27.

Sofacy

Three days before the election in Ukraine, CyberBerkut compromised the Central Election Commission’s network.1 Commission staff discovered the damage when they arrived at work the next morning. The attack succeeded in disabling central network nodes and “numerous components of the election system,” according to Nikolay Koval, who headed Ukraine’s Computer Emergency Response Team during the incident.2 The election was approaching fast, but the real-time vote-count displays had been knocked out—and stayed that way for nearly twenty hours, as engineers worked frantically to fix the problem. Meanwhile, the digital intruders taunted the Ukrainian officials, leaking photos of the commissioner’s bathroom renovation, his passport and that of his wife, and—in an attempt to undermine the election’s legitimacy—leaked emails from Western officials to the Ukrainian election commission. Koval and his team scrambled to contain the damage. Thankfully, the original network architects had saved a backup of the commission’s data, which gave the emergency response crew a head start. At daybreak on Sunday, as Ukrainians started heading out to cast their votes on paper slips, the CEC’s systems were back up and running, including the displays. The country eagerly awaited the first counts of the presidential vote at one of the tensest moments in Ukraine’s history.

Headquarters of the Russian General Staff’s Main Intelligence Department (GRU) in Moscow, December 2016 (Natalia Kolesnikova / AFP / Getty Images)

Less than an hour after voting stations had closed, Russia’s most popular TV station, Channel One, reported that Dmytro Yarosh, a far-right leader of Right Sector and a combat-experienced commander of the Ukrainian Volunteer Army, was the likely winner of the vote.3 The Channel One presenter, Irada Zeynalova, showed what she called a “strange chart” which, she alleged, had “appeared on the central website of the CEC of Ukraine a few minutes ago.” The chart listed the names of several Ukrainian candidates alongside bars that displayed a number of votes. At the top was Yarosh, with 37.13 percent of the vote, followed by Petro Poroshenko, with 29.63 percent. The graph did appear to be taken from the CEC’s website; it had the same dark green logo with a yellow-and-blue wave, a similar layout and fonts. But there was one problem: the image used on Channel One never actually appeared on the public-facing CEC website.4

The attack on the displays, it turned out, was a diversion tactic. While the Ukrainian Computer Emergency Response Team scrambled to restore the CEC’s display system in the days and hours before the vote, a second, undetected attack was unfolding in secret. The reconnaissance phase for this second attack started more than two months earlier, on March 19. On April 21 the server had been breached.5 A day before the election, the attackers were busy preparing for their actual mission: placing fake election results on the CEC website, to be ready for prime time at just after eight that evening, when the polls closed and all eyes turned to the CEC in anticipation of the results. The attackers uploaded their bar-chart forgery at 19:52, eight minutes before the end of the election. But in their haste, they failed to fully appreciate how the commission website was set up. To prepare for both the high number of visitors on election night, and to guard against denial-of-service attacks, the commission had “mirrored” its website on several servers. This mirroring made the website more stable under the heavy traffic of election night—and, inadvertently, also slightly harder to hack: the load-bearing mirror sites meant that putting a file on the CEC server, if done incorrectly, would not automatically post the file on the commission’s actual, public website. The attackers, it seems, did not grasp the site’s complex setup, and placed their carefully prepared forgery in the wrong folder. This meant that the forgery, named “results.jpg,” was publicly accessible at the full URL that used the CEC’s IP address, but not via the official website.

Immediately after uploading the forged chart, the clandestine attackers forwarded the URL to Russia’s Channel One. Twenty-four minutes later, several different journalists and producers at the TV station accessed the obscure, unpublished URL.6 Shortly thereafter, Russia’s prime TV station included the false Yarosh announcement in its 9:00 p.m. news segment.

The Computer Emergency Response Team immediately learned of the Russian breaking news, and started investigating what looked to them like an adversarial operation to interfere in a presidential election. Three days later, the CERT published its technical findings, laying out the errors in tradecraft that the Russian hackers had made and cleverly articulating the suspicion that Channel One may have been complicit in the prime-time election interference. The Ukrainian investigators concluded that Channel One could not have found the forged graph without secret help, and mockingly offered to turn over files to Russian law enforcement in order to get to the bottom of the case.

