
About the Author

Includes the name: By (author) Andy Greenberg

Common Knowledge

Birthdate: 20th Century
Gender: male
Nationality: USA
Associated Place (for map): USA

Reviews

30 reviews
Andy Greenberg has done some serious legwork tracking down knowledgeable people around the world for interviews, even attending a hacker conference in Moscow and bravely asking strangers "Do you hack for Putin?" (he didn't get many straight answers). There have been so many hacking attacks, and the trail of who did it is so opaque, that it is very confusing. Nevertheless, Greenberg and the Western intelligence community have narrowed in on Russia as the world's primary state-sponsored hacking organization, responsible for most of the big hacking incidents in the past 10 years or so, including one that did at least 40 billion in damages, the largest hacking incident to date. Specifically, the FBI indicted two GRU units known as Unit 26165 and Unit 74455 working from Moscow.

Why does Russia do it? Russia is a relatively small country with a GDP comparable to Canada's, yet it feels embattled and surrounded by powerful countries. It uses tactics similar to terrorism in an asymmetrical manner. By destabilizing and keeping its powerful enemies off-balance and guessing, it can slow or halt perceived attempts to usurp those currently in power in Russia. Thus the cyber attacks are only one part of a larger strategy to sow chaos in the West. Unfortunately, Russia has set the stage for other countries, who fear being left behind, to follow; there are now at least a dozen countries working along similar lines, beyond the usual suspects like China, North Korea and Iran. This does not include the terrorism of scammers calling our homes and elderly parents, or sending spam emails. We live in an increasingly dangerous world, but that is what terrorism seeks to achieve: to erode trust in governments. Greenberg ends with a story of a high-level security expert who doesn't own a smartphone, TV or radio - he seeks to reduce his exposure to technology as a means of protection, and resilience.
I listened to this book in a day and a half, it was that engaging. Starting with money-laundering crypto-crime, Greenberg spends most of the book on the AlphaBay dark web drug marketplace, and the take-down of its founder in Thailand. His profiles of the bad guys and the good guys bring them all to life (this is a mini-series begging to happen) in a way that's hard to put down.

Once that's done, Greenberg moves on to the grimmest part of the story, the use of crypto to fund the global market for child abuse videos. He concludes with more recent efforts to circumvent the discoverability of crypto sources with ever-more-creative new models, and the always-accelerating efforts of law enforcement to stay one step ahead of crime.

Absolutely fascinating.
I swear this book reads more like a spy novel than accurate events surrounding the tracking down and arrest of cryptocurrency crooks. One of the attractions of Bitcoin and other cryptocurrencies was their supposed impenetrability to law enforcement. But as with anything digital, there's always a way, and this is also a story of how clever researchers and cops discovered ways to track transactions by using the very device, the blockchain, that was supposed to guarantee both anonymity and security.

But a more basic and skeptical thought immediately struck Gambaryan about this new form of currency. "Participants can be anonymous," he had read. But if this blockchain truly recorded every transaction in the entire Bitcoin economy, then it sounded like the precise opposite of anonymity: a trail of bread crumbs left behind by every single payment. A forensic accountant's dream... Gambaryan had always had his doubts about Bitcoin's untraceability. From the very first time he'd read about Bitcoin, back in 2010, his accountant's brain had wondered how it could truly provide anonymity when the records of every transaction were shared with so many thousands of machines around the world—even if those transactions were to addresses rather than names.

The blockchain is a form of public ledger that is duplicated across millions of computers and involves solving a mathematical algorithm that requires increasing amounts of computer power. Because it is public and always duplicated, it’s trusted, but it also provides an enormous amount of data for analysis.

When someone moves a sum of bitcoins, their wallet software broadcasts the transaction over the internet to Bitcoin’s network of “nodes,” the thousands of servers around the world that store copies of the blockchain. Whichever node first receives the announcement of the new transaction then passes it on to other nodes, which in turn broadcast it out further, so that the record of the payment is confirmed and copied into the blockchain’s global ledger of all transactions. The system is a bit like a crowd of people who each whisper a rumor to their immediate neighbors, so that the information spreads virally through the crowd in ripples—but at digital speeds designed to inform the entire network in minutes or even seconds.

Some of the agencies involved in the hunt are unknown to the vast majority of people. The IRS-CI, for example, an arm of the IRS had some very sophisticated analysts who loved the challenge of breaking the unbreakable and beating a new cipher.

