Show Notes 

COLD OPEN

On June 27th, 2017, Sergei Goncharov was walking back to his office after lunch. A few miles away, the sun glared off New Safe Confinement. It’s a massive steel structure, taller than Notre Dame Cathedral or the Statue of Liberty. 

Staff call it “the Arch.” Underneath the Arch is a not-quite-as massive concrete sarcophagus, built in the 1980’s. And underneath that is what used to be Reactor 4 of the Chernobyl Nuclear Power Plant.

It’s the same reactor that exploded in 1986, spewing Caesium and other radioactive isotopes into the atmosphere, poisoning the soil, mutating the wildlife, and giving so many people cancer that we’ll never truly know the number.

As Sergei made the short walk back from the cafeteria, robots inside the Arch were carefully disassembling the wreckage of Reactor 4. Like they do every day, and will until at least 2064.

June 27th was a Tuesday. It was also the day before Constitution Day. For many Ukrainians, Constitution Day was the start of a long holiday weekend, maybe even a vacation.

But not for Sergei or his colleagues.  They had to stay vigilant. 

Sergei was Chernobyl’s IT director. When Sergei got back to his office, his cell buzzed. It was the Arch’s main control center. 

Uh, Sergei? There’s something wrong with the computers. Our screens are going black and when we reboot there’s this weird…message on them

They texted Sergei a photo of a computer screen. It was all black except for red text. 

Oops, your important files are encrypted. It said. If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our encryption service.

Sergei recognized what it was: a ransomware attack. It wasn’t exactly uncommon to folks in the IT trade. But Sergei knew it could be devastating.

He ran into the next room, where his systems administrators all sat looking at their computers in shock. 

Sergei and his team watched in horror as the malware spread quickly through Chernobyl’s thousands of computers.

They only had one option. Sergei picked up the intercom that reached each of the dozens of buildings in the Chernobyl complex and pressed the button. 

To all staff members, immediately turn off computers and unplug network cables. Await further instructions. 

Across Chernobyl, workers obeyed. Sergei prayed it would contain the spread. But the computer outage was just one piece of shit hitting the fan. Without computers, they couldn’t monitor the site’s radiation levels. They had no way of knowing if Chernobyl was leaking lethal doses of radiation into the countryside. 

Without computers, it might as well have been 1986 again.

Sergei’s first phone call was to the cybersecurity company that Chernobyl hired to protect its network. The security analyst answered on the first ring. 

We’ve been hit with ransomware, Sergei began.

But before he could continue, his counterpart cut him off.

Everyone’s been hit. All over the country. Even us.

This ransomware was spreading across Ukraine in the blink of an eye. Sergei realized that Chernobyl wasn’t even the target. 

His mind was full of questions. Do they pay the ransom? In the meantime, how would they monitor the radiation levels? And most of all, who the fuck was behind the attack?

At the site of Ukraine’s worst disaster of the 20th century, Sergei began to understand that his country was in the middle of its worst disaster of the 21st century.

On this episode: Russia vs. Ukraine, cyberwarfare, and giant Sandworms. I’m Keith Korneluk and this is Modem Mischief.

Introduction

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of NotPetya.

ACT ONE

Three years earlier, a group of anxious Ukrainian soldiers watched two green trucks drive up to the gate of their base. 

Over a dozen men climbed out of the trucks. They were all armed with assault rifles and shotguns. All dressed in uniforms the same shade of green as the trucks, but without insignias to identify where they came from. All of their faces were covered, hiding their identities. 

The commander of these unknown soldiers looked up at the watchtower.

Surrender this base, or we’ll take it by force.

The Ukrainian watchtower guard made no reply. As ordered.

The man who gave that order was inside the base’s headquarters, Colonel Andrey Andreyushin. He knew this day was coming. All his men did. 

All over the Crimean Peninsula, groups of these mysterious green-uniformed soldiers were systematically taking over Ukrainian military and government facilities, mostly without even firing a shot. Had been for weeks. Right here in Simferopol, they had taken the civilian and military airports, local parliament offices, and an army base.  

Col. Andreyushin was in charge of a facility used for mapping. Its official name was the 13th Photogrammetric Center of the Central Military-Topographic and Navigation Administration. It wasn’t even strategically important. But it was a military facility, one of the few in Crimea still under Ukrainian control.  

The colonel was determined not to let his base fall into enemy hands. 

Outside, the green-uniformed soldiers were all arranged in defensive positions behind their trucks. The Ukrainian soldiers manned the walls. Both sides gripped their weapons tightly, waiting for someone to make the first move.

Suddenly, one of the green soldiers raced toward the walls and started climbing. 

Stay the fuck back! The guards on the watchtower yelled.

The green soldier kept climbing.

Then, his comrades opened fire. The Ukrainians shot back.

SFX: gunfire.

The green soldier fell from the wall. A watchtower guard took a bullet in the neck.

The green trucks roared forward and smashed through the gates of the base. Green soldiers stormed in behind them, pausing only to shoot. 

The Ukrainians were outnumbered and outgunned. Some threw down their rifles and surrendered. Others ran to the cartography center’s second floor, where they barricaded the doors to make their last stand.

The green soldiers stormed into the headquarters building, pointing their AKs and shotguns in the Colonel’s face.

The masked commander approached. Tell the rest of your men to surrender.

The Colonel looked him in the eye. I want your guarantee we all leave with our lives.

The two commanders hammered out the details. Ambulances were allowed to approach and treat the casualties. The soldier who scaled the walls was dead, as was the Ukrainian watchtower guard. It was Warrant Officer Kokourin, the colonel learned. Kokourin had a wife, son, and unborn child at home. The colonel would see to it that Kokourin got a medal.

Several hours later, Colonel Andreyushin and his men exited the base into the streets of Simferopol. They had given up their weapons, their identifying documents, even the cash in their wallets.

Behind them, the green soldiers raised the Russian flag over their base.

Who were these men in green, and where did they come from? Clearly they had some tie to Russia, but whether they were Ukrainians with Russian sympathies, or actual Russians, was up for debate.

Weeks earlier, Russian President Vladimir Putin held his annual four-hour Q&A session with the Russian public. It’s designed to make him appear accessible, but all the questions are carefully vetted beforehand.

One Russian citizen asked Putin who the green soldiers were.

Putin shrugged. Ukrainian self-defense militias, he said. 

For the past two years, Ukraine had been in the throes of a pro-democratic, pro-Western revolution that had just removed the corrupt, pro-Russian president Viktor Yanukovich from power. 

To the best of Putin’s knowledge, these militias were just ordinary Ukrainian citizens worried about the direction of their country. So, they went to their local military surplus stores, bought up some used gear, and took matters into their own hands.

Almost nobody believed him. Shortly after Putin’s remarks, a magazine in Finland identified the gear these soldiers were carrying. It was the same kit used by the Russian military.

In the coming weeks, these green-uniformed not-officially-Russian soldiers continued to hold the Crimean Peninsula hostage. For people in cities like Simferopol and Sevastopol, the men in green became a familiar if unnerving sight.

They nicknamed them “little green men,” like the plastic soldier toys. It was an ironic joke, since they were so obviously Russian. 

Then, the next month, more of these little green men poured into Ukraine, this time in the country’s Donbas region in the east. There, they teamed up with separatist groups who wanted to break away from Ukraine and join Russia. Ukraine sent in the military, and the situation escalated into violence.

Ukrainians everywhere knew what this was: a Russian invasion in everything but name. Putin could deny it all day long, but the events in Crimea and Donbas followed a pattern of Russian aggression just too closely for it to be a coincidence.

Ukraine has only existed as an independent nation since 1991. Before that, it had been under Russian control since the 18th century. Ukraine has always been home to a strong nationalist movement, but when the Soviet Union collapsed, independence finally happened, for real. 

At first, Ukraine’s future looked promising. In the 1990’s, Ukraine’s economy flourished, and the country even flirted with joining NATO, the military treaty organization led by the US, the UK, and most other European democracies.

To Vladimir Putin, Ukraine joining NATO was unacceptable.

Putin counts himself among the Russians who believe Ukraine has always been part of Russia. To him, the collapse of the Soviet Union and Ukraine’s prosperity were a geopolitical humiliation. 

The Soviet Union used to be one of two world powers. Now its former subject countries were breaking away. 

First Ukraine wanted to join NATO. Now Yanukovich was removed from the presidency. 

If Putin wanted Ukraine under Russian control, he had to act now. 

Problem was, in 2014 at least, an outright military invasion was off the table. Even if Ukraine wasn’t part of NATO, Russia couldn’t invade a sovereign country without an international outcry. 

On top of that, it was doubtful whether Russia could even afford an invasion big enough to take Ukraine. 

Russia’s GDP is less than Italy’s or Canada’s. Conquering Ukraine would require hundreds of thousands of soldiers, who would need to be fed, equipped, and supplied for months, if not years.

So, the deluxe military intervention was out of Putin’s price range.

Instead, he would have to settle for the more affordable model: asymmetrical war on a much smaller scale, using unconventional techniques. 

Like sending little green men into Crimea and Donbas. 

It wasn’t until 2015, more than a year after the violence in Crimea and Donbas began, that Putin finally admitted the truth. The little green men were, in fact, Russian special forces operatives within the GRU, Russia’s military intelligence organization. 

This time, Putin explained that he sent in his special forces only to stop Ukraine from committing genocide against its Russian-speaking citizens.

Another weapon in Putin’s asymmetrical warfare arsenal? Cyberattacks.

At the same time the little green men arrived in Ukraine, hackers were relentlessly attacking Ukraine in cyberspace. They took down telecommunications networks in Crimea and Donbas. Ukrainian government and business websites were hit with Denial of Service attacks. Hundreds more had sensitive documents stolen. Putin’s hackers even tried to disrupt Ukraine’s 2014 presidential election, but Ukrainian cybersecurity experts stopped them at the last minute. 

It was clear these attacks originated from Russian IP addresses. But once again, Putin denied Russian involvement. He claimed these cyberattacks were the work of patriotic hackers who had taken it upon themselves to volunteer for a cyberwar. He’d said the same thing about other cyberattacks in Estonia, Lithuania, Georgia, and Syria.

Little green men, patriotic hackers, it was all a smokescreen. By denying responsibility and offering an alternative narrative, Putin was attempting to create confusion among his opponents. In theory, this allows him to stay one step ahead of them. 

In reality, the international cybersecurity community was already tracking various Russian government hacking groups, like the FSB’s Cozy Bear, and the GRU’s Fancy Bear—and we covered Fancy Bear in Episode 18 which you should check out.

But the cyber attacks in Ukraine were different. 

The hackers created a PowerPoint document with a list of supposed pro-Russian Ukrainian terrorists. Then, they emailed it as an attachment to hundreds of Ukrainian businesses and government agencies. When the file was downloaded, it would install malware called BlackEnergy. 

BlackEnergy was created in 2008. It was normally used to issue Denial of Service attacks, rendering computers inoperable. 

But these hackers repurposed it. Their version of BlackEnergy allowed remote access to an infected computer, allowing a hacker to steal documents or even take control of the system.

After the cyberattacks in Ukraine began, analysts at the Maryland-based cybersecurity company iSight spent weeks decrypting this new BlackEnergy variant until they arrived at the source code. They combed through the ones and zeros until they found a word they recognized: 

Arrakis02.

Arrakis is the setting of Frank Herbert’s 1965 novel Dune. Soon, they found more Dune references. There was HouseAtreides94, the last name of Dune’s protagonist, Paul. The references got more obscure: BasharoftheSardaukars, SalusaSecundus2.

Whoever these hackers were, they were clearly big Dune fans.

This wasn’t the work of Cozy Bear or Fancy Bear. It was a new group of Russian hackers, most likely part of the military. 

iSight published its findings. Since iSight discovered this hacking group, they had the honor of naming it. They went with: Sandworm, in honor of the giant, carnivorous worms that roam Arrakis beneath the surface. 

This new group, Sandworm, was just as sophisticated as Fancy Bear or Cozy Bear. But it was even more vicious. 

And Sandworm was just getting started.

As Russia’s proxy war with Ukraine continued, Sandworm continued launching its cyberwar on the country.

In October 2015, it took down Ukraine’s biggest TV network, StarLightMedia. Then, two days before Christmas, 2015, Sandworm hacked the capital Kyiv’s power grid. Using another BlackEnergy variant called KillDisk, Sandworm hacked into three separate power companies and shut off the power for 230,000 people. Engineers scrambled across Kyiv to reset the circuit breakers. It took six hours to get the power back on, in the middle of winter.

Much of Kyiv’s power grid was still using Soviet-era hand-operated circuit breakers.  If these had been fully computerized, the cyber attack could have wiped out the grid for much longer. Ironically, Ukraine’s outdated technology was a plus. 

It was the first known cyberattack on any country’s physical infrastructure, but it wouldn’t be the last. 

Sandworm continued its attacks throughout 2016, targeting Ukraine’s national pension fund, the treasury, the seaport authority, and the ministries of infrastructure, defense, and finance. In December, Sandworm once again hit Kyiv’s power grid, taking out an entire transmission station with a malware called Industroyer. 

The Ukrainian government struggled to keep up. 

At the time, Ukraine’s government agency tasked with defending the country against cyberattacks was the National Cybersecurity Center. 

At least officially. Really, the NCC’s job was to coordinate between several smaller agencies that handled different parts of cyberdefense. It had no jurisdictional authority over any of them. The best it could do was try to coordinate. 

Ukraine’s cybersecurity community pleaded for a beefed up cybersecurity agency. But the government was preoccupied with the proxy war in Donbas. 

So far, the cyberattacks hadn’t caused any major disasters. But they were a message. A constant reminder that Ukraine was vulnerable, that its government couldn’t protect its citizens, online or IRL. 

As the Ukrainian cybersecurity community investigated these attacks, they concluded that most of them weren’t as destructive as they could have been. The 2015 StarLightMedia attack didn’t fully wipe out the backup servers. The 2015 and 2016 power grid attacks only targeted portions of the grid.

It was like all these cyberattacks were practice runs. They didn’t know for what, but they knew it could be worse than anything they’d ever seen.

In early 2017, Sandworm’s commanding officer, Colonel Aleksandr Osadchuk, arrived at his office on 22 Kirova Street. It’s a 25-story office building in suburban Moscow, made up of mirrored glass windows that make it impossible to see what’s going on inside.

The 55-year-old GRU colonel sat down with a group of his much younger hackers. The ones with crewcuts were career soldiers, trained to hack since their teens. The ones with slightly longer hair were former civilian hackers whom the GRU “convinced” to serve their country, in order to avoid a jail sentence. 

What do you have for me? The Colonel asked.  

One of his hackers, Pliskin, opened up his laptop.

The colonel didn’t like Pliskin. He was one of the long-haired. He was also the one who put references in their code to his favorite goddamn science-fiction novel. An American one, no less. 

We’ve been working on a new piece of malware, even more destructive than BlackEnergy. It’s based on Petya.

Pliskin pulled up some code on his laptop and explained.

Petya was a piece of ransomware that surfaced in 2016, created by a Russian hacker nicknamed Janus Cybercrime Solutions—apparently just an ordinary criminal hacker and not one employed by the Russian government. They named their malware “Petya,” after the fictional weaponized spy satellite in the 1995 James Bond film GoldenEye.

Petya worked by encrypting a computer’s Master Boot Record, or the directory that contains its operating system. Essentially, it locked a user out of their own computer with encryption that was impossible to break. The victim had to pay a ransom in bitcoin to unlock their computer again. 

But ours is different, Pliskin continued. Ours will leave no way to unencrypt the hard drive, whether they pay or not.

The colonel smiled. Pliskin came with his aggravations, but he had his uses, too. 

In the following months, Pliskin and his colleagues would lay the groundwork for the debut of their vicious new malware. 

Like the sandworms in Frank Herbert’s novels, the Russian hackers were lurking just out of view, waiting for the right moment to strike.

ACT TWO

SFX: crowded market

Chicken, fish, salad stuff, melons…what else?

Oleg Derevianko was going over his shopping list inside Bessarabska, Kyiv’s large indoor market that opened in 1912.

It was the day before Constitution Day 2017, and unlike Sergei Goncharov at Chernobyl 60 miles to the north, Oleg was taking a vacation. He and his wife were taking the kids to his parents’ village, about three hours’ drive away.

Oleg was the co-founder of Information Security Systems Partners, a Ukraine-based cybersecurity firm. This meant that for the past three years, he had been in constant battle with Russian hackers, who targeted his many clients.

So Oleg was looking forward to a few days at his folks’ place, far the hell away from Kyiv and the ongoing cyberwar.

As Oleg was reaching for some bread, the phone rang. He answered.

The voice was unfamiliar. It was an employee of a telecommunications company, which handled the IT systems for Oschadbank, Ukraine’s largest state-owned financial institution. 

Oschadbank wasn’t one of ISSP’s clients, but they were desperate for help. The bank was hit by what looked like a ransomware attack.

Oleg saw this stuff on a daily basis. Nothing he needed to handle personally. He agreed to hand it off to one of his few analysts still in the office, Alexei, and continued his shopping. 

A few hours later, Oleg and his family were on the road when the phone rang again. It was his business partner, Roman Sologub. Roman was supposed to be on vacation with his family in Turkey.

Where the fuck are you? Roman began. I’ve been on the phone all day with clients. Everyone’s systems are down. I’m lucky I even got through to you.

Oleg pulled off at the next exit, which had a roadside restaurant where he prayed the WiFi still worked. Thankfully, it did.

Alexei had emailed him more details about the Oschadbank cyberattack, including a breakdown of the malware responsible.

To Alexei, the malware was a lot like Petya, the ransomware that first arrived on the scene the year before. The program would prompt the user to reboot their computer. Once they did, it would display an error message, saying the entire hard drive had been encrypted. The victim had to pay $300 in bitcoin to retrieve their data.

But there was one difference. This malware wasn’t ransomware. One of ISSP’s clients actually paid the $300 bitcoin, and nothing happened.

This wasn’t about money. This was about destroying computers.

Oleg knew his vacation was over.

Around six p.m., Oleg went back to the car and his very patient wife and kids. When he tried to gas up and finish the drive, he discovered that the digital fuel pump was offline. So were all the ATMs in the area. With no cash, Oleg was unsure if he had enough gas to make it to his parents’ village. 

They made it, just barely. Minutes after arriving, Oleg quickly said goodbye to his wife and kids and left. He checked in at a hotel 10 miles away, the only one in the area with working WiFi. He would spend the rest of his holiday there.

All across Ukraine, cybersecurity experts and IT administrators like Oleg Derevianko were having similar Tuesdays. All across Ukraine, computers were hit with the exact same malware, designed to look like ransomware, but in fact a computer-destroying worm. 

Oschadbank was just one of 22 banks across Ukraine that went down on June 27th, along with all their ATMs and card payment systems. 

The attack spread to airports, power companies, and hospitals. Internet service providers, telecommunications companies, and media corporations. Hundreds of private businesses. Practically the entire federal government went down. Ukraine’s Ministry of Health pre-emptively took all its computers offline to avoid an infection. 

Ukrainians couldn’t buy gas, get money from ATMs, buy groceries, pay their bills, or any other daily activity that relies on computerization. 

The dangerous malware first emerged in the early morning hours of June 27th, when it hit Ukrainian power companies. 

Ukraine’s National Cybersecurity Center got wind of the malware at about 10:00 am. It tried to coordinate with its many affiliated agencies. But this new malware worked too fast for that.  

With Ukraine’s government slow to respond, private cybersecurity firms from Ukraine, Europe, and the US stepped in to provide answers.

Many first suspected it was another outbreak of Petya. But by 10:30 a.m. on June 27th, the Russian cybersecurity firm Kaspersky posted definitive proof that this wasn’t Petya. Kaspersky referred to it as “NotPetya,” and the name stuck. 

Shortly before noon, Ukraine’s Cyber Police Department determined who was Patient Zero, the origin of the spreading NotPetya worm.

NotPetya was hidden inside an update file for M.E.Doc (pronounced “Me doc”). It was tax preparation software, like Ukraine’s version of TurboTax or Quicken. At the time, M.E.Doc was installed on more than a million computers across Ukraine. 

Somehow, the hackers had infiltrated the servers for M.E.Doc’s parent company, Linkos. When Linkos recently issued an update for M.E.Doc, the company sent NotPetya out to more than a million computers. 

Worst of all, unlike Petya, NotPetya didn’t even need a user to open an email. It worked entirely on its own. 

Linkos was a small, family-owned company, run by Sergei Linnyk and his daughter Olessya. Sergei had created the company’s original accounting software in the early 1990’s, and Olessya had grown the business into what it was today. Sergei and Olessya issued a frantic press release, claiming that they were victims along with everybody else. 

Kaspersky and other cybersecurity companies dissected NotPetya and determined how it worked. NotPetya was made up of two main components. 

The first was EternalBlue. This was a zero-day exploit targeting Windows operating systems. A zero-day exploit is hacker slang for a vulnerability in a program or operating system that the developers themselves aren’t yet aware of.

But this one was reportedly developed by the NSA. In 2016, a mysterious hacking group called the Shadow Brokers leaked EternalBlue online, allowing hackers around the world to make use of it. 

The incident was a huge embarrassment for the agency. The NSA quickly tipped off Microsoft about EternalBlue, admitting that it had hacked the company’s operating system years before. 

Soon, Microsoft issued a software update closing the flaw that EternalBlue exploited. So technically by the time NotPetya hit, it wasn’t a zero-day exploit any more.  

Even so, thousands of computers in Ukraine and elsewhere hadn’t updated their operating systems. The day NotPetya arrived, they were running vulnerable operating systems. 

The other component of NotPetya was a program called Mimikatz. It was created in 2007 by French software engineer Benjamin Delpy. Delpy had discovered a vulnerability in Microsoft’s operating system, where the computer’s memory stored all the usernames and passwords entered on the machine. EternalBlue gave the hackers access to a machine, and Mimikatz snatched up the sensitive information.

When Delpy created Mimikatz, his intentions were pure. He only wanted to alert Microsoft to a security risk. Microsoft ignored him, so Delpy released Mimikatz online as an open-source program. If Microsoft wouldn’t fix their vulnerability, Delpy figured that giving it away would force them to. 

But the worst part about NotPetya was how quickly it spread. Once inside a system, NotPetya would infect all linked computers in a matter of seconds. IT professionals like Oleg Derevianko barely had time to register a NotPetya infection before it had already infected every computer in their network.  

Once NotPetya did infect their network, it couldn’t be reversed. It had no cure.
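Why the two components together were so much worse than either alone, as an added example that is not from the episode or from any NotPetya analysis it mentions: a toy propagation model over a constructed five-host office network with the two paths the episode describes, an unpatched SMB flaw (EternalBlue, closed by Microsoft's MS17-010 update) and credentials harvested from memory on hosts already taken (the Mimikatz technique). Host names, accounts and links are all made up for the example; it is a model of spread, not the malware.

```python
# Added example, not code from the podcast or any source it cites.
# Models worm spread over a constructed network via two paths:
#   1. exploit path: the next host has not applied MS17-010 (EternalBlue)
#   2. credential path: an account already harvested from memory on a
#      compromised host has admin rights on the next host (Mimikatz)
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    patched: bool                                  # MS17-010 applied?
    logged_in: set = field(default_factory=set)    # accounts whose creds sit in memory
    admins: set = field(default_factory=set)       # accounts with admin rights here


def spread(hosts, links, patient_zero):
    """Breadth-first propagation from patient_zero.
    Returns the set of compromised host names."""
    compromised = {patient_zero}
    stolen = set()                                 # credentials harvested so far
    queue = deque([patient_zero])
    while queue:
        cur = queue.popleft()
        stolen |= hosts[cur].logged_in             # harvest whatever is in memory
        for nxt in links.get(cur, ()):
            if nxt in compromised:
                continue
            via_exploit = not hosts[nxt].patched
            via_creds = bool(stolen & hosts[nxt].admins)
            if via_exploit or via_creds:
                compromised.add(nxt)
                queue.append(nxt)
    return compromised


def build_network(patch_legacy_server, unique_local_admins):
    """Constructed network (hypothetical). A is the accountant's PC where the
    poisoned M.E.Doc update lands; B is a legacy file server that may have
    missed MS17-010; C and D are patched; E is patched with its own admin.
    With shared local admins every host uses the account 'localadmin'."""
    la = (lambda h: f"la-{h}") if unique_local_admins else (lambda h: "localadmin")
    hosts = {
        "A": Host("A", True, logged_in={"acct", la("A")}, admins={la("A")}),
        "B": Host("B", patch_legacy_server, logged_in={"da"}, admins={la("B"), "da"}),
        "C": Host("C", True, logged_in={"user1"}, admins={la("C")}),
        "D": Host("D", True, admins={"da"}),
        "E": Host("E", True, admins={"ops"}),
    }
    links = {"A": ["B", "C"], "B": ["A", "D"], "C": ["A", "D"],
             "D": ["B", "C", "E"], "E": ["D"]}
    return hosts, links


def run(patch_legacy_server, unique_local_admins):
    """Sorted list of hosts compromised under one combination of controls."""
    hosts, links = build_network(patch_legacy_server, unique_local_admins)
    return sorted(spread(hosts, links, "A"))


if __name__ == "__main__":
    for patched in (False, True):
        for unique in (False, True):
            print(f"patched={patched!s:5} unique_admins={unique!s:5} ->",
                  run(patched, unique))
```

Patching the legacy server alone still loses four of five hosts, because the shared local admin account carries the worm across patched machines; unique admins alone still lose the unpatched server and everything its domain admin reaches; only both controls together stop it at patient zero.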

Ukrainian society scrambled to contain the damage. But like those clouds of radioactive Caesium spewing out of Chernobyl 30 years earlier, NotPetya didn’t care about national borders. 

Within hours, NotPetya would spread beyond Ukraine and around the world. It hit the pharmaceutical company Merck. As a result, Merck couldn’t produce vaccines like Gardasil 9, which prevents certain cancers and human papillomavirus. Merck was forced to ask the Centers for Disease Control to borrow back some of its reserve supply just to meet demand. 

NotPetya hit FedEx’s European subsidiary, TNT Express; it hit Nabisco and Cadbury’s parent company Mondelez; it hit the French construction company Saint-Gobain; it hit the English manufacturer Reckitt-Benckiser, which makes Durex condoms and Lysol disinfectant, among other things.

Even Russian companies weren’t immune to NotPetya. The state-owned oil company Rosneft went down, as did steelmaker Evraz, and the medical technology company Invitro. 

Finally, there was Maersk. Even if you’ve never heard of the company Maersk, you know of Maersk. The Denmark-based shipping conglomerate is one of the largest companies in the world, responsible for one fifth of the world’s shipping. There’s a good chance that several of the items in your home arrived in one of Maersk’s signature Triple E Class shipping vessels, which are as big as the Empire State Building, and can carry another Empire State Building.  

Maersk has 72 ports around the world. One is in Odessa, about 300 miles south of Kyiv, on Ukraine’s Black Sea coast. Earlier that summer, a financial executive in Odessa asked a member of his IT department to install a copy of M.E.Doc on his computer.

On June 27th, from that one computer in Odessa, NotPetya quickly spread to Maersk’s corporate headquarters on Copenhagen’s harbor. There, Maersk employees sprinted through the halls, yelling for their coworkers to unplug from the network.

The company’s IT headquarters was 800 miles away, in Maidenhead, England. It was clear that NotPetya was too infectious and aggressive to stop. Maersk’s best option was to unplug its entire global network.

But this still took two hours, and by then the damage was done. NotPetya completely bricked 49,000 laptops belonging to employees all around the world, turning them into useless hunks of plastic and silicon. More than half of the company’s 6,200 servers were destroyed. Even worse, all 1,200 of the company’s internal applications were inaccessible, and over 1,000 were wiped entirely. Even if Maersk employees somehow could unlock their computers, they would still be unable to run their day-to-day operations.

Another of those 72 Maersk ports is in Elizabeth, New Jersey. It’s located on a one-square-mile manmade peninsula that juts out into the Atlantic Ocean. On a typical day, tens of thousands of shipping containers pass through the docks, where two-hundred-foot cranes load and unload them and send them on to their destinations. 

By 9 a.m. on the morning of June 27th, New Jersey-time, NotPetya had already been rampaging through Ukraine for more than eight hours. 

On that morning, Pablo Fernandez was sitting behind the computer at his desk in one of Maersk’s office buildings at the port. He was a freight forwarder. Basically, his job was to make sure that Maersk got cargo from point A to point B.

But that day, Pablo’s phone began ringing. It was an irate representative from one of the cargo owners.

My drivers are telling me they can’t get through the terminal. What the hell is going on over there? He’s got perishable food items.

Pablo looked out the window, where he could see the massive cargo terminal. It was completely offline. Hundreds of trucks were backed up outside the terminal, stretching for miles. 

Pablo tried to get in touch with his superiors at Maersk, but none of his calls connected. All through that day he would receive just one official email from the company, a panicked missive from someone’s personal Gmail account. All it really said was that the company’s network was down. No shit. As for what to do about it, Pablo was on his own.  

Pablo didn’t have time to wonder why the terminals were down. Every minute his cargo sat on the trucks was costing the company hundreds of thousands of dollars. He had to find alternate shipping arrangements, and if not that, he had to find a place to store all this stuff until it could be shipped.

The same situation played out at Maersk’s ports all around the world. In Algeciras, Spain, in Los Angeles, in Rotterdam, in Mumbai.

NotPetya accomplished its goal by throwing Ukrainian society into chaos. But NotPetya was much more destructive than its makers intended, and the world was paying the price. 

ACT THREE

In the weeks and months following the Chernobyl meltdown in 1986, the Soviet Union gathered an enormous cleanup force of at least 600,000 people and brought them to the site. These firefighters, miners, engineers, soldiers, police, cleaners, and medical personnel were called “the liquidators,” and they were tasked with containing the spread. Exposure to radiation gave many of them life-threatening illnesses. 

Just over 30 years later, companies like Maersk were employing a similar strategy to clean up the mess created by NotPetya. In the days and weeks after NotPetya first hit Maersk’s global network, the company flew hundreds of its IT personnel into its IT headquarters in Maidenhead, a town in Berkshire, west of London.

Four hundred IT staffers from all around the world crowded into the Maersk IT offices, grabbing whatever corner was available and getting to work. Every hotel, motel, hostel, B&B, and spare room in town was booked, and many IT people just slept under their desks. 

In charge of this small army was Maersk’s IT director, Adam Banks. He had just come home from his honeymoon when NotPetya hit. 

It was clear to Banks and his team that there was no undoing NotPetya. Decrypting just a single infected computer would take several weeks, if it could be done at all. Maersk didn’t have the time to decrypt its entire network.

Instead, they would have to rebuild their network from scratch. 

Only they didn’t have time for that, either.

Crucially, NotPetya had wiped every one of Maersk’s Active Directory domain controllers. Active Directory is the directory service at the heart of a Windows network: it holds every user account, password hash, group, and machine identity, and every login and permission check runs through it. Without a single surviving copy, rebuilding it would mean recreating tens of thousands of identities by hand, which would take weeks if not months. And the countless documents that had been lost would still never come back.

Adam looked at his assembled staffers. See if anyone in the company hasn’t been infected yet, he told them.

Using their personal devices and email accounts, staffers reached out all around the world. Soon, one of them got a response.

Adam? One office was unhit. Ghana.

When NotPetya struck, a power outage had knocked Maersk’s office in Ghana offline. Its domain controller was disconnected from the network at the very moment the worm was spreading, so it was never infected. It was a miraculous stroke of luck: the only surviving copy of Maersk’s Active Directory in the world.

Getting it to England was its own problem. Nobody in the Ghana office held a visa for the United Kingdom, so Banks arranged a relay: a Ghanaian staffer flew the drive to Nigeria and handed it to a colleague who carried it on to Maidenhead. Nobody had to remind them of the gravity of the situation.

Many hours of flights later, the exhausted employee arrived, gingerly carrying a hard drive with the surviving domain controller’s data on it. They were in business.

Almost.

Next, Banks and his global team of IT staffers had to buy up as many laptops as possible and rebuild each one with a clean Windows image joined to the recovered Active Directory. They also bought up every available USB stick to carry that image from machine to machine, but it was far too few. Banks even tried to work out a bulk purchasing arrangement directly with the USB manufacturers, without success.

It took five long days to bring up enough computers just to get the company’s core functions back online and resume shipping operations. It took four weeks in all to get the company’s 49,000 laptops back online, and even longer to restore its thousands of destroyed applications.
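The lesson a practitioner takes from the Ghana story is that an identity directory with no isolated, restorable copy is one outage away from being unrecoverable. The script below is an added example, not Maersk’s tooling and not from the podcast: it asks the questions Maersk would have wanted answered before June 27th. It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM access to each domain controller, and the Windows Server Backup feature (its WindowsServerBackup module and the Get-WBSummary cmdlet) installed on the domain controllers; the seven-day age limit is an assumed policy value.

```powershell
# Added example (not from the podcast, not Maersk's code): "could we rebuild
# Active Directory tomorrow?" checks for the current domain.
# Assumptions: RSAT ActiveDirectory module here, WinRM to every DC, and the
# Windows Server Backup feature on each DC. $MaxBackupAgeDays is an assumed policy.
param(
    [int]$MaxBackupAgeDays = 7
)

Import-Module ActiveDirectory

# Every writable domain controller in the current domain.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
$findings = @()

# Check 1: geographic separation. If every writable DC sits in one AD site,
# one power cut, one subnet, or one worm reaches all of them at once.
$sites = @($dcs | Select-Object -ExpandProperty Site -Unique)
if ($sites.Count -lt 2) {
    $findings += "All $($dcs.Count) writable DCs are in site '$($sites -join ',')'; no separation."
}

# Tombstone lifetime: a system-state backup older than this cannot be restored
# into a live forest, so it is the hard ceiling on useful backup age.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tombstone = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

# Check 2: per-DC backup age and backup target.
foreach ($dc in $dcs) {
    try {
        $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup
            Get-WBSummary | Select-Object LastSuccessfulBackupTime, LastBackupTarget
        }
    } catch {
        $findings += "$($dc.HostName): could not query backup state ($($_.Exception.Message))."
        continue
    }

    $last = $summary.LastSuccessfulBackupTime
    if (-not $last -or $last -eq [datetime]::MinValue) {
        $findings += "$($dc.HostName): no successful backup on record."
        continue
    }

    $ageDays = ((Get-Date) - $last).TotalDays
    if ($ageDays -gt $tombstone) {
        $findings += "$($dc.HostName): last backup is $([int]$ageDays) days old, past the tombstone lifetime ($tombstone); unrestorable."
    } elseif ($ageDays -gt $MaxBackupAgeDays) {
        $findings += "$($dc.HostName): last backup is $([int]$ageDays) days old (limit $MaxBackupAgeDays)."
    }

    # A backup target reachable with domain credentials is reachable by anything
    # that has stolen domain credentials. At least one copy must be offline.
    if ("$($summary.LastBackupTarget)" -match '^\\\\') {
        $findings += "$($dc.HostName): backup target '$($summary.LastBackupTarget)' is a network share; keep an offline copy too."
    }
}

if ($findings.Count -eq 0) {
    "OK: $($dcs.Count) writable DCs across $($sites.Count) sites, all with recent, restorable backups."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from a workstation with domain-admin read rights; each FINDING line is one way the Ghana scenario could have gone the other way. The tombstone check matters more than the seven-day one: a backup that is merely stale costs you recent changes, but one older than the tombstone lifetime is refused by the restore process and is no better than no backup at all.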

In all, Maersk estimated that the attack cost it roughly $300 million.

All over the world, companies and organizations hit by NotPetya were undertaking similar cleanup efforts. It would take years to calculate the total damage, but it’s estimated to be more than $10 billion. 

Computers in the US, UK, Italy, Germany, France, Poland, and Russia were infected. And again, most of this damage was unintentional. 

For the United States and other NATO countries, the NotPetya attacks were a wakeup call. 

NotPetya came less than a year after the Russian hacking group Fancy Bear, itself a unit of the GRU, attempted to influence the 2016 American presidential election by releasing stolen emails from the Democratic National Committee.

The DNC hacks in 2016 were a political smear job. NotPetya was more like an act of industrial sabotage on a large scale.

True, American and European cybersecurity companies were aware that Russia had repeatedly engaged in destructive cyberattacks. iSight Partners, the American company that first identified Sandworm in 2014, was acquired by the cybersecurity company FireEye in 2016, and FireEye spent the intervening years trying to warn the Pentagon that an attack like NotPetya could hit America.

Before NotPetya, the United States government and its citizens paid little attention to Russian cyberattacks in Ukraine. NotPetya changed that instantly.

NotPetya wasn’t a far-off concern. It hit Americans. Not just American corporations like FedEx and Merck, but American businesses and hospitals. NotPetya hit Heritage Valley Health System, a hospital network based in Beaver, Pennsylvania, and disrupted Sutter Health, a network of some two dozen hospitals in Northern California.

In the months following NotPetya’s attack, the CIA conducted a forensic analysis of the malware and concluded that the GRU was behind it. In February 2018, White House press secretary Sarah Huckabee Sanders publicly blamed Russia for the NotPetya attacks, characterizing them as part of an ongoing attempt to destabilize Ukraine. One month later, the United States Treasury Department issued sanctions against Russia, citing NotPetya among the reasons.

More than two years after that, America formally charged specific Russian hackers with the attack. In October 2020, the American Justice Department indicted six Russian GRU officers for creating and unleashing NotPetya.

The indictment also identified Sandworm’s official name within the Russian military intelligence: Unit 74455.

But this indictment was really just symbolic. Vladimir Putin was never going to extradite Russians to the US, especially not military hackers. At best, the indictment would make it difficult for the six GRU officers to travel abroad. 

The US and NATO had shamed and sanctioned Russia many times before, with little to show for it. 

Meanwhile, Ukraine was still in the thick of a war with a much more powerful adversary. While NotPetya was international, 80% of all the computers it destroyed were in Ukraine. 

If NotPetya was a wakeup call to the US and NATO, Ukraine had already been awake for years. 

While the US and NATO were dragging their feet, Ukrainians everywhere knew that Russia was responsible for NotPetya. Russia had been cyber-blitzing the country since 2014. The Ukrainian government waited just one day before formally accusing Russia of the attack. 

This time, Putin didn’t even bother to respond. At the time, he was spending most of his media appearances denying Russia’s involvement in the 2016 DNC hacks.

By now, there was little point in asking Vladimir Putin about Russian cyberattacks. Predictably, he would deny involvement no matter how much it fit Russia’s MO.

In Ukraine, the question wasn’t who was responsible for NotPetya. The question was, how the hell do we stop the next one?

One week after NotPetya hit, Ukrainian National Police officers stormed the offices of Linkos, the Ukrainian tax software company owned by Sergei and Olessya Linnyk, whose tax program M.E.Doc served as the vector for the infectious malware.

The police officers rushed into Linkos HQ, pointing their assault rifles at the bewildered employees and ordering them to line up in the hallways. Olessya offered to open the door to the server room, but the officers smashed it open with a baton anyway. Inside, they found the pizza-box-sized update server through which the poisoned M.E.Doc update, and NotPetya with it, had been pushed out to customers.

For all the testosterone and spectacle, the police raid on Linkos HQ accomplished little other than to terrify a group of software programmers. It was soon clear that Linkos was a victim like everybody else: the attackers had quietly compromised its update server and used it to deliver their malware.

NotPetya was so widespread and so devastating that Ukraine was forced to take a long, hard look at its cybersecurity program.

Since 2014, the ongoing war in the Donbas region dominated the government’s attention. It could barely keep up with Russia’s relentless cyberattacks. It was clear that reform was needed. 

In the months following NotPetya, the Ukrainian government expanded the National Cybersecurity Center’s authority over the country’s cyberwarfare program. With millions in funding provided by NATO, it created entirely new departments tasked with combating cyberattacks, adding more hackers to its digital army.

Meanwhile, Ukrainians everywhere slowly rebuilt the computer systems destroyed by the computer worm. 

NotPetya was impossible to forget. A catastrophic cyberattack, one day before a national holiday. For the rest of 2017, every subsequent holiday in Ukraine could bring another cyberattack.

There was Independence Day, which falls on August 24. There was Defender of Ukraine Day, since renamed Defenders and Defendresses Day, in honor of the fighters who gave their lives defending their country, which falls on October 14th. There was Armed Forces Day, the celebration of Ukraine’s military on December 6th. Each was an opportunity for Russia to wreak havoc on its neighbor to the west.

Ukraine spent millions of dollars beefing up its defenses, but there was only so much it could do. Thousands of computers across Ukraine still used outdated operating systems. Thousands more used pirated software that didn’t receive security updates. Sandworm and other Russian hacker groups would keep coming. 

ACT FOUR

On February 21st, 2022, Russian President Vladimir Putin entered the Kremlin’s Catherine Hall, named for the Order of St. Catherine. It’s a vast, ornate marble hall that once served as a throne room in the era of the czars.

That day, in front of the assembled state-media cameras, Putin sat down at his desk, where a document was waiting. He picked up the fountain pen and signed the document.

The document contained Russia’s official recognition of the independence of two breakaway territories, the self-proclaimed Donetsk and Luhansk People’s Republics. Both are within Ukraine’s Donbas region.

At two desks set dozens of feet away, in compliance with COVID-19 regulations, the self-proclaimed leaders of Donetsk and Luhansk signed their own treaties of friendship and mutual assistance with Russia.

Afterwards, Putin addressed the cameras, asking the Russian Federal Assembly to support his decision. As if there was any doubt that would happen.

Obviously, Ukraine and the rest of the world disagreed with these declarations. 

But within an hour of Putin’s ceremony, Russian state media released a video from Russia’s Federal Security Service, or FSB, the country’s successor to the KGB. 

The video showed a log cabin, blackened and charred from an explosion.

According to the FSB, this cabin was an outpost for Russian patrols on the border with Donetsk and Luhansk. Allegedly, Ukrainian artillery suddenly bombarded the cabin, without provocation. 

It was obviously staged. All the video really showed was a nondescript cabin in the steppe that looked like it had recently been set on fire. After eight years of Russian false flag attacks, smokescreens, and misinformation in Ukraine, this was just too obviously fake to be believable.

But for the Russian government, this was enough to justify an invasion. After eight years, Russia’s proxy war with Ukraine became a full-blown war. Putin sent some 150,000 troops over the border into Ukraine. Russian forces headed straight for Kyiv, hoping to remove President Volodymyr Zelensky from power.

Ukraine’s smaller but Western-armed military stopped Russia in its tracks, forcing the Russians to retreat and regroup. According to some estimates, Russia lost 20,000 troops in the first phase of the invasion.

Sandworm, too, played a role. In April 2022, Ukraine’s Computer Emergency Response Team, CERT-UA, working with the security firm ESET, discovered an attempt to attack part of the country’s power grid. The hackers used malware called Industroyer2, a new version of the Industroyer malware that had cut power to part of Kyiv in December 2016.

But this time, the power stayed on. 

ESET and CERT-UA attributed the attack to Sandworm. The hacking group responsible for NotPetya was still active. This time, Ukraine was ready for them.

Today, Russian military hackers aren’t as effective as they were in 2015, 2016, and 2017. 

But Sandworm isn’t going anywhere, and neither are Russia’s other state-sponsored hacking groups. They will evolve their strategies, and they will keep trying. 

But even if Russia gave up hacking altogether, NotPetya still serves as a template for anyone who wants to bring society to a grinding halt. A single piece of malware did “only” $10 billion in damage, and it didn’t kill anyone. With the next NotPetya, we might not be so lucky.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app right now so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners and the best way to support the show is to share it. And another way to support us is on Patreon or a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus monthly bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka NotCoolyaAtAllYa. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!