Transcription performed by Leah Hervoly www.leahtranscribes.com
[START OF RECORDING]
JACK: Hackers in the Olympics? Yeah, it’s happened in the fencing competition of all places. Have you watched modern fencing lately? If you watch it, I have one tip for you; don’t blink. Fencing is extremely fast. The blades are whipping through the air. [MUSIC] As a spectator, you’re trying to see who hit who first, keeping your eyes on two different swords at once. It’s impossible to tell. In fact, it’s impossible for the judges to tell, too, so they’ve adopted technology to help. Now, I’m not talking about some high-speed camera. No, it’s more technical than that. There’s circuitry involved. In order to score a point, your foil or sword needs to apply 0.75 kilograms of pressure to the opponent’s target area which is their head or chest. You have to directly poke with the foil. Slashing or hitting the target with the side of the foil doesn’t count. To help the judges figure out who struck who first with enough force, they’ve added electronic components to the sword and protective gear.
Basically, there are wires going up the center of the sword and at the tip is a little pressure plate so when you push the tip of the sword with 0.75 kilograms of pressure, it completes the circuit of the sword. Each fencer has a helmet and chest protector which is wired to the same electronic circuit. Basically, to add it all up, when the sword is pressed into the opponent’s chest or helmet at 0.75 kilograms of pressure or more, an electronic circuit is complete and a point is scored. It’s a fairly simple but technical way of scoring in fencing, but this means electronics and computers are now the judges. You see where I’m going with this, right? In the 1976 Olympics in Montreal, Quebec, this got exploited. Fencing competitor Boris Onischenko, representing the Soviet Union, rigged his sword.
He hacked it and added a button on the grip so that he could push it and complete the circuit whenever he wanted. His plan was to swing at the opponent, push the button, and the computer judge would count it as a hit. He went up against a British opponent and did just that; he lunged, missed, pushed the button, and a point was scored for Boris. Genius. The judges didn’t catch it and he was now in the lead. But his British opponent protested and said he didn’t feel the hit at all, and asked the judges to inspect the sword. That’s when they found Boris’ button and disqualified him from the event for hacking. The British team that exposed him went on to win the gold medal. Yeah, hackers in the Olympics.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: For this episode, we’re gonna visit with our old friend Andy Greenberg. We had Andy on before to tell us the story of NotPetya back in Episode 54 and as you may recall, Andy wrote a book called Sandworm which went into great detail about the NotPetya attack. He’s an amazing investigative journalist and today Andy is going to talk to us about hacking the Olympics.
ANDY: My name is Andy Greenberg and I – did you ask me my title? My title is Senior Writer at Wired. But I guess for the purposes of this interview, I’m still the author of Sandworm because this is a story from Sandworm.
JACK: [MUSIC] The story takes place in the Winter Olympics in 2018 which was in South Korea in the city of Pyeongchang. The opening ceremony was on February 8th. The city was well below freezing at that time and volunteers donned face masks to protect themselves from the icy wind blowing through the stadium. Sang-jin Oh, the man running IT for the Olympics, was sitting in a plastic chair a few dozen rows above the stadium waiting for the opening ceremony to start. A lot of preparations took place to get to this point and you might not think about how many IT preparations there are for the Olympics, but there are a ton. Sang-jin Oh managed it all. Just to start out, he had 150 employees to manage the IT infrastructure for these Olympics.
That’s a pretty big IT staff. I mean, it’s bigger than the size of some Fortune 500 IT teams. It’s that big because there’s a ton of things to manage. There’s restricted areas which require electronic key cards to access, there are phone apps to help spectators enjoy their experience, there’s ticketing systems, WiFi in stadiums, fields, and around the villages, and a ton of other systems to help people get from one place to another. Of course, there’s many stadiums, courses, and buildings where all this IT infrastructure has to work. They set up a data center [00:05:00] with a 24/7 network operation center monitoring everything that was going on. Oh felt like everything was ready for the games to begin. He sat in the stadium to watch the opening ceremony. This was the pinnacle of his career, or so he thought. The lights dimmed, everyone went quiet. The ceremony was starting.
ANDY: Ten seconds before 8:00 PM, this choir of Korean children begins to do this countdown, this ten-second countdown to the beginning of the opening ceremony. [CHILDREN COUNTING] Just as they’re counting down in Korean, and this is reverberating across the stadium, [PHONE NOTIFICATIONS] Sang-jin Oh looks down at his phone and sees that he has this flood of text messages telling him that all of the domain controllers in the Olympics’ data centers in Seoul are being wiped one by one.