Instead of Russian authorities, CyberBerkut responded. Just hours after the CERT’s analysis was published, the mysterious pseudo-activists posted an explicit note to the press. “We did not hack the CEC website on May 25,” the hackers announced, admitting that they, in fact, did hack the CEC’s network, adding that they had watched from within the commission’s own networks as the CEC attempted to repair the website in real time. “We were inside of the system and were monitoring vain endeavors of the officials to restore it. But they failed.”7 CyberBerkut’s claim was incorrect; the Ukrainians had succeeded in restoring the site. Yet CyberBerkut’s main purpose was to counter the Ukrainian version of the story, and that meant backing the Yarosh graph and calling into question the Ukrainians’ statement that it was not available on the public-facing website. CyberBerkut claimed that the “junta” in Kyiv would understate support for Yarosh, and that the initial graph might in fact be the correct one. “We confirm the table showing that Yarosh and Poroshenko had passed to the second round of the elections appeared on the official CEC site.” Then the faux activists even provided the IP address of that official website, and the addresses of six different mirrors.8 It was an extraordinary admission not just of their own technical error but that the taunting response from the Ukrainian CERT had touched a nerve. As always, CyberBerkut signed off, “We are CyberBerkut! We will not forget! We will not forgive!”

But the wider world would forget and forgive these renewed Russian active measures. CyberBerkut’s hacking tools were then brand-new and hard to detect. The Ukrainian responders had found their traces, but at the time only a few intelligence officers and researchers would have been able to do so. Only later would the trail lead to Russian military intelligence.9

Less than two months later, on July 17, as passengers settled in for a long flight from Amsterdam to Kuala Lumpur, a Buk anti-aircraft missile ripped into their Boeing 777. All 298 people aboard Malaysia Airlines Flight 17 perished. Debris and body parts fell from the sky above eastern Ukraine, scattered across fields and grassland. Almost immediately, Russian intelligence took advantage of the disaster. Less than two weeks later, online spies started baiting their victims—who later included the Dutch team investigating the shooting down10—with a file named MH17.doc. The file contained news on the crash along with a small, well-crafted tool that allowed the attackers remote access to files on their targets’ machines.11 The pace and aggression of operations was picking up.

By September 2014, Russian military intelligence had been hacking for more than a decade. A range of computer security companies had traced Russian hacking sprees for years, and came up with various confusing and meaningless code names for the hacking groups, the first of which was SOFACY. Others, deliberately vague in order to enable open conversation, were Sednit, Pawn Storm, APT28, Strontium, and FANCY BEAR.12 Whatever the code name imposed on them, the group’s first known digital artifact, a so-called malware sample, dates back to July 15, 2004. But the tool would publicly emerge only more than a decade later.13 In the early days, until late 2014, analysts weren’t quite sure whose activity they were describing with these arcane cryptonyms. Yet three things became increasingly clear: the group was highly prolific and highly capable, and it wasn’t particularly stealthy.

The first public hints of high-end hacking behavior started trickling out in late 2012, when the Russian military operators used previously undisclosed software vulnerabilities against their victims.14 Security companies were tracking the intruders in more detailed, unpublished reports. BAE Systems, a British defense and security firm, distributed a detailed analysis to its clients in late August.15 By then the Russian spies were going after a growing number of targets. The main public repository and catalog for malicious software, known as VirusTotal, then contained more than six hundred distinct samples of the GRU’s favorite digital crowbar, known as “Sofacy,” like the group itself.

