
Ep. 30: The scariest piece of malware since Stuxnet

DINA TEMPLE-RASTON: Of all the doomsday scenarios that keep cyber officials up at night,
an attack on major infrastructure probably tops the list.

Targeting an electrical grid or, say, a water treatment plant can bring a city to a standstill
or compromise national security. And, so far, this kind of attack has been so rare, when
hackers manage to get into infrastructure the attacks actually get sinister sounding names
like Stuxnet or Industroyer.

That second one, Industroyer, showed up six years ago in an electrical grid near Kyiv. And
people are still talking about it.

Robert Lipovsky is the principal threat intelligence researcher at a cybersecurity company
called ESET.

ROBERT LIPOVSKY: Industroyer was A) the first malware ever specifically designed to attack
power grids, and B) It was the second ever after Stuxnet designed to create physical
damage to equipment.

TEMPLE-RASTON: Like, break things. In the physical world.

The example everyone goes back to is Stuxnet. It was a piece of malware that attacked a
uranium enrichment plant in Iran in 2010. Stuxnet allowed hackers to take control of the
centrifuges that enrich uranium and order them to spin so fast they literally broke.

Lipovsky says that Industroyer malware they found in 2016 looked like it could actually do
that kind of damage to a power grid. But the hackers seemed to be just testing it, because
all they did was turn out the lights in a suburb of Kyiv for about an hour, in the middle of
the night.

(BLACK OUT SOUND)

And then Industroyer malware just vanished. No one saw it in the wild for years, until this
past April…when Lipovsky and his team found it in a different regional power supplier in
Ukraine.

(THEME MUSIC)

LIPOVSKY: It was a new version of Industroyer…

TEMPLE-RASTON: And to understand what that really meant, think of it as someone
hacking into Pepco or PG&E, and then doing it in the middle of a war.

I’m Dina Temple-Raston, and this is Click Here, a podcast about all things cyber and
intelligence. Today, we look at a sophisticated cyber attack launched against Ukrainian
transmission stations. And had it not been for a kind of “Thank God It’s Friday” miracle, this
industrial control system hack could have struck a real blow in the early weeks of the war.

And we talk with a high ranking member of Ukraine’s now infamous IT Army, which is
fighting against these kinds of attacks. A group of IT professionals, not soldiers, who are
helping Ukraine punch way above its weight not just in cyberspace, but in the ground war,
too.

IT ARMY MEMBER: Basically once I started hearing about civilians and children and women
and elderly getting bombed or killed or starved is when I basically decided to do something.

TEMPLE-RASTON: Stay with us.

(BREAK)

TEMPLE-RASTON: Robert Lipovsky says what made the 2016 Industroyer malware different
from most malware is that it spoke this very old, very specialized control systems language.

LIPOVSKY: It was something that stands out. Something that we have never seen before.

TEMPLE-RASTON: The Industroyer malware spoke a kind of Dothraki that only control
systems speak.

LIPOVSKY: These protocols were designed decades ago without security in mind, so once
attackers get access they can send out commands to those circuit breakers to open them.

TEMPLE-RASTON: The malware was able to tell the system to, say, open those circuit
breakers or, perhaps, keep those circuit breakers closed — which could physically burn out
part of the power grid.

Industroyer is the brainchild of a hacking group called Sandworm. They are a unit of
Russia’s military intelligence agency, the GRU. And one of the people trying to stop them is
this guy.

ANNOUNCER: We have a very special guest today, directly from Ukraine, Mr. Victor Zhora,
who's the deputy chairman of the state service of special communications.

(APPLAUSE)

ANNOUNCER: He's overseeing the incident response to the Industroyer attack…

TEMPLE-RASTON: Victor Zhora was at the Black Hat conference as a sort of an unbilled
surprise guest.

VICTOR ZHORA: It’s a privilege to be at Black Hat for the very first time…

TEMPLE-RASTON: He was wearing the conference uniform: a black T-shirt and jeans. And he
said Ukraine was half expecting some sort of Industroyer-like comeback.

VICTOR ZHORA: So most of these attackers are focusing on critical infrastructure and
government agencies. And based on experience, we gained from the last eight years of, uh,
cyber aggression against Ukraine, we continue being very attentive to all tips we receive, uh,
regarding the energy sector.

TEMPLE-RASTON: So when an energy company told Ukrainian authorities that someone was
in their systems, he reacted right away.

ZHORA: We got confirmation with them that there were issues. And we immediately started
providing incident response.

TEMPLE-RASTON: Apparently, someone at the company had clicked on a phishing email
before the invasion had even started. And, with that one click, Industroyer and its creators
were in.

But the malware had become much more complex in the years since it had last been seen.
This time, Victor says, it was part of a cascading array of attacks that would stop computers
from booting up or erase hard drives.