JACK: [MUSIC] These domain controllers were incredibly important. They controlled authentication and authorization for everything from the WiFi onsite to the Olympic app. The app managed everything that athletes, visiting dignitaries, staff, and tens of thousands of attendees needed for finding their way around, handling their tickets and gaining access to secure locations, and even check-in to the hotels. Basically, all the stuff that would allow anyone to get access to anything was on the fritz.
ANDY: But he starts responding to his subordinates. He starts texting them back and then he realizes that he needs to get to the technology operation center in Gangneung, so he [MUSIC] gets up, he runs out of the opening ceremony. As he’s leaving, he can already hear journalists complaining that the WiFi isn’t working in the stadium, the IPTV systems are down across the facility and other facilities around the whole Olympic campus in Pyeongchang. The app seems to be failing as well; people are trying to get into the stadium and they’re unable to access tickets, it turns out. This is perhaps the worst possible news that you could get at this exact moment as you’re hoping to watch this event come to fruition that you’ve been working on for three years.
HOST1: One hundred medal events, so a little bit of history is being made during these games in 2018.
HOST2: I wonder how the organizers are feeling right at this moment. They have worked so hard to get to this stage; hours, days, years, and this is the culmination. This is it. This is the start. This is the big, big moment.
ANDY: As all of this is happening, Oh is running out of the stadium. He meets up with two of the people who work for him on his staff and they get into an SUV and they start this long drive to Gangneung, this neighboring town. [MUSIC] Well, when he arrives, the staff is in such a state of – I wouldn’t say panic but sort of disarray; that they’re standing up and talking to each other in clumps. They can’t even access their e-mail. All of their systems seem to be down.
JACK: When we say that all their systems seem to be down, you have to understand just how massive the infrastructure of these games was. We’re talking 10,000 PCs, 20,000 mobile devices, 6,300 WiFi routers, and 300 servers which existed in two different data centers in Seoul, all this being managed by a team of 150 IT staffers.
ANDY: We find out later, in fact, the ticketing system which is integrated into the Olympics app was broken too, and that some people had been locked out of the opening ceremony.
JACK: But that was later. In this particular moment, it was chaos. It’s hard to focus and troubleshoot one thing when there’s a million things going wrong at once. The pressure that the whole world is watching right now makes the stress so much worse. Now, Oh had followed best practices for setting up the IT infrastructure of the Olympics. His team had done its best to prepare in case something bad happened.
ANDY: Their cyber-security advisory group had met twenty times since 2015 and they had done drills for fires and earthquakes, and even cyber-attacks. But then when the actual moment hit, when the disaster actually came, it was still very shocking. No drills can prepare you for an actual destructive cyber-attack of this scale. They know that if they can’t fix all of this before the end of the opening ceremony in two hours, then a kind of chaos will unfold where 35,000 people leave the stadium and can’t figure out where to go next, that it’ll be this massive embarrassment in one of the world’s most wired countries.
JACK: The team frantically created a workaround to get the official Olympic app working which would allow visitors to get in and out of the opening ceremony. But their domain controllers and many other parts of the network remained down throughout the entire opening ceremony, causing a lot of problems. Embarrassing, yes. Frustrating, yes. But now that the opening ceremony was [00:10:00] over, a new clock started. The IT staff knew they had all night to evict the hackers, rebuild the systems, and try to get the network back up and operational again by the time the first competition started in the morning.
ANDY: [MUSIC] Then these poor IT staffers spend the entire night battling to rebuild the entire backbone of the Olympics. They initially bypass all of their domain controllers which are down. That allows them to bring some services back online but they know that that’s not a stable or a secure way to maintain a network. Then they spend hours and hours trying to rebuild everything, but they find that as they’re rebuilding domain controllers, for instance, they’re being wiped again by some piece of malware in their system. They are able to figure out that it’s this one malicious file called winlogon.exe.
JACK: Ugh, I hate it when hackers do this. The malware was called winlogon.exe which is also the name of a real process within Windows; a normal, benign, critical process that’s required for your operating system to work. I hate it because when you’re going through the computer looking for malware, you’re not gonna notice that’s the malware because it has the same name of a process that should be running. But this malicious winlogon.exe was a worm that would first try to spread itself to as many other machines as it could and then begin wiping the entire system it infected; deleting configurations, settings, applications, files, and it would even screw up the operating system, rendering the core servers of the Winter Olympics unusable.