Google was one of the first companies to call out the perpetrators by name, albeit in an underhanded way. On September 5, 2014, the security team in Mountain View circulated among its malware researchers a report titled “Peering into the Aquarium.” The title sounded strange. But those in the intelligence business would understand: “the aquarium” was a reference to the GRU’s old headquarters building at the Khodinka airfield near Moscow16—one GRU defector even titled his memoirs Inside the Aquarium.17 The Google security team noted that the hackers appeared to have about a week’s notice ahead of a Russian military operation in Syria, and had breached online targets accordingly. The GRU seemed to be the obvious perpetrator, but Google wasn’t completely sure. The aquarium in the title “was a way to get people to disagree and to let us know if we had got it wrong,” one of the authors told me.18 The actual report only obliquely referred to a “sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries.” The Republic of Georgia, Google found, was at the top of the target list.

About a month later, the first big public reports came out, beginning on October 8 with ESET, an IT security company headquartered in Bratislava, Slovakia. Based on research enabled by Google’s work, the ESET analysts described a customized hacking tool that was used to “relentlessly” attack Eastern European targets.19 About a week later, one of America’s leading advanced computer security companies, FireEye, published a major report, spelling out in public for the first time what many security researchers had long known or suspected in private: that the Russian government was behind the mysterious “APT28,” as many outside experts then referred to the entity that they suspected was, in fact, the GRU. “Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations,” the FireEye analysts wrote.20 They observed that APT28 was skilled, but did not engage in intellectual property theft or economic or financial espionage, only old-school, defense-related spying for geopolitical purposes, with a consistent, eight-year focus on Eastern European governments, the armed forces in Russia’s periphery, but also NATO and OSCE, a European security organization, as well as defense attachés and defense events and exhibitions in Europe. Detection rates of Russian hacking tools improved, and breaching high-value targets became harder for the GRU.

A few weeks later, however, on November 12, 2014, NATO’s supreme commander in Europe, an American four-star general named Philip Breedlove, publicly announced that he had intelligence that confirmed Russian military equipment was seen entering Ukraine. The GRU now trained its sights on Breedlove, and readied to strike.

The war in Eastern Ukraine continued to churn. By early December, about a thousand people had died in Donbass. On December 16, a senior Russian diplomat accused the West of providing “lethal weapons” to Ukraine.21 About a week later, the first digital active measures against the United States began. On Christmas Eve 2014, the Albuquerque Journal suddenly found that its website had been defaced. A new entity calling itself “CyberCaliphate” had posted a picture of a man with his face covered by a black-and-white keffiyeh scarf against a pitch-black background, with the Islamic State flag and the line “i love you isis” typed in lowercase next to the masked face. The headline was “Christmas Will Never Be Merry Any Longer.”22

“While the U.S. and its satellites are bombing the Islamic State, we broke into your home networks and personal devices and know everything about you,” read the journal’s hacked home page.23 Two weeks later, on January 6, a local Maryland TV station was the target of a similar defacement, using the same moniker and the exact same imagery.24 The FBI told the station personnel that similar attacks had quietly happened to media companies across the United States. A larger campaign was slowly beginning to take shape, possibly designed to distract the West from the renewed military escalation in Ukraine.

The following day, terror struck in Paris. Between January 7 and 9, several Islamist terrorist attacks killed seventeen people in four shootings, the most infamous of which took place at the offices of the satirical newspaper Charlie Hebdo. The massacre was a response to the publication of highly controversial cartoons that lampooned the Prophet Muhammad. Islamic extremism and free speech were among the most divisive issues in Europe and North America. The West was on edge, expecting the next Islamic State terrorist attack at any moment. The situation was ripe for exploitation.

The widely used logo of a Russian military intelligence front, CyberCaliphate, which perpetrated advanced computer network attacks against a range of targets in the name of ISIS

Three days later, on January 12, U.S. Central Command’s social media accounts were compromised.25 Unknown hackers changed Central Command’s profile picture and banner to the same image used in the previous hacks. Then the hackers posted their first note on Twitter from the hijacked U.S. military account: “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.” Within twenty minutes, the purported Islamic State militants had published seven posts to Central Command’s 110,000 followers, who included many journalists. More than two hundred different news stories on the episode appeared that month. Many debunked the claim that ISIS hackers had successfully breached Centcom’s sensitive networks, as most of the material that ISIS claimed had been stolen and leaked appeared to be publicly available. But most of the stories repeated the false claim that Islamic State had successfully hacked and attacked U.S. Central Command. “We know everything about you, your wives and children,” the faux-Islamic hackers had threatened. “We won’t stop!” That part, at least, wasn’t a lie.

