Sandworm


by Andy Greenberg


  Experts largely agreed the profit motive: Ibid.

  “Circumstantial evidence and conventional wisdom”: Edward Snowden, Twitter post, Aug. 16, 2016, twitter.com, archived at bit.ly/2RdZGwc.

  This time they offered up: Shadow Brokers, “Message#5—Trick or Treat?” Medium, Oct. 30, 2016, Medium.com, archived at bit.ly/2MvthQW.

  “We’re sending a message”: William M. Arkin, Ken Dilanian, and Robert Windrem, “CIA Prepping for Possible Cyber Strike Against Russia,” NBC News, Oct. 14, 2016, www.nbcnews.com.

  “TheShadowBrokers is trying”: Shadow Brokers, “REPOST: TheShadowBrokers Message#6,” Steemit, Dec. 2016, Steemit.com, archived at bit.ly/2FPu4vt.

  “So long, farewell”: Shadow Brokers, “Message Finale,” TheShadowBrokers.bit, Jan. 12, 2017, archived at bit.ly/2CJn4wv.

  Some in the security industry speculated: Kevin Poulsen, “Mystery Hackers Blow Up Secret NSA Hacking Tools in ‘Final F——k You,’ ” Daily Beast, Jan. 13, 2017, www.thedailybeast.com/.

  “The fun is over”: Joseph Cox, “NSA Exploit Peddlers the Shadow Brokers Call It Quits,” Motherboard, Jan. 12, 2017, www.motherboard.vice.com.

  “We recognize Americans’ having more in common”: Shadow Brokers, “Don’t Forget Your Base,” Medium, April 8, 2017, medium.com, archived at bit.ly/2CKzBQ5.

  “Russia is likely using the latest”: Jake Williams, “Russia ‘Crosses the Rubicon’ with Newest Shadow Brokers Dump,” Peerlyst, April 9, 2017, www.peerlyst.com, archived at bit.ly/2CJTlDG.

  “@malwarejake You having big mouth”: Shadow Brokers, Twitter post, twitter.com, April 9, 2017, archived at bit.ly/2B38u2T.

  CHAPTER 22 ETERNALBLUE

  “Last week theshadowbrokers be trying”: Shadow Brokers, “Lost in Translation,” Steemit.com, April 14, 2017, www.steemit.com, archived at bit.ly/2FQ7Auy.

  Or, as my Wired colleague Lily Hay Newman: Lily Hay Newman, “The Leaked NSA Spy Tool That Hacked the World,” Wired, March 7, 2018, www.wired.com.

  The Washington Post would later confirm: Ellen Nakashima and Craig Timberg, “NSA Officials Worried About the Day Its Potent Hacking Tool Would Get Loose. Then It Did,” Washington Post, May 16, 2016, www.washingtonpost.com.

  They immediately received tens of thousands: Dan Goodin, “>10,000 Windows Computers May Be Infected by Advanced NSA Backdoor,” Ars Technica, April 21, 2017, arstechnica.com.

  Within a week of the Shadow Brokers’ release: “DoublePulsar,” Binary Edge (blog), April 21, 2017, blog.binaryedge.io, archived at bit.ly/2RNPiAq.

  Researchers were calling the new ransomware WannaCry: Jakub Křoustek, “WannaCry Ransomware That Infected Telefonica and NHS Hospitals Is Spreading Aggressively, with over 50,000 Attacks So Far Today,” Avast (blog), May 12, 2017, blog.avast.com, archived at bit.ly/2FXxbRz.

  Thousands of people had their doctors’: Amyas Morse, “Investigation: WannaCry Cyber Attack and the NHS,” U.K. National Audit Office, Oct. 24, 2017, www.nao.org.uk.

  The Spanish telecommunications firm: Agamoni Ghosh and India Ashok, “WannaCry: List of Major Companies and Networks Hit by Ransomware Around the Globe,” International Business Times, May 16, 2017, www.ibtimes.co.uk.

  “I picked a hell of a fucking week”: Marcus Hutchins, Twitter post, May 12, 2017, twitter.com, archived at archive.is/9CkQn.