ANDY: There’s this kind of fog of war where they don’t know what is erasing their work as they go. Their domain controllers are being wiped repeatedly so eventually they resort to actually taking their whole network offline around midnight which results in even their website going down. This is a pretty extreme measure because they think that the hackers somehow are still maintaining remote access to their systems. [MUSIC] Only around 5:00 AM are they able to – with the help of this Korean security company AhnLab – isolate and create a signature for this automated piece of malware. At 6:30 AM, they think that they’ve essentially eradicated this malware and they reset every staffer’s password in the hopes of locking out the hackers from any further access. Just before 8:00 AM, twelve hours after the cyber-attack began, they finally finish reconstructing the entire IT back end, rebuilding all the servers from backups and restarting everything. Amazingly, this works. This is kind of a feat of IT heroics.
JACK: They just barely got the network back up in time for visitors, competitors, and staffers to pour into the stadiums and fields and Olympic villages that morning. But what happened here? Malware ripped through the IT infrastructure of the Winter Olympics in South Korea at the exact moment the opening ceremony started. Was this sabotage? A targeted attack? Some teenage hacktivists making a statement? It was unclear but there was no time to stop and think about that. The IT teams were exhausted and they had to make sure the games continued without any more problems. The heroic effort the IT teams put into keeping that network stable paid off. For the rest of that Olympic games, there were no more cyber-attacks.
ANDY: But when I spoke to Sang-jin Oh, the director of the Olympics’ IT staff, he remains today almost traumatized by these events. He knows that they were just minutes or hours, at the very least, from disaster and that it took a kind of enormous effort to save these Pyeongchang Olympics from utter digital chaos and he’s still very angry that someone would dare to launch this cyber-attack against an actual global and peaceful event. It’s always a kind of test of a country’s organizational capabilities to run an event this big. It would have been a kind of black mark on the Olympics forever that it had been digitally broken.
JACK: [MUSIC] We have a major attack on a major sporting event the world is all watching. Who are the usual suspects here? Who would want to attack the Olympics like this?
ANDY: I guess this was maybe my first thought, was that this was probably North Korea because North Korea has a history of these kind of wanton, irrational cyber-attacks against South Korea in particular. They might be incentivized just to try to embarrass their neighbors who they’re always – they remain, actually, formally at war with South Korea. This is an opportunity to throw a wrench in the works and humiliate their South Korean neighbors.
JACK: Okay, that makes sense. North Korea definitely has a motive. They’ve attacked South Korea numerous times and have the capability to do such a thing like this. But it’s just shocking to me to think that this is a nation state-sponsored attack because the Olympics are supposed to be a peaceful event where we can celebrate the world coming together for a friendly sporting competition. [00:15:00] But North Korea was not the only suspect. There was one country that didn’t get invited to the Winter Olympics that year, a country who’s highly competitive and always wins gold medals every Olympics. [MUSIC] See, the Winter Olympics just before this was in Sochi, Russia.
There, a bunch of Russians won gold medals and were tested for using steroids and other illegal drugs to enhance their performance. But the tests all came back negative for the Russians. They were all clean. But an investigation years later discovered that some of the tests and samples were swapped before being sent to the lab which returned a negative result even if the athlete was doping. The Worldwide Anti-Doping Agency and the International Olympic Committee discovered that Russia was doping and faking the drug tests. Because of that, they banned Russia from competing in the 2018 Olympics in South Korea. Russia denied that any doping took place and was furious with this ban.
ANDY: Russia had been banned from these Olympics for doping. Russia had, in fact, already been carrying out a hacking campaign against the Worldwide Anti-Doping Agency, stealing and leaking documents that were designed to embarrass the agency and to show that they were biased and that their investigation of Russia’s doping efforts – which were very real and organized – to show that that investigation was somehow fraudulent or unfair.
JACK: For Russia to be banned from the Olympics and then hack into the Worldwide Anti-Doping Agency and International Olympic Committee to publish private e-mails as retaliation; yeah, it’s definitely sounding like Russia has the motive, capability, and know-how to wage an attack on the Winter Olympics like this.
