Speakers at this year’s CyberwarCon conference dissected a new era of cyber warfare, as nation-state actors turn to a host of new advanced persistent threat (APT) strategies, tools and tactics to attack adversaries and spy on domestic dissidents and rivals. The highest profile example of this new era of nation-state digital warfare is a Russian military intelligence group called Sandworm, a mysterious hacking initiative about which little has been known until recently. The group has nevertheless launched some of the most destructive cyberattacks in history.
Wired journalist Andy Greenberg has just released a high-profile book about the group, which he said at the conference is an account of the first full-blown cyberwar led by these Russian attackers. He kicked off the event with a deep dive into Sandworm, providing an overview of the mostly human experiences of the group’s malicious efforts.
Sandworm first emerged in early 2014 with an attack on the Ukrainian electric grid that “was a kind of actual cyberwar in progress,” Greenberg said. The grid operators in Ukraine watched helplessly as “phantom mouse attacks” played out on their screens while Sandworm locked them out of their systems, turned off the backup power to their control rooms, and then cut electricity to a quarter-million Ukrainian civilians, the first blackout ever triggered by hackers.
In late 2016, Sandworm struck the Ukrainian grid again. “It was a quintessential example of a nation-state disruptive attack on an adversary in the midst of a kinetic war,” Greenberg said. If it hadn’t been for a configuration error in Sandworm’s malware, the attack could have been far more devastating. It could have burned down lines or blown up transformers, as Joe Slowik at Dragos recently discovered in his research of the incident, Greenberg pointed out.
Assume what happened in Ukraine will happen elsewhere
This was “the kind of destructive act on the power grid we’ve never seen before, but we’ve always dreaded.” Even more concerning, “what happens in Ukraine we’ll assume will happen to the rest of us too because Russia is using it as a test lab for cyberwar. That cyberwar will sooner or later spill out to the West,” Greenberg said. “When you make predictions like this, you don’t really want them to come true.”
Sandworm’s adversarial attacks did spill out to the West in its next big attack, the NotPetya malware, which swept across continents in June 2017, causing untold damage in Europe and the United States, but mostly in Ukraine. NotPetya took down “300 Ukrainian companies and 22 banks, four hospitals that I’m aware of, multiple airports, pretty much every government agency. It was a kind of a carpet bombing of the Ukrainian internet, but it did immediately spread to the rest of the world fulfilling [my] prediction far more quickly than I would have ever wanted it to,” Greenberg said.
The enormous financial costs of NotPetya are still unknown, but for companies that have put a price tag on the attack, the figures are staggering. Shipping giant Maersk, which struggled for months to get back on its feet after watching all its computer screens turn “black, black, black, black, black,” in the words of one Maersk employee, pegged the price of the attack at $300 million. Drug company Merck suffered even greater consequences, with an estimated cost of the attack at $870 million. These and other known financial losses, which to date are estimated at $10 billion, should be considered a floor, a minimum measure of the impact of the consequences of NotPetya, Greenberg said, citing former US Department of Homeland Security advisor Tom Bossert.