"Every Bitcoin user has access to the public Bitcoin blockchain and can see every Bitcoin address and its respective transfers. Due to this publicity, it is possible to determine the identities of Bitcoin address owners by analyzing the blockchain," the ruling read. "There is no intrusion into a constitutionally protected area because there is no constitutional privacy interest in the information on the blockchain. The HSI agent wasn't caught in the Welcome to Video dragnet because IRS agents had violated his privacy. He was caught, the judges concluded, because he had mistakenly believed his Bitcoin transactions to have ever been private in the first place."

As the Berkeley researcher Nick Weaver had warned, and as cryptocurrency users around the world were finally learning, "The blockchain is forever."

Very interesting book that should cause those wanting to transact criminally in cryptocurrency to tremble.

Note that Tigran Gambaryan, one of the principal IRS investigators working on tracing bitcoin blockchain transactions, has been imprisoned in Nigeria. "Gambaryan was detained alongside a colleague in mid-March on the grounds that Binance had devalued the country's fiat currency and enabled the 'illicit' transfer of funds. While his colleague was able to escape, Gambaryan remains imprisoned on financial crimes charges—even as a growing number of US lawmakers pressure the Biden administration to facilitate his release." Wired Magazine
Greenberg writes for WIRED magazine and is a specialist in cyber security and privacy issues. This book is an extremely readable account of a Russian hacker group nicknamed Sandworm that succeeded in shutting down a substantial amount of infrastructure throughout the world but was aimed primarily at Ukraine. The attacks targeted every aspect of Ukrainian society: government servers, media organizations, transportation hubs. Ukrainian cyber experts could only watch as systems began to crash all around them. Public websites, trains, banking systems and ATMs were disrupted. Finally, the electricity grid collapsed, plunging hundreds of thousands of Ukrainians into darkness.

Having read several articles and books on Stuxnet, the successful destruction of Iranian nuclear centrifuges by the U.S. and Israel, I was anxious to read Greenberg's book. "Zero Day" security flaws are software holes that have never been used before so their vulnerability has yet to be discovered or fixed. Knowledge of these is precious to those wishing to penetrate systems. The Sandworm group (the name came from a Frank Herbert novel, Dune) has access to several and used them to great effect. The group went to great lengths to disguise themselves and hide. To Greenberg's credit he is able to explain how experts deciphered what group was responsible and he does it in language free of technical jargon.

Just a few months ago, a Netherlands researcher wanted to come to the U.S. to present a paper on the vulnerability of the industrial control system. There are almost 30,000 of these devices (programmable logic controllers) that control everything from wastewater plants to the electrical grid. The researcher, thanks to America's arcane and silly visa system, was not admitted and so unable to present these important findings. Fortunately he was able to post them to his blog. Whether that resulted in a wider dissemination of the information than had he delivered his talk is academic, perhaps. **

Researcher Wojciech used standard OSINT techniques (the CIA has identified five main OSINT fields: Internet, media, geolocation, conferences, and online pictures) to analyze the exposed ICS devices. Many of these are used in critical infrastructure, which would include dams, the electrical grid, reactors, health treatment facilities, etc. Critical infrastructure information developed by OSINT can be used not just by espionage agencies, but also by criminal elements who may seek to gain monetary advantage by holding these devices hostage. OSINT techniques are passive, in that the target remains completely unaware it is being surveilled. Access may be gained by open ports, IP addresses, knowledge of details of the specific devices and how they work -- all freely available online and elsewhere -- and even responses from the device itself.

Here's an example of device information that's available that even includes the phone number:
There are several programs that permit searching the internet for active ICS devices (https://www.shodan.io, for example). The author lays out precisely how to go about searching. Many of these devices have open management ports that are convenient for technicians to access the devices remotely for maintenance. That, however, makes them extremely vulnerable to malicious actors. General contractors with government contracts are particularly vulnerable, as they have a history of being more open and thus more vulnerable.

That hackers can cause innumerable problems has already been shown in Ukraine, Estonia, and Georgia where the Russians devastated each country's infrastructure. Andy Greenberg in Sandworm documents what happened in several cases. In Ukraine access to the banking system was eliminated.

It took forty-five seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub…was fully infected in sixteen seconds. Ukrenergo, the energy company…had also been struck yet again…the effect was like a vandal who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack.