ANDY: But once we look at the forensics, then that’s where it starts to get weirder ‘cause China comes up as well. There’s all three.
JACK: [MUSIC] Oh great, now China’s a suspect, too. Why can’t it ever be easy to figure out who’s behind these attacks? As people began analyzing this malware, they saw that parts of the code were written by Chinese hackers. Specifically, this section of the code appeared in previous attacks done by China and no other attacking team used code like that. Now, when Oh’s IT team was busily trying to defeat this malware, someone uploaded it to VirusTotal. VirusTotal is a website where you can upload malware and it’ll tell you information about that malware. It’s a great tool to help you understand what you’re dealing with. But this malware was new and VirusTotal had no information on it. Now, when new malware gets uploaded to VirusTotal, premium members can get a copy of it to analyze it. When Oh’s team uploaded it, a bunch of threat research companies downloaded it and started analyzing it. One of those teams who took a look was Cisco Talos. This is a threat intelligence team within Cisco which is a company that makes networking equipment. Cisco Talos analyzed winlogon.exe, that malicious file that wiped the computers, and it was Talos that gave this worm a name; Olympic Destroyer.
ANDY: [MUSIC] The basic components of Olympic Destroyer were a password-stealing tool and then a component that would use those stolen passwords with remote access features to spread among computers and destroy all of the data on them essentially by deleting the boot configuration from infected machines and then disabling all of their Windows services and shutting the computer down so it couldn’t be rebooted. In some ways, those components looked very familiar. Their basic form resembled two other pieces of disruptive malware; NotPetya and Bad Rabbit, both of which were these worms released in Ukraine and very widely believed to be Russian in origin. Both of those attacks also had contained password-stealing tools to spread and then a destructive wiper as their payload.
JACK: Interesting that this resembled NotPetya. [MUSIC] If you don’t know about NotPetya, I highly recommend listening to Episode 54 because NotPetya was a major cyber-attack waged on Ukraine, knocking a huge portion of Ukraine’s network offline which could absolutely be seen as an act of cyber-war. Once again, that’s an indicator that this could have been a state-sponsored attack from Russia but strangely enough, Russia denied this cyber-attack on the South Korean Olympics before it happened.
ANDY: The Russian government had actually made a statement about the fact that they had not done a cyber-attack against the Olympics before the Olympics began. They said that we will be accused of doing a cyber-attack against the Olympics but there will be no evidence which was a very weird thing, and everybody who saw that I think was like, what? We haven’t even said anything yet. Why are you trying to deny having done an attack that has not even occurred yet? It was very weird.
JACK: Yeah, who knows what to make of that? [00:20:00] It’s certainly fishy, but then you look at the code and there’s one big problem.
ANDY: Although it kind of had that same shape, it was also rewritten from scratch. Olympic Destroyer didn’t seem to actually share any code with NotPetya or Bad Rabbit.
JACK: Cisco Talos published their analysis and it was not what the forensic researchers were expecting.
ANDY: [MUSIC] Researchers are always looking for answers to this attribution problem; who is behind this cyber-attack, because it’s often very difficult. But there are fingerprints, there are code links, like similar code used in different pieces of malware or infrastructure links. Like, they’re using the same servers as the command and control infrastructure for the attack, that sort of thing. Here, it wasn’t that there were no clues to provide those answers; it was that there were too many and they pointed in every different direction. There were, for instance, code matches with malware from the North Korean group called Lazarus that’s responsible for the Sony attack and lots of other high-profile attacks. This Olympic Destroyer malware had some of the same wiper code as had been used by those Lazarus hackers. Both wiping components, for instance, deleted files by destroying the first 4,096 bytes, for instance, which seems like a real giveaway that this was North Korea.
JACK: Oh, I see; the technique the Koreans used to wipe systems in previous attacks was the same technique used in the Olympic Destroyer malware. Nobody else used that technique, so that shifts the focus back to North Korea. Threat research groups continued to analyze this malware to look for clues.
ANDY: But then at the same time, a security firm called Intezer pointed out that a chunk of the password-stealing code in Olympic Destroyer matched with a different hacker group called APT3 which is widely understood to be Chinese. So, was it North Korea or was it China? Meanwhile, the security firm CrowdStrike found similarities in parts of Olympic Destroyer with a piece of ransomware that Russian hackers had used called XData. [MUSIC] It was just a kind of tangle of forensics with clues pointing in every direction and as soon as you thought that you had come to a conclusion, there was another hypothesis to undermine it. There was just a kind of unprecedented scenario where it seems like the hackers, instead of trying to simply cover their tracks, they had built-in tracks pointing in every direction at once.