ZHORA: We later discovered Maze malware for Windows workstations.

TEMPLE-RASTON: Which meant they were targeting individual desktops. And the attack had
a very specific trigger: In the command line that launched the malware there was…

ZHORA: an algorithm which is waiting for the letter Z

(TYPING SOUND)

TEMPLE-RASTON: The letter Z, of course, has become a symbol in Russia to show support
for the war, so the hackers were being cute. But here’s the thing, this wasn’t an attack that
was supposed to just happen any time. It was supposed to happen at a very precise
moment.

ZHORA: The overall idea was to provide this blackout in the end of Friday, 5:58 pm.

TEMPLE-RASTON: The idea was to sow chaos just before workers were going to leave for the
weekend. Robert Lipovsky analyzed the code, and he thinks the most recent attack was
meant to mirror what happened in 2016. And he figures it was supposed to unfold
something like this:

LIPOVSKY: What the attackers actually try to do is de-energize the substation.

TEMPLE-RASTON: So flip a switch to start a blackout…

(SOUND OF POWER GOING OUT)

LIPOVSKY: Then wipe those controlling stations so the operators, uh, couldn't see, couldn't
have visibility and also couldn't control it. Couldn't do anything about it except restoring the
power manually.

TEMPLE-RASTON: Which could cause a power surge.

LIPOVSKY: That could theoretically, because it depends on a lot of variables, and maybe
cause physical damage.

TEMPLE-RASTON: Would it blow it up?

LIPOVSKY: Maybe.

TEMPLE-RASTON: Wow.

LIPOVSKY: Who knows?

TEMPLE-RASTON: Imagine what that kind of attack could do in the early stages of a
full-scale war. Even that day, the day the attack was supposed to happen, imagine the
scenes outside.

People would start to drive home and the traffic lights would go out. They’d hop on trains
that would stop in their tracks. Shops would close. Even under the best of circumstances, it
would be frightening, which was exactly the intention.

(MUSIC)

TEMPLE-RASTON: Victor sees it as a digital component of Russia’s conventional war, to keep
the Ukrainian people on the back foot.

ZHORA: We consider this to be a kind of supportive operation to a lot of conventional
operations that happen each day focusing completely on civilian infrastructure.

TEMPLE-RASTON: Focusing completely on civilian infrastructure, the very kind of attack that
keeps cyber security officials up at night. We’ll never know if that was the hackers’ exact
intention because the Russian attackers neglected to take into account one very important
thing.

A kind of TGIF thing.

ZHORA: Friday is a short working day so most people end their work at 5 p.m. or even 4 p.m.

TEMPLE-RASTON: Never underestimate just how badly people want to leave work on a
Friday. At 5:58 on a Friday evening, when the attack was supposed to start, most of the
workstations at the utility were off.

So there were no hard drives powered up that the malware could wipe clean. Robert
said the attack never got a chance to start.

TEMPLE-RASTON: Had they planned to do this right after lunch on a Friday, what would've
happened?

LIPOVSKY: Speculating?

TEMPLE-RASTON: Yes.

LIPOVSKY: The wipers might have had better success.

TEMPLE-RASTON: So worst case scenario, everything works the way they want it to, what
could have happened?

LIPOVSKY: Well, there would be a blackout, and a blackout that would affect a lot of people.
So the electrical distribution company, the oblenergos, serves electricity in a region with 2
million people at a time of a raging war.

TEMPLE-RASTON: One of the lessons here: Sometimes it is better to be lucky, than good.
And another: We just got a little bit closer to realizing one of those scary infrastructure
attacks.

ZHORA: All of Ukrainians are grateful to people who continue to weaken our adversary.

(MUSIC)

TEMPLE-RASTON: When we come back, we meet someone else fighting Russian hackers in
cyberspace, a high-ranking member of the IT Army of Ukraine.

You may have heard of them: they are a volunteer hacking force made up of literally
hundreds of thousands of IT professionals from all corners of the world.

IT ADMIN: If we talk about Russian IT forces, if I can say so, they are not as sufficient and
massive as ours.

TEMPLE-RASTON: Stay with us.

(BREAK)

TEMPLE-RASTON: What’s the best way to refer to you?

IT ADMIN: Uh, you can refer to me as IT Army Admin if that’s okay. Admin for short.

TEMPLE-RASTON: Okay (Laughs)

ADMIN: Because my circumstances didn’t change from the last time we spoke.

TEMPLE-RASTON: We last spoke to Admin back in March. And his circumstances, and the
reason we agreed not to use his name, have to do with where he’s living. He’s in Kyiv.

(AIR RAID SIRENS)

TEMPLE-RASTON: When we last checked in with him, he used to have to take his parents
into the basement during rocket attacks. They’ve moved, so he doesn’t have to do that any
more.