  The entire scheme generated: Samuel Gibbs, “WannaCry: Hackers Withdraw £108,000 of Bitcoin Ransom,” Guardian, Aug. 3, 2017, www.theguardian.com.

  Perhaps its creators had been testing: Andy Greenberg, “The WannaCry Ransomware Hackers Made Some Real Amateur Mistakes,” Wired, May 15, 2017, www.wired.com.

  Within days, security researchers at Google: Andy Greenberg, “The WannaCry Ransomware Has a Link to North Korean Hackers,” Wired, May 15, 2017, www.wired.com.

  By December 2017, the Trump White House: “Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea,” Whitehouse.gov, Dec. 19, 2017.

  He’d later tell a Maryland court: Sean Gallagher, “NSA Employee Who Brought Hacking Tools Home Sentenced to 66 Months in Prison,” Ars Technica, Sept. 25, 2018, arstechnica.com.

  The contractor, the report stated: Gordon Lubold and Shane Harris, “Russian Hackers Stole NSA Data on U.S. Cyber Defense,” Wall Street Journal, Oct. 5, 2017, www.wsj.com.

  It had, the company: “Preliminary Results of the Internal Investigation into Alleged Incidents Reported by US Media (Updated with New Findings),” Kaspersky blog, Oct. 25, 2017, www.kaspersky.com, archived at bit.ly/2B4xnLn.

  Aside from Nghia Hoang Pho: Josh Gerstein, “Suspect’s Twitter Messages Played Role in NSA Hacking-Tools Leak Probe,” Politico, Dec. 31, 2018, www.politico.com; and Kim Zetter, “Exclusive: How a Russian Firm Helped Catch an Alleged NSA Data Thief,” Politico, Jan. 9, 2019, www.politico.com.

  CHAPTER 23 MIMIKATZ

  DigiNotar was blacklisted: Kim Zetter, “Diginotar Files for Bankruptcy in Wake of Devastating Hack,” Wired, Sept. 20, 2011, wired.com.

  CHAPTER 24 NOTPETYA

  When he stopped at an intersection: “Car Bomb Kills Senior Intelligence Officer in Central Kyiv,” NTD, June 27, 2017, mb.ntd.com.

  He was killed instantly: Christopher Miller, “Colonel in Ukrainian Military Intelligence Killed in Kyiv Car Bombing,” Radio Free Europe/Radio Liberty, June 27, 2017, www.rferl.org.

  Parts of his vehicle flew dozens: Alec Luhn, “Ukrainian Military Intelligence Officer Killed by Car Bomb in Kiev,” Guardian, June 27, 2017, www.theguardian.com.

  Instead, its extortion messages seemed: Matt Suiche, “Petya.2017 Is a Wiper Not a Ransomware,” Comae blog, June 28, 2017, blog.comae.io/, archived at bit.ly/2UjSdxI.

  It crippled multinational companies: Eduard Kovacs, “NotPetya Attack Costs Big Companies Millions,” SecurityWeek, Aug. 17, 2017, www.securityweek.com.

  It even spread to Russia: “Информационная система Evraz подверглась хакерской атаке,” РИА Новости, June 27, 2017, www.rbc.ru/; Yuri Zoria, “Ukrainian Banks, Enterprises, Media and Energy Companies Under Powerful Cyber Attack, Including Chornobyl NPP—LiveUpdates,” Euromaidan Press, June 27, 2017, euromaidanpress.com/; “Malicious Malware: Lessons Learned and What to Expect from Cyber Crime in 2018,” Tass, Jan. 1, 2018.

  CHAPTER 25 NATIONAL DISASTER

  The monumental mission of the Chernobyl facility’s staff: “The New Safe Confinement Made Simple,” Chernobyl NPP website, chnpp.gov.ua/.

  According to ISSP: Raphael Satter, “Ukraine Official: Worm Likely Hit 1 in 10 State, Company PCs,” Associated Press, July 6, 2017, dailyherald.com.

  CHAPTER 27 THE COST

  “We overcame the problem”: Richard Chirgwin, “IT ‘Heroes’ Saved Maersk from NotPetya with Ten-Day Reinstallation Bliz,” Register, Jan. 25, 2018, www.theregister.co.uk.

