How a Secret U.S. Government Plan to Disable Iran’s Nuclear Capability Created the World’s Deadliest Cyberweapon
In 2009, as revealed in Andy Greenberg’s detailed and harrowing Sandworm, George W. Bush took aside a newly elected Barack Obama and filled him in on the U.S. government’s secret plan to prevent an increasingly nuclear-hungry Iran from enriching uranium. The plan involved the U.S.’s creation of a malicious cyber weapon called Stuxnet which, once it had infiltrated Iran’s nuclear program, would destroy its centrifuges.
On its surface, the plan worked like a charm. Expanded during President Obama’s tenure, Stuxnet destroyed many of the thousands of centrifuges in Iran’s underground nuclear facility at Natanz. News filtered back to the States of Iranian scientists infighting over these mysterious malfunctions, which was no doubt greeted by high-fives all around. We’d prevented a country hostile to our own from gaining a nuclear weapon—at least for the moment—and we’d done it without the use of a single soldier. Mission accomplished.
Unfortunately, this victory came at the price of escalating cyberwar from mere website disruptions to real-world physical destruction. According to Greenberg in Sandworm, “Stuxnet had propagated far beyond its Natanz target to infect computers in more than a hundred countries across the world.” This meant thousands of copies of the malware were now “out there.” Of course, U.S. engineers had thought of this. They’d created Stuxnet to deliver its payload only at Natanz—no threat of it harming other systems. What these engineers seemed to miss is that Stuxnet was now available for other hackers to learn from and exploit. The genie was out of the bottle.
Greenberg recounts the dissemination of many other individual pieces of malware that would go on to serve as the foundation of the international hacker’s toolbox. For example, in 2011 Frenchman Benjamin Delpy uncovered a security issue with Windows and alerted Microsoft to his findings. When the company refused to act on his discovery, Delpy decided to write code to demonstrate the vulnerability. He named the resulting malware Mimikatz, and its creation led to his being strong-armed into making his source code publicly available.
By 2017, a mysterious group of almost certainly state-sponsored Russian hackers would use Mimikatz as an important element of their malware NotPetya to shut down electrical systems, hamstring shipping ports, and disrupt hospitals. NotPetya brought many international companies, such as Maersk, to virtual standstills, and the disruptions caused billions in corporate damage. In Sandworm, Greenberg says that one CTO described Mimikatz as “the AK-47 of cybersecurity.”
I believe Delpy when he admits, in Sandworm, to feeling “very, very bad” about the first time Mimikatz was used by others as a tool of destruction, but his subsequent continuance of the methods that brought Mimikatz to the world does not reflect this feeling. Instead of running from his mistake, he’s running to it, adding new features to the malware to continue to challenge Windows’s security issues. This strikes me as both a practical necessity in the modern cyber world and a kind of folly. I couldn’t help but think of J. Robert Oppenheimer, one of the fathers of nuclear weapons, and his important subsequent role in securing the international control of nuclear power. Short of not inventing a weapon of mass destruction in the first place, it seems the most we could’ve asked of Oppenheimer. One can only hope Delpy might ask the same of himself.
Thankfully, a malware travesty leading to a death toll hasn’t happened. Even Greenberg struggles to link cyberattacks to actual casualties. Still, he takes pains to clarify the vulnerability of our essential systems—power companies, water suppliers, food providers—to these attacks. Creating malware for an arguable good is somewhat similar to driving one’s car while ignoring incontrovertible evidence of that activity’s effects on climate change. It’s coming, but hopefully not today. We have to get to work.
If and when the cyber Big One detonates, the hackers responsible probably will have cut their teeth on Stuxnet and Mimikatz.
(Doubleday, November 5, 2019)