ADMIN: One of the reasons why it's that we are not living in an important area of a town. So
there are not, uh, much targets to attack.

TEMPLE-RASTON: And he says there have been big changes for the IT Army in the past six
months, too. They’ve become much more professional. And organized.

ADMIN: At the start we faced a few problems with the trust, with dependability on each
other. Right now I'm ready to say that we became like, uh, a hub for digital resistance here
in Ukraine.

TEMPLE-RASTON: A hub for digital resistance, he says. They are organizing hundreds of
thousands of people who want to help Ukraine keep Russia busy on the cyber front.

ADMIN: We connected more than a few groups together, many talented people to help us
build tools, to manage our activity, to search for new targets. We became much, uh, bigger,
much better.

TEMPLE-RASTON: People all over the world wanted to volunteer, which the IT Army
welcomed. But it was hard to tell who was friend or who was foe. They knew that Russian
agents were trying to infiltrate the group.

ADMIN: The problem of trust that we faced at the start of the war, it still haunts us. It's, uh,
kind of hard to share some crucial information with the people you don't trust.

TEMPLE-RASTON: So they set up systems to assess the volunteers and protect against
infiltration and sabotage. They have silos of information. Things are on a need-to-know basis
now.

The group has a weekly meeting and special channels only its leadership can access. They
have a special committee that does targeting and they send that up the chain. They try to
limit their interaction to when big decisions need to be made.

ADMIN: If someone has a question, we don't really, like, put on a big call for it; we can
discuss it fast enough with the team.

TEMPLE-RASTON: With these systems in place, they were able to take in and work with
volunteers from Poland, the United States, the hacker collective Anonymous — people from
all over the world.

TEMPLE-RASTON: So how big are you now?

ADMIN: it's usually better to be quiet about the numbers.

TEMPLE-RASTON: Can you give me an idea of how much bigger you are than six months
ago?

ADMIN: I believe, uh, I will not, uh, exaggerate if I tell you that. Yeah, we are doubled in size.

TEMPLE-RASTON: Wow. From all over the world?

ADMIN: Yes. We still have more users from Ukraine because it's our war, it's our problem.
But it's always nice to see people joining from, uh, other sides of the world, cheering for us,
trying to do their best to help.

TEMPLE-RASTON: And using Telegram and other chat channels, the IT army's hundreds of
thousands of members have managed to do some really amazing things. Like a denial of
service attack that delayed President Vladimir Putin’s opening speech at Russia’s equivalent
of Davos.

Hackers helping the IT army stole 20 million Russian cell numbers to build a website that
allows people to message Russians directly to tell them the truth about the war. Others
created a system that allows people to log and report Russian troop movements.

And while the attack on Russia’s Davos was just a simple denial of service operation, it did
what it needed to do: It embarrassed Putin. It told the world everything isn’t just fine. Things
aren’t normal.

And that’s the IT Army’s MO. It doesn’t launch big, complicated attacks. It is behind lots of
little irritating ones. And, Admin told us, about two dozen key people help make decisions
about that.

ADMIN: I can't count the number of people who are busy with executing tasks, but on a
higher level, I mean, if we're talking about decision makers, it's around 25. Something
like, uh, general leaders, if I can say.

TEMPLE-RASTON: So all Ukrainian?

ADMIN: Yes.

TEMPLE-RASTON: So the control of the IT army is in the hands of Ukrainian professionals?

ADMIN: Yes.

TEMPLE-RASTON: Everyone seems to agree that the IT army's antics have kept Russian
hackers so busy defending the motherland, it has cut back on the time they have to attack
Ukrainian networks.

In fact, the head of Britain’s signals intelligence service, GCHQ, recently tipped his hat to the
IT army, saying they were an important part of the most effective cyber defense in history.
Just as Ukraine surprised the world by holding off Russia on the ground, its cyber forces are
punching above their weight in cyberspace too.

ADMIN: I, uh, believe that, uh, we will be victorious, uh, that we will take back all our lands,
all the other territories that we lost. But I'm not sure that it'll happen by the end of the year,
because from what I can see, uh, what I, uh, heard from other people, Russia is solely
preparing for a long-term war.

(MUSIC)

TEMPLE-RASTON: This is Click Here.

(B SEGMENT MUSIC)

TEMPLE-RASTON: Stanford’s Internet Observatory and the online analytics company
Graphika just released a new report on influence operations. They analyzed a bunch of fake
accounts — trying to understand how they targeted specific audiences to push political
messages or change their minds about things.

Russia did that during our election season. China and Iran target U.S. audiences, too.

But what made this new report different was that it studied influence operations that
seemed to originate in the West.

Producer Will Jarvis has the story.

WILL JARVIS: Influence operations have certain set pieces, no matter who is behind them.