  “Without computers these days”: Hamza Shaban and Ellen Nakashima, “Pharmaceutical Giant Rocked by Ransomware Attack,” Washington Post, June 27, 2017, www.washingtonpost.com.

  In its financial report: “Merck & Co. (MRK) Q3 2017 Results—Earnings Call Transcript,” Seeking Alpha, Oct. 17, 2017, seekingalpha.com.

  Two congressmen would write: Alex Keown, “Recent Cyberattack on Merck & Co. Could Lead to Drug Shortage,” Biospace.com, Sept. 25, 2017, www.biospace.com.

  Reckitt Benckiser, the British manufacturer: Chelsea Leu, “The Cost of NotPetya,” sidebar to “The Code That Crashed the World,” Wired, Aug. 2017, www.wired.com.

  To get a sense of what: Kate Fazzini, “The Landmark Ransomware Campaign That Crippled Atlanta Last March Was Created by Two Iranians, Says DoJ,” CNBC, Nov. 28, 2018, www.cnbc.com/.

  One woman, fifty-six-year-old: “Heritage Valley Health, Drugmaker Merck Hit by Global Ransomware Cyberattack,” Associated Press, June 27, 2017, www.post-gazette.com.


  He points to a New England Journal of Medicine: Anupam B. Jena et al., “Delays in Emergency Care and Mortality During Major U.S. Marathons,” New England Journal of Medicine, April 13, 2017, www.nejm.org.

  CHAPTER 29 DISTANCE

  At the same time, Trump: Philip Bump, “What Trump Was Saying About Russia and Putin—and What the Campaign Was Doing,” Washington Post, Dec. 14, 2017, www.washingtonpost.com/.

  “Why should U.S. taxpayers”: Nick Wadhams and John Follain, “Tillerson Asks Why U.S. Taxpayers Should Care About Ukraine,” Bloomberg, April 11, 2017, www.bloomberg.com.

  Serper, ESET, and Cisco’s Talos: David Maynor et al., “The MeDoc Connection,” Talos (blog), Cisco, July 5, 2017, blog.talosintelligence.com, archived at bit.ly/2S6UpuU.

  CHAPTER 30 GRU

  “NotPetya was probably launched”: “NotPetya and WannaCry Call for a Joint Response from International Community,” NATO Cooperative Cyber Defence Centre of Excellence, June 30, 2017, ccdcoe.org.

  In late 2018: Steve Evans, “Mondelez’s NotPetya Cyber Attack Claim Disputed by Zurich: Report,” Reinsurance News, Dec. 17, 2018, www.reinsurancene.ws.

  “Russian Military Was Behind”: Ellen Nakashima, “Russian Military Was Behind ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes,” Washington Post, Jan. 12, 2018, www.washingtonpost.com/.

  CHAPTER 31 DEFECTORS

  The military spy agency’s mission: Suvorov, Inside Soviet Military Intelligence, 8.

  Nor did it ever take the public blame: Ibid., 39.

  Vladimir Rezun, a GRU captain: Ibid., 3.

  On another occasion, he writes: Ibid., 162.

  The twenty-nine-year-old had grown up: Hart, CIA’s Russians, 18.

  Over the next six years: Richard C. S. Trahair and Robert L. Miller, Encyclopedia of Cold War Espionage, Spies, and Secret Operations (New York: Enigma Books, 2009), 342.

  Then, in 1959, after a botched: Hart, CIA’s Russians, 51.

  His father had been killed: Schecter and Deriabin, Spy Who Saved the World, 59.

  He also hoped to make enough: Ibid., 87.

  He’d pass the materials: Ibid., 179.

  By some accounts, it was that warning: Jerrold Schechter, “A Very Important Spy,” New York Review of Books, June 24, 1993, www.nybooks.com.

  Exactly how he was caught: Hart, CIA’s Russians, 123.

  At the Brits’: Schecter and Deriabin, Spy Who Saved the World, 75.