Ukraine became a testing ground for Russian hacking. Disinformation to spread distrust in the election and tampering with the infrastructure were simply test runs for their successful attacks on United States electoral trust in 2016 and 2020. Ukraine had taken the brunt of Russian abuse for centuries and Greenberg's short history of those onslaughts was suitably horrifying. (See also Anne Applebaum's Red Famine: Stalin's War on Ukraine to understand why Ukraine at first welcomed the Nazis.)

US officials, typically heads in the sand, refused to admit something similar could happen in the U.S. yet we now know that Russian hackers infiltrated the U.S. election system and may well have manipulated the outcome in a variety of unorthodox ways. In 2016, Iranian hackers attacked several US banks causing millions in damages and shut down a dam presumably in retaliation for the Stuxnet attack. The attacks themselves were quite unsophisticated, mostly DDoS attacks that even the most unsophisticated hacker can pull off.

There is software (malware, really) that has been designed for specific purposes; Stuxnet is but one example. Another, discovered by the security firm Dragos, was CrashOverride***, only the fourth example of malware designed to attack and manipulate the controllers in electrical grids. "The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages."

Greenberg shows that a variety of software is available, even for sale, that permits relatively easy access for anyone, but can also be used to hide the origin of the attacker. To make matters worse, Greenberg wrote in Wired (https://www.wired.com/story/plundervolt-intel-chips-sgx-hack/) of researchers who had managed to access and control Intel processors (a vulnerability that has since been fixed) by manipulating the internal voltage of the processor. You can induce faults by lowering or changing the voltage and once you can do that you can change the output by manipulating the faults. The technique, called Plundervolt, was discovered concurrently by a researcher in Beijing. (Take from that what you will.)

In his book, Greenberg focuses on Sandworm, a group of hackers and software named after the malicious creature in Dune (cyberanalysts had discovered that preference while doing research on the code - don't ask me how.) They determined there was evidence that Sandworm had been infiltrating critical infrastructure—some of it in the United States—since 2011 and had already developed a weapon that could knock it out. When it was used against Ukraine, it had evolved even further.

The hackers had, in other words, created an automated cyberweapon that performed the same task they’d carried out the year before, but now with inhuman speed. Instead of manually clicking through circuit breakers with phantom hands, they’d created a piece of malware that carried out that attack with cruel, machine-quick efficiency.

PowerPoint users need to take note that the program has become so large, and now includes so many useless features, that it has almost become its own programming language. The Sandworm group utilized the ability to place objects and run programs within slides to place malware within the user's computer that would download or run other programs unbeknownst to the user.

They managed to fix the system in about an hour, but the point was made. Another group calling themselves ShadowBrokers made off with a whole set of penetration tools developed by the NSA and turned them loose in the wild, where virtually anyone with a modicum of knowledge can make use of them. Shadow Brokers caused immense harm when they released EternalBlue, malware that spread faster than anything anyone had seen before. Within minutes it had disabled pharmaceutical companies, and Maersk, the huge shipping company, was brought to its knees.

"'For days to come, one of the world's most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken,' Greenberg writes of the attack on Maersk, calling it 'a clusterfuck of clusterfucks.' The company was only able to get its ships and ports back in operation after nearly two weeks and hundreds of millions of dollars in losses, when an office in Ghana was found to have the single computer that hadn't been connected to the Internet at the time of the attack." ****

I've been reading a lot of books and articles on the potential for cyberwarfare. The potential is there for even non-state actors to operate in the shadows and do tremendous harm. Then again shutting down most of our industry might solve the global warming worst case scenarios. One apocalypse preventing another.

**https://www.icscybersecurityconference.com/intelligence-gathering-on-u-s-critical-infrastructure/

***For a review of CrashOverride designed to attack electricity grids, see https://dragos.com/wp-content/uploads/CrashOverride-01.pdf

****https://www.i-cio.com/management/insight/item/maersk-springing-back-from-a-catastrophic-cyber-attack Note that this source places the lone surviving Domain Controller in Nigeria rather than the more commonly accepted Ghana.

Associated Authors

Perry De La Vega Cover designer

Statistics

Works: 7
Members: 1,075
Popularity: #23,918
Rating: 4.1
Reviews: 29
ISBNs: 25
Languages: 3
Favorited: 1