JACK: What a wild concept; to build in tracks which leads to many different sources of who this attacker could be. Were all these false flags? Red herrings? Distractions from the truth?
ANDY: There was a whole collection of them. At first glance at least, it was impossible to figure out what was a real clue and what was a false flag.
JACK: As you can imagine, this type of thing happens a lot; hackers typically don’t like being discovered and will hide their tracks with distracting clues and false evidence all the time. Like, they’ll use another foreign language in the code to throw people off, make them think they’re from a different country than they’re actually from. But what was different about this was just the sheer number of false flags and the sophistication of it.
ANDY: One researcher, Silas Cutler at CrowdStrike at the time, described it to me as psychological warfare on reverse-engineers, that it was like every researcher has one clue that they look for as the tell about who is truly responsible for a piece of malware. In this case, you would find that thing and it would still be a lie. There were false clues planted far deeper than anyone had ever seen before.
JACK: How do you find a real clue in a haystack of planted clues? Kaspersky, a Russian cyber-security firm, started looking at the file’s Rich Headers, the part of the file’s metadata that tells you what kind of programming tools were used to make it. That finally got researchers on the right track.
ANDY: Kaspersky tried comparing the Olympic Destroyer header with its database of other malware samples and their headers. It found that there was a perfect match with North Korea’s Lazarus hackers and one of their pieces of data-wiping malware. At first, that seemed like confirmation; this really was North Korea.
JACK: Or was it? One Kaspersky researcher, Igor Sumenkov, happened to have an expertise in these types of Rich Headers, and he took the analysis a step further.
ANDY: [MUSIC] He checked whether this header actually made sense with the contents of the malware and he could see pretty quickly that no, it – this metadata didn’t actually match the data. Someone had forged the Rich Header which is kind of remarkable because it’s like hiding a fake fingerprint in the most obscure possible place in the hopes that some extremely [00:25:00] diligent detective is gonna look in that corner and find it. It almost worked. What Igor Sumenkov had found though was that this means someone was trying to make it look like North Korea. Underneath all of these layers of false flags, he had found one false flag that was provably false, that was clearly forged, and that was an indication that it probably was not North Korea because it would just be too bizarre to imagine that North Korea had forged their own Rich Header to implicate themselves. In some ways, this was the first clue about who might really be responsible.
JACK: Gosh, this is a mind game. North Korea has been known to do some pretty bizarre stuff but I think this is still a little too bizarre even for them to do. This made researchers believe this probably wasn’t North Korea. But who was it? To figure that out, researchers would have to look beyond the malicious file.
ANDY: The real unraveling of Olympic Destroyer only began when an analyst named Michael Matonis, who worked for FireEye, began to look into it. He took a different approach still. Rather than looking at the code or the header or the malware at all, he looked at the delivery mechanism for it. He looked at the infected Word documents that he pulled from VirusTotal that had been used as the vehicle to initially infect the Olympic targets. It turns out that as early as November of 2017, prior to the Olympics, months earlier, the hackers behind Olympic Destroyer were seeding out the malware.
They were doing the typical thing that state-sponsored hackers do to gain a foothold; sending out infected Word documents, attachments designed to give them some sort of code execution on a computer inside a target network. Matonis was able to pull one of those malware-laced Word documents from VirusTotal and examine it. [MUSIC] As researchers typically do, he started searching through his own archive of malware trying to find anything that matched it, and he couldn’t find anything. There was nothing; no kind of clear match, but he did find that there was a collection of files that roughly resembled it that used some of the same hacking tools that seemed to be obfuscated in the same way. When he started to pull apart how that obfuscation worked for each of these suspicious attachments, he saw that they had been created with the same tool called Malicious Macro Generator.
JACK: It looked like the initial infection of the Olympic network began with a phishing e-mail. There was a document sent to a bunch of staffers and if you opened that document, it ran a malicious script or set of macros. Antivirus and operating systems should have stopped the macros from running but these macros were created with a tool called Malicious Macro Generator which tricks the computer into thinking the commands are perfectly fine and allowed and not dangerous. Matonis examined these phishing e-mails and attachments in further detail.