  As he later described it: Suvorov, Inside the Aquarium, 241.

  In his new life: Dimitri Simes, “A Soviet Defector Cashes In on His Story,” Washington Post, May 11, 1986, www.washingtonpost.com.

  His most revelatory books: “The Aquarium GRU Headquarters,” Federation of American Scientists Intelligence Resource Program, fas.org.

  He describes a weeklong: Suvorov, Inside the Aquarium, 92, 131, 148.

  Rezun went on to detail: Suvorov, Inside Soviet Military Intelligence, 105, 124.

  According to Rezun: Suvorov, Inside the Aquarium, 143.

  Space, too, was the GRU’s: Suvorov, Inside Soviet Military Intelligence, 60.

  Rezun’s own innovation: Suvorov, Inside the Aquarium, 193.

  “This company, which numbers 115”: Ibid., 33.

  In some cases, he wrote: Ibid., 38.

  (While that description): “Torture and Ill-Treatment—Comments on the Second Periodic Report Submitted to the United Nations Committee Against Torture,” Amnesty International, Oct. 1, 1996, www.refworld.org.

  In that volume: Viktor Suvorov, Spetsnaz: The Inside Story of the Soviet Special Forces (New York: Norton, 1987), 98.

  “One likely target would be”: Lunev, Through the Eyes of the Enemy, 32.

  After congressional hearings: Nicholas Horrock, “FBI Focusing on Portable Nuke Threat,” UPI, Dec. 21, 2001, bit.ly/2TiKvDO.

  But other Soviet defectors confirmed: Alexander Kouzminov, “False Flags, Ethnic Bombs, and Day X,” California Literary Review, April 25, 2005, archived at bit.ly/2B7yn1w.

  “It should not be shocking”: Lunev, Through the Eyes of the Enemy, 32.

  By most accounts: Luke Harding, “The Skripal Files by Mark Urban: Review—the Salisbury Spy’s Story,” Guardian, Oct. 17, 2018, www.theguardian.com.

  Reporting by the BBC: Richard Galpin, “Russian Spy Poisoning: Why Was Sergei Skripal Attacked?,” BBC, Oct. 25, 2018, www.bbc.com.

  The father and daughter: John Lauerman and Caroline Alexander, “Novichok, Russian Nerve Agent Spooking Britain,” Bloomberg QuickTake, Washington Post, July 5, 2018, www.washingtonpost.com.

  Tragically, two British: Vikram Dodd and Stephen Morris, “Novichok That Killed Woman Came from Bottle, Police Believe,” The Guardian, July 13, 2018, theguardian.com.

  CHAPTER 32 INFORMATSIONNOYE PROTIVOBORSTVO

  The GRU’s spies had missed: S.J., “What Is the GRU?” Economist, Sept. 11, 2018, www.economist.com.

  Attempts to intercept: Mark Galeotti, “Putin’s Hydra: Inside Russia’s Intelligence Services,” European Council on Foreign Relations Policy Brief, May 2016, 6, www.ecfr.eu.

  Moscow came to see: Mark Galeotti, “Putin’s Secret Weapon,” July 7, 2014, foreignpolicy.com.

  (The GRU was even threatened): Mark Galeotti, “We Don’t Know What to Call Russian Military Intelligence and That May Be a Problem,” War on the Rocks, Jan. 19, 2016, warontherocks.com.

  One clue: “What Is the GRU? Who Gets Recruited to Be a Spy? Why Are They Exposed So Often?” Meduza, Nov. 6, 2018, meduza.io/.

  “seemed more comfortable accompanying”: Galeotti, “Putin’s Secret Weapon.”

  Korabelnikov was eventually replaced: Galeotti, “Putin’s Hydra,” 6.

  It was the GRU that led: Galeotti, “Putin’s Secret Weapon.”

  “shown the rest of the world”: Ibid.

  In the spring: “MH17—Russian GRU Commander ‘Orion’ Identified as Oleg Kannikov,” Bellingcat, May 25, 2018, www.bellingcat.com; and “Third Suspect in Skripal Poisoning Identified as Denis Sergeev, High Ranking GRU Officer,” Bellingcat, Feb. 24, 2019, bellingcat.com.