Ten days later, on January 23, 2015, the GRU penetrated the internal network of the French broadcaster TV5/Monde.26 The Russian operators installed a specific implant, an updated version of the well-known Sofacy tool, which was configured to call home via two specific command-and-control machines, inside the French broadcaster’s network. FireEye intelligence analysts were monitoring one of these command-and-control machines.27 In February, just days after the full compromise of TV5, FireEye noticed that the implant was communicating with its automated handlers from inside the French TV station. APT28 was researching the TV5 networks from the inside, especially the nature of the machines that controlled the broadcasting operation itself. This was not trivial—rather, the attack was an intriguing engineering challenge for the operators in Moscow. French investigators later suspected that the saboteurs had translated and studied around thirty stolen documents in order to prepare for the next phase.28

Three days after the TV5 compromise, on the morning of January 26, 2015, the Malaysia Airlines website was defaced. “404—Plane Not Found,” read the text emblazoned over the large picture of a Malaysia Airlines passenger aircraft. Later the image changed to a graphic of a tuxedo-wearing, pipe-smoking lizard with a monocle and top hat, under the text “Hacked by Lizard Squad, Official Cyber Caliphate”—a strange mix of familiar hacker aesthetics, often associated with the Anonymous movement, and Islamic State themes.

On the morning of February 10, at around 10:45 Eastern Time, Newsweek’s Twitter account suddenly had its profile picture changed to the keffiyeh-clad ISIS fighter. A series of incendiary posts followed. The first was addressed to the First Lady, and said, “#CyberCaliphate Bloody Valentine’s Day #MichelleObama! We’re watching you, your girls and your husband!” The hacked Newsweek account then proceeded to post allegedly confidential Department of Defense files.

At that time, Angela Ricketts, whose spouse was in the U.S. Army, was taking a bubble bath in her home in Colorado, and had just opened a memoir to read. Suddenly a message appeared on her iPhone. “Dear Angela!” said the Facebook message. “Bloody Valentine’s Day!” Islamic State militants threatened to slaughter her family. Terrorists appeared to have hacked Ricketts’s phone and her computer. “We’re much closer than you can even imagine.”29 Ricketts was one of at least five military spouses who received such death threats; one was so terrified, she fled her home in fear.30 The operational pace was fast, and getting faster.

On the same day, a website called cyb3rc.com went live.31 Registered just hours earlier, the site’s URL was a hacker-style shortening of CyberCaliphate.

“Bloody Valentine’s Day!” began the first post, yet again. The supposed jihadis vowed to wage holy war on the Pentagon’s computers. “We are destroying your national cybersecurity system from inside,” they wrote, and then proceeded to use the same text they had already sent to several Army spouses like Ricketts: “We know everything about you and your relatives and we’re much closer than you can even imagine.”32

The self-proclaimed Islamic State website published a mix of documents that were already in the public domain, but hard to find, and documents likely stolen from the Department of Defense. It appeared that the Defense Cyber Investigations Training Academy, shortened to DCITA, had lost a number of documents with personal information on U.S. military personnel. Screenshots of the newly published cyb3rc site also appeared on Newsweek’s social media feed.

CyberCaliphate bore all the hallmarks of a coordinated disinformation campaign: these actions were launched simultaneously, with consistent branding and language, and across various fronts and hacked social media sites, both publicly and as silent measures against the military spouses. But it would take years for the forensic evidence to emerge that would allow a high-confidence assessment that the fake Islamic State group was, in fact, the work of Russian military intelligence.