ANDY: He was able to narrow down this big pile of attachments to just a few that all shared these characteristics. Once he started to look at those documents, they began to look rather familiar in their targeting. One seemed to target Ukrainian LGBT activist groups. Others were targeting Ukrainian companies and Ukrainian government agencies. That was the first real red alert moment, something very ominously familiar for him because I think we all know by now that Ukraine is the favorite hacking target of Russia, that Ukraine, in fact, has been digitally and physically abused by Russia for years now since the beginning of the Russian invasion in Ukraine in 2014. Matonis was beginning to find some solid evidence that whoever was behind the Olympic attack had targeted these Ukrainians in the months prior. That is probably not North Korea and it’s probably not China.
JACK: [MUSIC] Matonis was getting closer to figuring out who did this, but the clue that finally closed the case appeared when Matonis started looking at the IP addresses that these malicious Word documents used to communicate with their command and control servers.
ANDY: He would check the domains that these Word documents were designed to phone home to, but then also check every IP address that domain had ever lived at to kind of create this branching forensic chart. A few steps down that tree of connections, he found this one domain, account-loginserve.com. For Matonis who has a kind of photographic memory, this immediately just lit up for him like neon. He recognized that domain immediately.
HOST3: Russian hacking of the 2016 campaign went a lot deeper than previously known. That’s what current and former counterintelligence officials [00:30:00] told congress today.
HOST4: As of right now, we have evidence of twenty-one states or election-related systems in twenty-one states that were targeted.
JACK: In 2016, Russians hacked the US State Board of Elections in a number of states including Arizona and Illinois. The hackers accessed voter rolls for hundreds of thousands of voters. A year later, the FBI put out an alert for this group.
ANDY: The FBI was warning, in this case, that those same hackers were now sending out phishing e-mails and that the domain that they were using was account-loginserve.com. Matonis immediately remembered this and that was the moment for him when all of this came together.
JACK: Both hacks had used the same domain; account-loginserve.com. This meant that whoever owned that domain was responsible for both the hacks on the US State Boards of Election and the 2018 Winter Olympics. This was the smoking gun that tied it all together.
ANDY: Now he could see that the same hackers had shared infrastructure with the attackers who had targeted the 2016 US presidential election.
JACK: This seemed to tip the evidence in one direction; the Russian government was responsible for creating Olympic Destroyer. There may have been clues implicating North Korea and China like IP addresses routed through North Korean servers and code and functionality linked to the Chinese hacking groups, [MUSIC] but fingerprints that matched the targeting of Ukrainian LGBT groups and voter rolls in the US elections; this means more fingers point to Russia than any other suspect. If that’s the case, it meant this was the same group that conducted NotPetya, one of the most extreme cyber-attacks the world has ever seen. This was the hacking group known as Sandworm.
ANDY: It’s quite ironic but in this most-deceptive-ever piece of malware ultimately were the clues that not only identified the perpetrators of this attack as Russian, but also contained in them the identity that would allow the cyber-security community to tie everything from NotPetya to the 2015 and 2016 blackouts in Ukraine to this one group, Sandworm. Olympic Destroyer actually contains in it the seeds of the answer to that larger mystery. Now you can see that in fact this whole chain of Russian cyber-attacks, cyber-war, in fact, has been tied to this one GRU unit. That ultimately is the best working theory we had for a long time about who Sandworm was.
JACK: It was a good theory because in July 2018, the US Department of Justice indicted twelve Russian GRU hackers for interfering with the 2016 US elections. In that indictment, they mention that there were two units within GRU that these hacks were carried out from; Unit 26165 and Unit 74455. The first was blamed for hacking the DNC and the second was blamed for hacking state boards of election. That was the missing piece of the puzzle. Matonis had already connected that whoever hacked the State Boards of Election also conducted Olympic Destroyer, but he did not know which GRU unit did it. Right there in the Mueller Report, it was the first time we learned that Unit 74455 was Sandworm. There was also a Washington Post story that came out which said that anonymous sources told them that Russia hacked the Olympics and tried to make it look like North Korea did it which is just another finger pointing in that direction.
So, almost two years after this happened, still no government has said who was behind this or blamed Russia for attacking a peaceful sporting event.
ANDY: [MUSIC] This is the most vexing part of this story for me. I don’t know, it’s flabbergasting. I don’t understand why a group of hackers were allowed to carry out a sabotage of global, peaceful events, and just essentially get away with it. When it comes to this attack on the Olympics, there has never even been a public statement from a government saying who was responsible.
