Inside the Discovery of Sandworm, the World’s Most Dangerous Hackers
Now, before Robinson’s eyes, BlackEnergy had resurfaced in yet another form. The version he was looking at from his seat in iSight’s bullpen seemed different from any he’d read about before—certainly not a simple website-attack tool, and likely not a tool of financial fraud either. After all, why would a fraud-focused cybercrime scheme be using a list of pro-Russian terrorists as its bait? The ruse seemed politically targeted. From his first look at the Ukrainian BlackEnergy sample, he began to suspect he was looking at a variant of the code with a new goal: not mere crime, but espionage.
Soon after, Robinson made a lucky find that revealed something further about the malware’s purpose. When he ran this new BlackEnergy sample on a virtual machine, it tried to connect out over the internet to an IP address somewhere in Europe. That connection, he could immediately see, was the so-called command-and-control server that functioned as the program’s remote puppet master. And when Robinson reached out himself via his web browser to that faraway machine, he was pleasantly shocked. The command-and-control computer had been left entirely unsecured, allowing anyone to browse its files at will.
The files included, amazingly, a kind of help document for this unique version of BlackEnergy that conveniently listed its commands. It confirmed Robinson’s suspicion: The zero-day-delivered version of BlackEnergy had a far broader array of data-collection abilities than the usual sample of the malware found in cybercrime investigations. The program could take screenshots, extract files and encryption keys from victim machines, and record keystrokes, all hallmarks of targeted, thorough cyber-spying rather than some profit-focused bank-fraud racket.
But even more important than the contents of that how-to file was the language it was written in: Russian.
The cybersecurity industry constantly warns of the “attribution problem”—that the faraway hackers behind any operation, especially a sophisticated one, are very often impossible to pinpoint. The internet offers too many opportunities for proxies, misdirection, and sheer overwhelming geographic uncertainty. But by identifying the unsecured command-and-control server, Robinson had broken through iSight’s BlackEnergy mystery with a rare identifying detail.
Despite all the care they’d displayed in their PowerPoint hacking, the hackers seemed to have let slip a strong clue of their nationality.
After that windfall, however, Robinson still faced the task of actually delving into the innards of the malware’s code in an effort to find more clues and create a “signature” that security firms and iSight’s customers could use to detect if other networks had been infected with the same program.
Although Robinson knew that the malware was self-contained and therefore had to include all the encryption keys necessary to unscramble itself and run its code, the key to each layer of that scrambling could only be found after decoding the layer on top of it.
After a week of trial, error, and standing fixated in the shower turning the cipher over in his mind, Robinson finally cracked through those layers of obfuscation. He was rewarded with a view of the BlackEnergy sample’s millions of ones and zeros—a collection of data that was, at a glance, still entirely meaningless. “It’s almost like you’re trying to determine what someone might look like solely by looking at their DNA,” Robinson said. “And the god that created that person was trying to make the process as hard as possible.”
By the second week, however, that microscopic step-by-step analysis finally began to pay off. When he managed to decipher the malware’s configuration settings, they contained a so-called campaign code—essentially a tag associated with that version of the malware that the hackers could use to sort and track any victims it infected. And for the BlackEnergy sample dropped by their Ukrainian PowerPoint, that campaign code was one that he immediately recognized, not from his career as a malware analyst, but from his private life as a science fiction nerd: “arrakis02.”
Gloss