  It was based on a speech: Valery Gerasimov, “The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying Out Combat Operations,” Military-Industrial Courier, Feb. 27, 2013, translated and reprinted in Military Review, Jan./Feb. 2016, usacac.army.mil/.

  The article was little noticed: Mark Galeotti, “The ‘Gerasimov Doctrine’ and Russian Non-linear War,” In Moscow’s Shadow, Feb. 27, 2013, inmoscowsshadows.wordpress.com, archived at bit.ly/2G2NsEK.

  CHAPTER 33 THE PENALTY

  “In June 2017, the Russian military”: Sarah Huckabee Sanders, “Statement from the Press Secretary,” Whitehouse.gov, Feb. 15, 2018, www.whitehouse.gov.

  By that night: “Russian Military ‘Almost Certainly’ Responsible for Destructive 2017 Cyber Attack,” National Cyber Security Centre website, Feb. 15, 2018, www.ncsc.gov.uk; “CSE Statement on the NotPetya Malware,” Communications Security Establishment website, Feb. 15, 2018, www.cse-cst.gc.ca; “New Zealand Joins International Condemnation of NotPetya Cyber-attack,” Government Communications Security Bureau, Feb. 16, 2018, www.gcsb.govt.nz; “NotPetya Malware Attributed,” CERT Australia website, Feb. 16, 2018, www.cert.gov.au [inactive].

  “We strongly reject such accusations”: “Kremlin Slams ‘Russophobic’ Allegations That Pin NotPetya Cyber Attack on Russia,” TASS, Feb. 15, 2018, tass.com/.

  The U.S. Treasury announced: “Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-attacks,” U.S. Department of the Treasury website, March 15, 2018, home.treasury.gov.

  In an announcement made: “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” US-CERT website, March 15, 2018, www.us-cert.gov.

  Kirstjen Nielsen would explain: Blake Sobszak, “DHS on Russian Grid Hackers: ‘They Are Doing Research,’ ” EnergyWire, Oct. 3, 2018, www.eenews.net.

  The security firm Symantec had first detailed: Andy Greenberg, “Hackers Gain Direct Access to U.S. Power Grid Controls,” Wired, September 6, 2017, wired.com.

  CHAPTER 34 BAD RABBIT, OLYMPIC DESTROYER

  It contained fully 67 percent: Dan Raywood, “The Rabid Ransomware Bunnies Behind #BadRabbit,” Infosecurity, Oct. 25, 2017, www.infosecurity-magazine.com.

  CHAPTER 35 FALSE FLAGS

  In the run-up to the Olympics: Andy Greenberg, “Hackers Have Already Targeted the Winter Olympics—and May Not Be Done,” Wired, Feb. 1, 2018, www.wired.com.

  The North Korean dictator, Kim Jong Un: Joe Sterling, Sheena McKenzie, and Brian Todd, “Kim Jong Un’s Sister Is Stealing the Show at the Winter Olympics,” CNN, Feb. 10, 2018, www.cnn.com.

  The two countries had even taken: Ivan Watson, Stella Ko, and Sheena McKenzie, “Joint Korean Ice Hockey Team Plays for First Time Ahead of Olympics,” CNN, Feb. 5, 2018, www.cnn.com.

  Russian athletes could compete: Rebecca R. Ruiz and Tariq Panja, “Russia Banned from Winter Olympics by I.O.C.,” New York Times, Dec. 5, 2017, www.nytimes.com.

  “We know that Western media are planning”: “Olympics Officials Confirm There Was a Cyber Attack During the Opening Ceremony—and Russia’s Already Denying They Did It,” Reuters, Business Insider, Feb. 11, 2018, www.businessinsider.com.

  The data-wiping portion of Olympic Destroyer: Juan Andres Guerrero-Saade, Priscilla Moriuchi, and Greg Lesnewich, “Targeting of Olympic Games IT Infrastructure Remains Unattributed,” Recorded Future blog, Feb. 14, 2018, www.recordedfuture.com, archived at bit.ly/2CXNGdd.

 