JACK: So Andy wrote a follow-up piece to this story, an OpEd in the Washington Post titled “We need to hold the Kremlin responsible for its 2018 cyberattack on the Olympics.”
ANDY: And one of the points I made in that OpEd, if nobody condemns this, if nobody shames Russia for this, then we are basically inviting them to try again in 2020.
JACK: Well, as you know, 2020 had different plans for all of us. The Olympics were canceled due to coronavirus, but even if they had been held, Russia was not allowed to compete because they are still banned for doping in Sochi. So now that we’ve gone through all the technical stuff and figured out who did this, I’m still not sure if I fully understand why they did this.
ANDY: They tried to cover their tracks. They weren’t even trying to send a message. They were trying to make sure that a message was not sent, that nobody could trace this back to them.
JACK: Yeah, ‘cause if you’re going to conduct something like this, all you’re doing is making a statement. You’re essentially saying we don’t like that you banned us, but then you try to hide the fact that you made this statement?
ANDY: Was it really just as petty as it seems? [MUSIC] I can’t think of another instance myself when a country has carried out a destructive cyber-attack like this with real global impact just out of a pure toddler emotion.
JACK: Heh, toddler emotion. Is that too strong a way to put it? I thought so, yeah, maybe. But then some major news broke last week.
DOJ: Good afternoon. Today we announce criminal charges against a conspiracy of Russian military intelligence officers who stand accused of conducting the most disruptive and destructive series of computer attacks ever attributed to a single group.
JACK: This announcement was delivered by John Demers, the Assistant Attorney General of the United States, an FBI director, a US Attorney, and an FBI special agent.
DOJ: The defendants in this case were all members of the military unit 74455 of the Russian main intelligence directorate, known as the GRU.
DOJ: Six current and former officers in unit 74455 are accused of the following deceptive and destructive alleged in the indictment. In December 2015 and 2016 the conspirators launched destructive malware attacks against the electric power grid in the Ukraine. From there the conspirators’ destructive path widened to encompass virtually the whole world. In what is commonly referred to as the most destructive and costly cyber attack ever, the conspirators unleashed the NotPetya malware. Rather than express remorse for the damage they inflicted against victims worldwide, the conspirators callously celebrated their success. Next the conspirators turned their sights on the Winter Olympics. The conspirators, feeling the embarrassment of international penalties related to Russia’s state-sponsored doping program, that is cheating, took it upon themselves to undermine the games. Their cyber attack combined the emotional maturity of a petulant child with the resources of a nation state.
JACK: Ooooh, dang. The DOJ whipping out name-calling. And I thought it was harsh when Andy called this an emotional response of a toddler; now the Assistant Attorney General says that Sandworm has the emotional maturity of a petulant child. Oh wow. But it, it’s true. I’m desperately trying to think of another way to view this, but I can’t. Because of all the planning that had to happen here. An attack like this wasn’t just a snap decision, flick of a switch, knee-jerk reaction. No, there were meetings to discuss whether or not to do this, because I’m sure Sandworm has other work to do too. So this was prioritized over all the other stuff they had to do. Then they had to assign a team of people to do this. That team spent lots of time creating phishing emails, identifying targets, and constructing the malware. And while the technical capabilities of the malware weren’t all that sophisticated, it was very sophisticated in all the false flags it had in it. Extracting bits of code from different nations’ malware and putting in fake footsteps. This took months of preparation and cost a significant amount of resources. All for what? Just to get back at them or something? I mean, if you put this in any other context it would absolutely seem crazy. Imagine someone got banned from your local restaurant for stealing food there, and after they were kicked out they spent months exacting revenge, and spending a lot of time trying to make the restaurant fail. We wouldn’t think that person is not ok mentally, right? I want to give Russia the benefit of the doubt and that this wasn’t an insane thing to do, but I can’t find a good reason to believe otherwise.
So Andy, what was your reaction when you saw this news?
ANDY: Well, uh, it was kind of bizarre, kind of gratifying, it was closure in a way. Not only is this the first real accountability that any government has tried to create for Russia after carrying out this attack on the Olympics. It’s the first time that we’ve seen most of these faces, of my book Sandworm, this group of characters that we’ve been tracking for 5 or 6 years, so it’s the coda to the story for me in some ways.
