflict will be confined by the contours of geography. Cyberwar, unlike so many other faraway atrocities the West has turned a blind eye to for centuries, takes place not at a comfortable remove but on a global network that reaches into our homes, companies, governments, and infrastructure.
In 2010, Michael Hayden, the former director of the NSA and CIA, made a darkly prescient point in a keynote at the Black Hat security conference in Las Vegas, speaking to a crowd of programmers, security engineers, and hackers. “You guys made the cyber domain look like the north German plain. Then you bitch and moan when you get invaded,” he said. “On the Internet, we are all Poland. We all get invaded on the Web. The inherent geography of this domain is that everything plays to the offense.”
Nearly a decade later, Hayden’s cynical words still ring true—even if he was off by a few hundred miles. On the internet, we are all Ukraine. In a dimension of conflict without borders, we all live on the front line. And if we fail to heed the borderland’s warnings, we may all share its fate.
APPENDIX
SANDWORM’S CONNECTION TO FRENCH ELECTION HACKING
The links Michael Matonis made between Olympic Destroyer and the attacks on the U.S. state boards of elections in 2016 represent the most publicly verifiable proof of the GRU’s responsibility for that Olympic sabotage. But around the same time, Matonis would find another distinct—if convoluted—link between Sandworm and a different election-focused operation, one that deserves its own explanation.
In May 2018, three months after he’d started looking at Olympic Destroyer, Matonis had begun to dig into another clue in the backdoors Sandworm had used in its run-up to NotPetya. ESET had found that one of those backdoors, the VBS tool that had helped it tie NotPetya back to Sandworm’s earlier attacks, had been controlled via a certain server in Bulgaria. And that computer’s setup had always struck Matonis as strange. It ran a piece of software called Tor, designed to hide the source of internet traffic by triple-encrypting it and bouncing it through three randomly chosen volunteer servers around the world, known as Tor nodes. The Sandworm command-and-control server was also volunteering as one of those Tor nodes, bouncing strangers’ traffic around the internet. Perhaps it was an attempt to create a confusing flood of cover traffic, like a pickpocket trying to get lost in a crowd.
But as Matonis examined the configuration of Sandworm’s Tor server, he found that its setup could serve as a kind of fingerprint—not to identify the hackers behind it, but to spot the other, similar servers they had set up for different operations. Instead of allowing the servers to melt away into anonymity, their use of Tor had made them stand out in stark relief.
Matonis refused to reveal to me the details of that fingerprint, just as he’d refused to detail the clues that led him to Olympic Destroyer’s connection to the Malicious Macro Generator software. But using that Tor fingerprint as a kind of template, he dug up more than twenty similar servers across the internet that seemed to share its traits, all of which had been brought online in 2017. It seemed to him as if someone within Sandworm or working in its service had been tasked with creating a fresh new collection of back-end servers for the group’s attacks.
Once he had identified that collection of Sandworm’s back-end machines, Matonis started the same process of scouring the internet’s domain name system for domains that had been hosted at those servers’ IP addresses. And when he googled one of the first domains that process turned up, the Google-spoofing phishing link drive.googlmail.com.verification.security.login-service.ml, a single, remarkable result appeared. It was a message within the dump of emails hacked from the political party of the French president, Emmanuel Macron.
Just before the 2017 French election, WikiLeaks had published that collection of stolen emails, just as it had with Hillary Clinton’s campaign in the U.S. election the year prior. The message that contained the fake “googlmail” domain was a phishing email—likely the same one that the hackers had used to breach the Macron campaign’s servers and leak their contents. The hackers appeared to have forgotten to remove that lure email before dumping the whole collection of stolen messages. By leaking the full email trove with the phishing domain included—a domain Matonis had now linked to NotPetya—Sandworm’s hackers seemed to have spilled their own secrets along with the now-elected French president’s. And they’d definitively revealed they were involved in that 2017 election-hacking incident.
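The pivot Matonis performed has three mechanical steps: take the configuration traits of one known command-and-control server as a template, find other hosts that share those traits, then use passive DNS to enumerate the domains that resolved to the matching hosts and search a corpus for them. The following is an added example of that workflow, not code from the book or from Matonis. All of its data is constructed: the IP addresses come from the RFC 5737 documentation ranges, the domains use the reserved .test TLD, the e-mail lines are invented, and the attribute names used as the fingerprint (tor_relay, orport, dirport, exit_policy) are hypothetical placeholders, not the undisclosed Tor fingerprint described in the text. It also applies a caveat the narrative does not spell out: a domain that resolved to hosts outside the cluster as well as inside it is ambiguous and should be dropped rather than reported as linked.

```python
"""Infrastructure pivot: fingerprint one known server, cluster look-alike
hosts, join the cluster to passive-DNS records, and search a text corpus
for the resulting domains.  All data below is constructed sample data;
the fingerprint attributes are hypothetical, not the real one."""
import re
from collections import defaultdict

# Constructed scan observations: ip -> attributes seen on the host.
SERVERS = {
    "203.0.113.10": {"tor_relay": True, "orport": 9001, "dirport": 9030,
                     "exit_policy": "reject *:*", "first_seen": "2017-03-02"},
    "203.0.113.22": {"tor_relay": True, "orport": 9001, "dirport": 9030,
                     "exit_policy": "reject *:*", "first_seen": "2017-06-15"},
    "198.51.100.7": {"tor_relay": True, "orport": 9001, "dirport": 9030,
                     "exit_policy": "reject *:*", "first_seen": "2017-09-01"},
    # An ordinary volunteer relay: runs Tor but with a different setup.
    "198.51.100.40": {"tor_relay": True, "orport": 443, "dirport": 80,
                      "exit_policy": "accept *:*", "first_seen": "2017-05-20"},
    # An unrelated host that does not run Tor at all.
    "192.0.2.99": {"tor_relay": False, "first_seen": "2016-11-11"},
}

# Constructed passive-DNS records: (domain, ip) pairs observed resolving.
PDNS = [
    ("drive-verification.login-service.test", "203.0.113.10"),
    ("accounts-security-check.test", "203.0.113.22"),
    ("update-mailer.test", "198.51.100.7"),
    ("update-mailer.test", "198.51.100.40"),   # also seen outside the cluster
    ("relay-status.test", "198.51.100.40"),
    ("shop.test", "192.0.2.99"),
]

# Constructed lines standing in for a leaked e-mail dump.
CORPUS = [
    "From: IT Security <noreply@accounts-security-check.test>",
    "Connectez-vous: http://drive-verification.login-service.test/verify",
    "Re: agenda for Tuesday",
]

# Hypothetical trait names used as the template; the real one is undisclosed.
FINGERPRINT_KEYS = ("tor_relay", "orport", "dirport", "exit_policy")
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def fingerprint(seed_ip, servers=SERVERS, keys=FINGERPRINT_KEYS):
    """Extract the template traits from one known C2 server."""
    seed = servers[seed_ip]
    return {k: seed[k] for k in keys if k in seed}


def match_servers(fp, servers=SERVERS):
    """Every host whose observed attributes include all template traits."""
    return {ip for ip, attrs in servers.items()
            if all(attrs.get(k) == v for k, v in fp.items())}


def pivot_domains(cluster, pdns=PDNS):
    """Map each domain that resolved to a clustered IP to the IPs it used."""
    hits = defaultdict(set)
    for domain, ip in pdns:
        if ip in cluster:
            hits[domain].add(ip)
    return dict(hits)


def exclusive_domains(cluster, pdns=PDNS):
    """Domains seen only on cluster IPs; drop any that also resolved
    elsewhere, since shared hosting would otherwise produce false links."""
    outside = {d for d, ip in pdns if ip not in cluster}
    return set(pivot_domains(cluster, pdns)) - outside


def domains_in_corpus(domains, corpus=CORPUS):
    """Which candidate domains appear anywhere in the text corpus."""
    seen = set()
    for line in corpus:
        seen.update(HOSTNAME_RE.findall(line.lower()))
    return set(domains) & seen


def run(seed_ip="203.0.113.10"):
    """Full pivot from one seed server to corpus hits."""
    cluster = match_servers(fingerprint(seed_ip))
    candidates = exclusive_domains(cluster)
    return {"cluster": cluster, "candidates": candidates,
            "corpus_hits": domains_in_corpus(candidates)}


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {sorted(value)}")
```

The shared-hosting check is the part worth keeping when adapting this to real scan and passive-DNS data: a fingerprint that is too loose will sweep in legitimate volunteer relays, and an IP that hosted many unrelated domains will attach those domains to the cluster unless the join is filtered the way exclusive_domains does.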
ACKNOWLEDGMENTS
This book would not have been possible without the help of the late Mike Assante, who passed away in July 2019 after battling leukemia. Assante was unparalleled not only in his technical knowledge and analysis, but in the deep generosity with which he shared it. Even in his final months, Assante never hesitated to answer questions about the minutiae of his postmortem of the Ukrainian blackouts or the mechanics of his Aurora research. With both of those contributions and many, many others, Assante made the world a safer place for all of us. I hope that, in sharing those chapters of his life, this book helps honor his memory.
All of Sandworm’s central subjects spent countless hours telling me their stories, for which I’ll always be grateful. But many other sources spoke to me only to share a single anecdote or experience, often on the condition that their names would never appear in print. In many cases, they were telling me about highly sensitive situations in which they or their employer suffered the consequences of a disastrous cyberattack. I repeatedly heard the refrain that despite the risks to their career or the potential embarrassment of sharing the details of their victimization, they felt that this story “deserved to be told”—that its historical value or lessons for the security of other people and organizations was too great not to share. In an era marked by those in positions of power telling shameless, blatantly self-promotional lies, that sort of selfless truth telling is more admirable and important than ever.
My four translators and fixers from Ukraine to Russia to Korea—Grigory Kuznetsov, Margarita Minasyan, Daria Mykhaylova, and James Yoo—all did crucial work, helping to find many of those sources, allowing me to hear their stories, and shaping the narrative with their own reporting ideas. The amazing Chelsea Leu took on the even more involved and difficult task of retracing that reporting as a fact-checker. Thank you in particular, Chelsea, for the thankless months of work correcting my mistakes and misunderstandings.
My colleagues at Wired were all very generous in giving me the time and flexibility to write. They include Jahna Berry, Katie Davies, Erica Jewell, Nick Thompson, and Andrea Valdez. My Wired web editor, Brian Barrett, not only signed off on my book leave without hesitation but took on a new workload to help cover for me, writing more stories in my absence than I ever could have. He and Susan Murcko also edited many of the news stories whose events became chunks of the book’s narrative. Rob Capps deserves credit for first suggesting that I find the big story of cyberwar. John Gravois deftly and thoughtfully edited both the Wired piece that inspired this book and the early magazine excerpt adapted from it. Above all, my fellow Wired security writer Lily Hay Newman not only took on a huge amount of newswriting to keep Wired’s security channel buzzing during my leave but also helped me to think about the book’s narrative and ideas, gave the first draft an intensely thorough reading, and most heroically spent a day on Plum Island in the pouring rain to report on a DARPA black start exercise while I comfortably typed at home.
A big thank-you to my agent, Eric Lupfer, who has listened to plenty of half-baked ideas over the years before this one came to fruition and who first suggested the title Sandworm. This book’s editor at Doubleday, Yaniv Soha, was as patient, critical, and insightful a guide through this process as I could possibly have hoped for. Doubleday’s editorial assistant Cara Reilly also gave the book several invaluable rounds of edits. Thanks to both of you—and to Bill Thomas and Edward Kastenmeier—for so quickly seeing the potential of the proposal and choosing to work with me on this. Thanks to Kathy Hourigan for standing outside Yaniv’s office door to keep him editing quickly. Extra thanks to Dan Novack for his steel backbone as legal counsel, and others at Doubleday/Penguin Random House, including Sean Yule, Beth Pizio, Kate Hughes, Todd Doughty, Michael Goldsmith, Hannah Engler, and Ingrid Sterner.
Other miscellaneous but heartfelt thanks go out (in no particular order) to Mike Assante, Sam Chambers, James Lewis, Kenneth Geers, Alan Paller, Oleh Derevianko and the staff of ISSP in Kiev, Anne Applebaum, Cliff Stoll, Steven Levy, Alex Gladstein, Maryna Antonova, Khatuna Mshvidobadze, Zurab Akhvlediani, Elena Ostanina, Autumn Maison, Roman Dobrokhotov, Fyodor Mozgovoy, Adrian Chen, Joshua Corman, Trevor Timm, Ben Wizner, Edward Snowden, Patrick Neighorn, Cristiana Brafman Kittner, Marina Krotofil, Ben Miller, Anna Keeve, Ranson Burkette, Ilina Cashiola, Jessica Bettencourt, Sarah Kitsos, Jaime Padilla, Mike Smith, Walter Weiss, Nadya and Stephan Wasylko, Natalie Jaresko, Tom Mayer, Jasmine Lake, Bryan Fogel, Sarahana Shrestha, Sabrina Bezerra, Sam Greenberg, Naima Zouhali, and Steve Worrall, and a very big, special thank-you to Bertha Auquilla.
Thanks to Bilal Greenberg for keeping me entertained and for taking the epic naps that allowed me to write. And the last, immeasurable thank-you goes to my wife, Malika Zouhali-Worrall, my partner in this work and in everything else.
SOURCE NOTES
Many chapters of this book, particularly the historical ones, relied significantly on secondary sources, and I’m especially grateful to the authors of the works I’ve listed in the bibliography. The central story of Sandworm, however, was largely based on hundreds of hours of interviews, whose subjects I’ve tried to name in the text itself whenever possible. With the exception of stray facts I might have mistakenly failed to cite—my apologies in advance for any omissions—anything not included in the following endnotes should be attributed to my own reporting.
The epigraphs for each part of the book are from Frank Herbert’s Dune, pages 469, 11, 462, and 451.
CHAPTER 2 BLACKENERGY
Around 2007, Oleksiuk had sold: Jose Nazario, “BlackEnergy DDoS Botnet Analysis,” Arbor Networks, Oct. 2007, archived: bit.ly/2D0qzQ0.
By late 2007, the security firm Arbor Networks: Ibid.
CHAPTER 3 ARRAKIS02
Companies from Northrop Grumman to Dow Chemical: Ariana Eujung Cha and Ellen Nakashima, “Google China Cyberattack Part of Vast Espionage Campaign, Experts Say,” Washington Post, Jan. 14, 2010, www.washingtonpost.com.
CHAPTER 4 FORCE MULTIPLIER
Thirteen days after Trend Micro: “Ongoing Sophisticated Malware Campaign Compromising ICS,” ICS-CERT website, Dec. 10, 2014, ics-cert.us-cert.gov/.
CHAPTER 6 HOLODOMOR TO CHERNOBYL
The nation’s name itself: Reid, Borderland, 1.
By the beginning of the twentieth century: Ibid., 13.
Even after Bolshevism swept Russia: Ibid., 97.
In total, about 1.5 million Ukrainians: Ibid., 99.
The Soviet regime manufactured: Applebaum, Red Famine, xxvi.
“For God’s sake, use all energy”: Ibid., 25.
The secret police force: Ibid., 31.
When American Relief Administration: Ibid., 64.
At the same time, the most prosperous peasants: Ibid., 123.
They searched systematically: Ibid., 223.
The Soviet regime simply starved: Ibid., 236.
The Soviet government restricted travel: Ibid., 202.
The historian Anne Applebaum’s book: Ibid., 257.