
Wednesday, April 28, 2021

Review: Sandworm by Andy Greenberg

Greenberg writes for WIRED magazine and is a specialist in cyber security and privacy issues. This book is an extremely readable account of a Russian hacker group nicknamed Sandworm that succeeded in shutting down a substantial amount of infrastructure throughout the world, although its attacks were aimed primarily at Ukraine. The attacks targeted every aspect of Ukrainian society: government servers, media organizations, transportation hubs. Ukrainian cyber experts could only watch as systems began to crash all around them. Public web sites, trains, banking systems and ATMs were disrupted. Finally, the electricity grid collapsed, plunging hundreds of thousands of Ukrainians into darkness.

 

Having read several articles and books on Stuxnet, the successful destruction of Iranian nuclear centrifuges by the U.S. and Israel, I was anxious to read Greenberg's book. "Zero Day" security flaws are software holes that have never been used before, so the vulnerability has yet to be discovered or fixed. Knowledge of these is precious to those wishing to penetrate systems. The Sandworm group (the name came from Frank Herbert's novel Dune) had access to several and used them to great effect. The group went to great lengths to disguise themselves and hide. To Greenberg's credit, he is able to explain how experts worked out which group was responsible, and he does it in language free of technical jargon.

 

Just a few months ago, a Netherlands researcher wanted to come to the U.S. to present a paper on the vulnerability of industrial control systems. There are almost 30,000 of these devices (programmable logic controllers) that control everything from wastewater plants to the electrical grid. The researcher, thanks to America's arcane and silly visa system, was not admitted and so was unable to present these important findings. Fortunately he was able to post them to his blog. Whether that resulted in a wider dissemination of the information than had he delivered his talk is academic, perhaps. **

 

The researcher, Wojciech, used standard OSINT techniques (the CIA has identified five main OSINT fields: Internet, media, geolocation, conferences, and online pictures) to analyze the exposed ICS devices. Many of these are used in critical infrastructure, which would include dams, the electrical grid, reactors, health treatment facilities, etc. Information about critical infrastructure developed through OSINT can be used not just by espionage agencies, but also by criminal elements who may seek to gain monetary advantage by holding these devices hostage. OSINT techniques are passive, in that the target remains completely unaware it is being surveilled. Access may be gained through open ports, IP addresses, knowledge of the details of the specific devices and how they work -- all freely available online and elsewhere -- and even responses from the device itself.

 

Here's an example of the device information that's available; it even includes a phone number:

There are several programs that permit searching the internet for active ICS devices (https://www.shodan.io, for example). The author lays out precisely how to go about searching. Many of these devices have open management ports that are convenient for technicians who need to access the devices remotely for maintenance. That, however, makes them extremely vulnerable to malicious actors. General contractors with government contracts are particularly exposed, as they have a history of being more open and thus more vulnerable.

 

That hackers can cause innumerable problems has already been shown in Ukraine, Estonia, and Georgia, where the Russians devastated each country's infrastructure. Andy Greenberg in Sandworm documents what happened in several cases. In Ukraine, access to the banking system was eliminated.

 

It took forty-five seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub…was fully infected in sixteen seconds. Ukrenergo, the energy company…had also been struck yet again…the effect was like a vandal who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack. 

 

Ukraine became a testing ground for Russian hacking. Disinformation to spread distrust in the election and tampering with the infrastructure were simply test runs for Russia's successful attacks on United States electoral trust in 2016 and 2020. Ukraine had taken the brunt of Russian abuse for centuries, and Greenberg's short history of those onslaughts was suitably horrifying. (See also Anne Applebaum's Red Famine: Stalin's War on Ukraine to understand why Ukraine at first welcomed the Nazis.)

 

US officials, with their heads typically in the sand, refused to admit something similar could happen in the U.S., yet we now know that Russian hackers infiltrated the U.S. election system and may well have manipulated the outcome in a variety of unorthodox ways. In 2016, Iranian hackers attacked several US banks, causing millions in damages, and shut down a dam, presumably in retaliation for the Stuxnet attack. The attacks themselves were quite unsophisticated, mostly DDoS attacks that even a novice hacker can pull off.

 

There is software (malware, really) that has been designed for specific purposes; Stuxnet is but one example. Another, discovered by the security firm Dragos, was CrashOverride***, only the fourth example of malware designed to attack and manipulate the controllers in electrical grids. "The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages."

 

Greenberg shows that a variety of software is available, even for sale, that permits relatively easy access for anyone, but can also be used to hide the origin of the attacker. To make matters worse, Greenberg wrote in Wired (https://www.wired.com/story/plundervolt-intel-chips-sgx-hack/) of researchers who had managed to access and control Intel processors (a vulnerability that has since been fixed) by manipulating the internal voltage of the processor. Lowering or otherwise altering the voltage induces computational faults, and once faults can be induced, the processor's output can be changed by manipulating those faults. The technique, called Plundervolt, was discovered concurrently by a researcher in Beijing. (Take from that what you will.)

 

In his book, Greenberg focuses on Sandworm, a group of hackers and their software, named after the malicious creature in Dune (cyberanalysts had discovered that preference while doing research on the code - don't ask me how). They determined there was evidence that Sandworm had been infiltrating critical infrastructure—some of it in the United States—since 2011 and had already developed a weapon that could knock it out. When it was used against Ukraine, it had evolved even further.

 

The hackers had, in other words, created an automated cyberweapon that performed the same task they’d carried out the year before, but now with inhuman speed. Instead of manually clicking through circuit breakers with phantom hands, they’d created a piece of malware that carried out that attack with cruel, machine-quick efficiency.

 

PowerPoint users should take note that the program has become so large, and now includes so many useless features, that it has almost become its own programming language. The Sandworm group utilized the ability to place objects and run programs within slides to place malware on the user's computer that would download or run other programs unbeknownst to the user.
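A .pptx file is a zip archive of XML parts, so the embedded objects and external links the paragraph above describes leave traces in each slide's relationship file and in the ppt/embeddings/ folder. The following triage script is an added example, not code from the book or from any of the organisations named on this page; it scans a deck for those traces and runs on a constructed, minimal sample deck rather than a real PowerPoint file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and relationship-type prefix (ECMA-376).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that mean a slide carries an embedded OLE or package object.
EMBED_TYPES = {OFFICE_REL + "oleObject", OFFICE_REL + "package"}

def scan_pptx(data: bytes) -> dict:
    """Triage a .pptx for slide-level embedded objects and external targets.
    Returns {part name: [findings]}; an empty dict means nothing was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as deck:
        names = deck.namelist()
        for name in names:
            # Each slide's relationships live in ppt/slides/_rels/slideN.xml.rels
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            hits = []
            for rel in ET.fromstring(deck.read(name)).iter(REL_NS + "Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if rtype in EMBED_TYPES:
                    hits.append("embedded object -> " + target)
                if rel.get("TargetMode") == "External":
                    hits.append("external target -> " + target)
            if hits:
                findings[name] = hits
        # Embedded payloads are stored as raw parts under ppt/embeddings/
        embedded = sorted(n for n in names if n.startswith("ppt/embeddings/"))
        if embedded:
            findings["ppt/embeddings/"] = embedded
    return findings

def build_sample_pptx() -> bytes:
    """Constructed sample deck: only the parts the scanner reads, not a full file."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="http://example.invalid/x" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as deck:
        deck.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        deck.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        deck.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    for part, hits in scan_pptx(build_sample_pptx()).items():
        print(part, hits)
```

The script only lists what a deck carries; deciding whether a flagged object is legitimate still needs a look at the embedded part itself.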

 

They managed to fix the system in about an hour, but the point was made. Another group, calling themselves the Shadow Brokers, made off with a whole set of penetration tools developed by the NSA and turned them loose in the wild, where virtually anyone with a modicum of knowledge can make use of them. The Shadow Brokers caused immense harm when they released EternalBlue, the exploit behind malware that spread faster than anything anyone had seen before. Within minutes it had disabled pharmaceutical companies, and Maersk, the huge shipping company, was brought to its knees.

 

“‘For days to come, one of the world’s most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken,’ Greenberg writes of the attack on Maersk, calling it ‘a clusterfuck of clusterfucks.’ The company was only able to get its ships and ports back in operation after nearly two weeks and hundreds of millions of dollars in losses, when an office in Ghana was found to have the single computer that hadn’t been connected to the Internet at the time of the attack.” ****

 

I've been reading a lot of books and articles on the potential for cyberwarfare. The potential is there for even non-state actors to operate in the shadows and do tremendous harm. Then again, shutting down most of our industry might solve the global warming worst case scenarios. One apocalypse preventing another.

 

**https://www.icscybersecurityconference.com/intelligence-gathering-on-u-s-critical-infrastructure/

 

***For Dragos's analysis of CrashOverride, the malware designed to attack electricity grids, see https://dragos.com/wp-content/uploads/CrashOverride-01.pdf

 

****https://www.i-cio.com/management/insight/item/maersk-springing-back-from-a-catastrophic-cyber-attack Note that this source places the lone saved Domain Controller in Nigeria rather than the more accepted Ghana.