SHELBY GROSSMAN: fake sock puppet persona accounts, pretending to be citizens of
various countries, creating front media outlets, using AI-generated images as profile
photos.

JARVIS: Shelby Grossman is a researcher with Stanford’s Internet Observatory, and is
co-author of a new report called “Unheard Voice.” It’s an analysis of thousands of
overlapping accounts that Twitter and Meta had removed for supposed inauthentic
behavior.

What makes this different is that this wasn’t just another Russian influence operation. This
one was pushing pro-Western themes.

JACK STUBBS: Twitter said that they believed it originated in the U.S. and Great Britain. And
Facebook said they believed it originated in the United States.

JARVIS: That’s Jack Stubbs, vice president of intelligence at Graphika who worked with
Grossman on the report. He said they can’t attribute these operations to a specific
government, but the narratives were clearly favorable to the U.S.

For example, some posts created the impression that there was widespread grassroots
support for USAID programs in Iraq. Others focused on playful interactions between US
soldiers and children in Syria.

So not exactly subtle. And as a general matter the accounts seemed to accentuate things
that made Russia or Iran or China look bad.

GROSSMAN: So for example, there was lots of content targeting people in lots of different
countries about Russia's invasion of Ukraine in February.

JARVIS: If you were sitting in Central Asia, you might see a post suggesting that YOU could
be in Russian crosshairs next. The problem with these kinds of influence campaigns, aside
from their ham-handedness, is that it is really hard to tell if they are successful.

If the metric is engagement, well…

GROSSMAN: It was just kind of funny because, you know, the tweets are getting no
engagement, but they're just kind of continuing with the same strategy over and over and
over again, like for hundreds and hundreds of tweets.

JARVIS: They posted at regular intervals, and they said the same thing over and over again.

STUBBS: It was just bad social media content.

JARVIS: So what did they learn from all this? Something they already kind of knew: that if
online personas don’t feel authentic, they don’t get much traction. It doesn’t matter if they
come from authoritarian regimes or pro-Western bots.

But, there was one success story. It was last June, and one of these fake Facebook groups
re-posted a video from a verified news outlet.

(NEWS VIDEO)

JARVIS: A reporter is in a field, surrounded by melons. He’s interviewing a man who found a
new way to water his land.

GROSSMAN: I think it was an Uzbek farmer who was growing fruits in the desert.

JARVIS: It got hundreds of thousands of views on Facebook. It was their great viral moment.
Except for one thing…

It had nothing to do with politics.

I’m Will Jarvis and this is Click Here.

(HEADLINES MUSIC)

TEMPLE-RASTON: Here are some of the top cyber and intelligence stories from the past
week.

An Iranian hacker group called MuddyWater has been allegedly exploiting the Log4j
vulnerability to access corporate networks in Israel, according to new Microsoft research.
Log4j is a popular library for logging in Java applications. Just about every organization that
uses Java uses Log4j.
According to Microsoft, the hackers found vulnerabilities in a popular IT management
software called SysAid. Lots of Israeli organizations use it. And this isn’t a random hack.
According to U.S. Cyber Command, MuddyWater has been linked to the Iranian Ministry of
Intelligence and Security.

Turkish-speaking hackers are using free software downloading sites to spread
crypto-mining malware, according to new research by CheckPoint. It said it discovered the
campaign at the end of July and the ploy may have infected thousands of devices across 11
countries. The group has been offering imitations of PC applications like Google Translate
and then slipping their malware in that way. Once installed the malware forces a device to
verify cryptocurrency transactions.

And finally, the Federal Trade Commission filed a lawsuit this week against Kochava, a
major data broker. The FTC alleges that the company is selling geolocation data from
hundreds of millions of mobile devices to reveal potentially sensitive information. It sells,
among other things, geolocation data associated with unique marketing IDs, which can
reveal whether the person has visited sensitive locations like a place of worship or someone
who might be providing reproductive services. Such data can also be relatively easily tied
back to an individual.

And for those of you who listened to the bitter end… thank you…

We have a little audio postcard from you…from Alex, who is living in Kyiv.

He recorded this on Ukraine’s independence day, August 24, a day that also marked the
six-month anniversary of Russia’s invasion.

ALEX: My name is Alex, and at the moment, I live in Kyiv. It’s not like the usual holiday. It's
totally different. Today is exactly six months of war. So when you spend six months in this,
it’s like you’re getting used to it.

Rockets can strike any place in Ukraine. So there is no safe place for Ukrainians. Right now I
started to think more about the future, and right now I’m trying to be useful. It’s hard. It’s
really hard to not do anything. But there is, like, 1,000 ways you can help.

I want to say that the Ukrainian nation is born again. I’m really proud to be Ukrainian. Really
proud to be Ukrainian today and gonna be proud till the end of my days and hope we will
win soon.

Thank you guys for telling my story and the story of the Ukrainian people.