Nonetheless, the similarities between CyberCaliphate and CyberBerkut were uncanny: in both cases the masterminds named their “cyber” front after a known, brutal real-world entity; both opted for medial capitals, FedEx-style, to make their cover names more legible; both assumed the aesthetics of the Anonymous movement, although they were an uneven fit for the fake jihadis. Both combined hacking-and-leaking with crude forgeries; both engaged in data destruction; both had dedicated websites with handcrafted layouts.

The sabotage preparations at TV5 were making good progress. Lurking within the TV station’s computer network, the hackers were intercepting the log-ins and passwords for the station’s social media feeds, the content management system for TV5’s website, and the routers and switches that beamed video into the world. On April 6, the APT28 operators checked whether the stolen log-ins to Facebook, Twitter, and YouTube would work; they did.33

Digital D-day was April 8, when TV5, which ran a global broadcasting operation in two hundred countries and territories, with up to 50 million weekly viewers, was set to launch a new channel.34 French dignitaries were attending the launch at the Paris headquarters. The attackers did a meticulous dry run to check whether their log-in credentials were up to date for the encoders and multiplexers—broadcasting devices that enable the transfer of video and audio simultaneously over one frequency channel.35 Those passwords were also still good. Finally, at 7:57 p.m., the demolition began. The GRU operators modified the input parameters for the multiplexing machines, laying the groundwork for the programming disruption. One hour later, TV5’s social media accounts suddenly displayed the Islamic State flag. Fifty minutes after that came the main strike: the attackers hopped onto some of the station’s most critical routers and simply deleted the firmware that kept the broadcasting machines running. All TV5 screens immediately went black.36

At that moment, Yves Bigot, TV5’s director general, was having a late dinner in a restaurant in Paris. Bigot was out with a fellow broadcaster from Radio Canada, and in a celebratory mood. Suddenly, as the appetizers arrived, Bigot’s phone started buzzing. All twelve channels served by TV5, his staff told him, had gone off the air. “It’s the worst thing that can happen to you in television,” Bigot later recalled.37 As the TV executives began to panic, the hackers were preparing a flanking attack aimed at TV5’s emergency responders. At 10:40 p.m., APT28 managed to bring down TV5’s internal messaging system. The situation was dire. Late that night, TV5 called the government for help.

The broadcaster was lucky that night. Because of the launch of the new channel the previous day, many qualified technicians were still close by. Now they scrambled to relaunch the entire station. “One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the internet and it stopped the attack,” Bigot later told the BBC. At 5:25 a.m. the next day, the incident responders had managed to restore one channel, and others soon followed.

But the sabotage of TV5 was not over. The hack was accompanied by a shrewd publicity blitz—a small con to support the big con. About twenty-two hours after the attack, the first technical analysis appeared on an obscure blog called Breaking3Zero. The post reproduced several of the supposed ISIS notices posted from the hacked TV5 website and social media accounts; its author claimed that a member of the public had alerted him or her to the TV5 defacement, and that he or she had then “conducted an investigation into cyber jihadism and found the group responsible for the attack.” The post claimed, without citing any sources, that TV5 had been breached through a Java flaw in the machine of TV5’s social media officer, and that this bridgehead computer was “directly connected to the control room.”38 The post was extraordinarily detailed: the author claimed to have identified the “virus” used to breach TV5, that this malware was named isis.vbs, that the encryption of the virus had been “broken,” that the attacker had used a proxy to hide its tracks, and that it had identified the culprit, an Algerian ISIS-affiliated jihadi named “Najaf” who was in reality hiding behind the pseudonym “JoHn.Dz.”