JACK: Yeah, so this indictment lists the names and photos of 6 of the people who carried out this attack. It’s really wild to see pictures of the people who did this.
ANDY: This is one of those remarkable times where you see the extent of the US or five eyes intelligence collection reach that they’re able to get inside of these people’s networks, to hack the hackers, I imagine, to the degree they are able to come up with names and photos and to know exactly who coded what parts of the malware. You know, they, really are up in these people’s systems it seems.
JACK: So this indictment. What does it mean, how does it change anything?
ANDY: Well, it’s the first time any government anywhere in the world has explicitly called out Sandworm for this attack on the Olympics, and tried to condemn them, hold them accountable in some ways, and it’s huge, it’s what has been lacking for more than 2 years.
JACK: The indictment released last week is 50 pages long. It has interesting details of how the hacks took place, and what were all the targets.
ANDY: The thing that really struck me was that among Sandworm’s targets, that we didn’t know about previously, were two timekeeping partners of the Olympics, that were responsible for the actual timekeeping of Olympic events. So what that implies to me is that Sandworm was trying to corrupt the actual sporting events, and not just the WiFi, and ticketing systems and display screens around the venues; they were actually messing with the results of the games, which is kind of almost poetic given how they tried to mess with the results of doping over so many years. This is kind of the digital spoiler equivalent.
JACK: So, they were banned from doping in the Olympics, um, don’t you think with this indictment coming out this will lengthen that ban or make it worse for them?
ANDY: Yeah, I have to imagine that’s true. I mean, they have suffered bans from every other cheating they’ve attempted. And it kind of just goes to show how petty and short-sighted these tactics are. Like, I thought since I started reporting on this story, this is not a smart strategy. You know, Russia doesn’t get anything out of this, they weren’t even sending a message as I said. So it’s just a kind of emotional, knee-jerk response, like let’s mess up this event if we can’t be part of it, and I don’t think they’ll get what they want out of that.
JACK: Some other news came out on the same day as this press conference.
ANDY: We just learned that US intelligence, and UK intelligence, had been tracking attempts, reconnaissance who were preparing to carry out a similar sabotage of the 2020 Olympics in Tokyo, which is what you expect if nobody holds them responsible or shame them for the first one. And that cyber attack may have been avoided only because the Tokyo Olympics were delayed because of the global pandemic.
JACK: So is calling them a petulant child enough to stop them from attacking next year’s Olympics? I hope so. Because the US can’t go into Russia and arrest these people, it’s just impossible, I mean Russia doesn’t cooperate with the US like that, and especially when the people are working for the Russian government conducting official orders. But if there is any attack on next year’s Olympics, Russia will certainly be the first suspect to be investigated.
ANDY: What’s scary to me about the Olympic cyber-attack is not just that it [MUSIC] almost threw this huge, globally-observed event into chaos, but also that it shows an evolution in deception. Sandworm has been evolving its disruptive capabilities but it’s also been evolving its deceptive capabilities. This was the moment when they were experimenting, trying out wearing not just the mask, but layers of masks to try to make it truly impossible to forensically determine who was behind this attack. I think that it’s just gonna get worse, that we’re going to see more innovation in false flags in years to come. It may come to a point where we are, at some point, truly fooled so we can’t get a definitive answer about who was responsible for an attack.
JACK: Hmm, imagine that. A false flag so good that a country falls for it, and blames the wrong country for the attack. And what kind of consequences would come from accusing a nation of doing something they didn’t actually do. Get ready, our future is going to be weird.
(OUTRO): [OUTRO MUSIC] A very big thank-you to Andy Greenberg for sharing the research he’s conducted on this. But this story is actually part of a bigger story around the hacking group Sandworm. Andy wrote a whole book about this hacking group. The book is called Sandworm and the paperback version just came out this month. I read every page and I just couldn’t put it down. I absolutely loved it. If you like this podcast, you will love the book Sandworm. I’ll have an affiliate link to the book in the show notes. This show is made by me, the good rabbit, Jack Rhysider. This episode was produced by Eileen Guo and Ilana Strauss. Original score and sound design by Garrett Tiedemann, editing help this episode by the super-duper Damienne. Our theme music is by the mysterious Breakmaster Cylinder. Even though a few hours of trial and error will always save you a few minutes of looking at the manual, this is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]