At first, government investigators in France and neighboring countries were confused and even led astray by this highly technical and detailed analysis. But after a team of about a dozen investigators spent weeks examining the TV5 network, the French government agency in charge, ANSSI, discovered that Russian military intelligence had hacked the French broadcaster, sabotaged its programming, defaced its digital outreach as CyberCaliphate, and prepared a well-timed and technical incident report to mislead the initial press coverage.39 The ruse had worked. “TV Monde hacked by Cyber Caliphate group,” announced one cartoon in Le Monde the day after the attack.40 Le Figaro saw the hacked TV station as part of a global culture war by Islamic State.41 Some technology outlets also took the made-up incident report at face value.42

Three weeks after the GRU brought down the French broadcaster, it breached the German Parliament. Once in, APT28 installed clandestine backdoors on at least twenty-one workstations and four servers that were used by members of Parliament and their administrators. For their command-and-control communications back to Moscow, the intruders used third-party machines in Eastern Europe. However, these communications did not remain undetected. BAE Systems, the British security firm, soon noticed suspicious connections to the German Parliament emanating from a client connection it had been watching, identified the intruders as APT28, and confidentially informed German domestic intelligence.43 On May 20, 2015, an investigation later found, spies had exfiltrated sixteen gigabytes of data from the German Parliament.44 None of the data would be leaked or publicized, but APT28’s Bundestag hack would soon provide important forensic artifacts for other investigations.

Also on May 20, 2015, a “Yemen Cyber Army” claimed that it had hacked the website of the Saudi Ministry of Foreign Affairs. The ministry’s site now showed the fruits of what the attackers called #OpSaudi. That morning, Saudi diplomats stared at a picture of five men in Anonymous-style Guy Fawkes masks, above a bizarre poem:

Beneath this mask
there is more than flesh.
Beneath this mask,
there is an idea,
And ideas are bulletproof.
Yemen Cyber Army is Coming … 45

The anonymous hackers boasted that they had control over more than three thousand machines, with access to emails and secret files, and that they would destroy all of the ministry’s data at noon that Wednesday—less than two hours away. The initial announcement included links to file-sharing sites where the hackers had uploaded samples of the stolen files.46

Less than a month later, on June 19, WikiLeaks published more than sixty thousand diplomatic cables from Saudi Arabia. Known as the “Saudi Cables” and widely covered in the international press, the leak was one of the most controversial ever. The Saudi files contained a range of highly sensitive personal data, including more than five hundred passports or identity files and dozens of medical records. The files even exposed several rape victims by name, including Saudi teenagers abused abroad and foreign domestic staff tortured or raped in Saudi Arabia, some of the accounts in haunting detail.47

One week later, a new, mysterious, and dedicated leak site appeared. The site took inspiration from WikiLeaks, calling itself WikiSaudiLeaks. The page published more than seven thousand files purportedly stolen from the Saudi foreign ministry, and after a few days claimed that “‘WikiLeaks’ have been given access to some of these documents.”48

The Saudi Cables data dump was then one of the most voluminous to date, and bore the hallmarks of an intelligence operation. The identity of the attackers, however, remained undetermined. Western intelligence agencies and private-sector security companies studied the case closely, but could not come to a strong conclusion. Some circumstantial evidence pointed to Russian military intelligence; an investigator with firsthand knowledge of the case told me that the Saudi foreign ministry had been hacked by “APT28” in the spring of 2015.49 One of the most convincing clues was that some of the technical infrastructure used to host the WikiSaudiLeaks site overlapped with known GRU hacking infrastructure. Such evidence was a bit like finding a similar pair of hand-knitted gloves at two different crime scenes—helpful, but not watertight.50 Then there was the circumstantial evidence. The purportedly Yemeni site was registered from a Yandex email address—a Russian provider—on a Friday, a day that falls on the weekend in the Middle East. And finally, the leak site’s naming convention and tactics followed the similar dedicated sites in Ukraine, including the “Cyber” prefix and the use of Anonymous iconography.51 Other indicators, however, appeared to point to Iranian authorship—for example, the reuse of a unique name and a mock mathematical equation that had been previously linked to Iranian intelligence operations.

One thing is certain: the world’s most powerful intelligence organizations, including Russian spy agencies, carefully studied the Saudi leaks. And to anybody who was watching, the Saudi Cables demonstrated that WikiLeaks, although hard to control, was a highly effective outlet for high-volume data dumps, both credible and implausible, far superior to homemade, specific, stand-alone websites.