
Andy Greenberg, "Sandworm". C-SPAN, February 10, 2020, 7:00am-8:01am EST

7:00 am
7:01 am
It will tell you what is coming up for the next six weeks. A quick reminder to please put cell phones on silent. We really appreciate that. So the LA Times says our feature book for the evening, "Sandworm," is much more than a true-life technothriller. But the events around multiple techs. What motivates the Sandworm hackers.
7:02 am
What lessons have we learned. When we read the subtitle, "A New Era of Cyber War," you may think you are picking up the latest Tom Clancy novel. Andy Greenberg spent three years reporting on the story. I happened to look up "sandworm" out of curiosity on the internet, and what came up is a fictional creature that appears in the Dune novels. I'm curious to hear where this came from. The author of This Machine Kills Secrets.
7:03 am
He lives in Brooklyn, New York. We are so honored tonight. Artificial intelligence, and he writes for the Wall Street Journal. Thank you so much for having us here. It's really wonderful to be in a full-service bookstore with a great room to talk in. With the first book, This Machine, I wrote about it.
7:04 am
That story is going to say Julian Assange. It's a really fascinating book. The enabling technologies that allow WikiLeaks to happen. This leaking thing, I don't know if it's going to catch on. It was kind of a low. I think the WikiLeaks thing was overblown. And then the next year. This is what I had written a book about. I think they just kept coming.
7:05 am
We had raised the generation of post-millennials. They have it in their DNA to do leaking. We are one of the big stories in the news right now. There is an anonymous whistleblower. It really took off. I just wondered if you kind of thought and connected that. If that is something about technology. Did they build a new sort of sentiment around leaking. The idea of the book, I did not expect to be talking about this book today. It was about mega-leaks. The ability to be leaking that amount of data digitally. That has happened.
7:06 am
They have a drawer for all of the leaks that I wrote about in that book. I was trying to show it. We are in this new era of very liquid information. We talk about this. Not every major newspaper has the same kind of protected inbox for leaks. The Wall Street Journal has one of those. They came to pass. I don't know if the book was too early because it came
7:07 am
after WikiLeaks. I hope this book has better timing. I hope you're wrong about that, because this book is terrifying. It puts the risks of cyber warfare in a context. If these kinds of things could come to pass ten years ago, I would probably laugh at you. I thought cyber warfare was just a fancy word for espionage. It is the uranium enrichment facilities. It really captures the whole context of this.
7:08 am
The first question I should start with is the name "Sandworm." Tell us about how your book came to be called "Sandworm." >> After all of the 2016 elections. They were ... with this as anyone. I, like you, was like when they were there. I was kind of resistant to this idea. They leaked all of that online. It seemed like digital dirty politics, not cyber war. I went looking for what could be a real cyber story. My colleague had written these
7:09 am
stories. It happened in Ukraine. I looked more deeply at Ukraine and started talking to sources who were familiar with what was happening in Ukraine. As for the bigger context, in 2014 they had had this pro-Western revolution. Russia had responded by invading. That had been accompanied by wave after wave of cyber attack. In fact, a whole series of them. They had tried to spoof the results of the Ukrainian election in 2014 before they tried to mess with our election. The media and government agencies and private industry, destroying hundreds of intruders in some cases.
7:10 am
Finally, the first blackout had been the culmination of that attack. The first time that has ever happened anywhere in the world. There was a second blackout in Ukraine, this time in the capital of Kiev. I could see that I wasn't too late to the story. It was a real cyber war. It had all of those criteria: this is an actual nation-state hacker group that seems to be launching disruptive attacks in the midst of a physical war. I became kind of, who were these Russian hackers who were responsible for this.
7:11 am
iSight Partners had discovered these hackers, who seemed to be Russian, in 2014. The group appeared to be Russian because they had actually left one of their servers open and unprotected. They had found on that server: they controlled the malware that they were planting. It seemed like they were doing pretty typical espionage stuff; some other targets did not look like espionage. Some of them were even in the United States, and those American grid targets, in fact, this group would use in 2015 and '16 the first step of their
7:12 am
blackout attack. The reason they became called Sandworm: each of those victims of the first round of attack was identified in a little snippet of the code, and each of those references was a little name from the science fiction novel Dune. It features these monsters called sandworms. To me it was the incredibly appropriate name. Only occasionally surfaces to do these terrible, destructive things. It's hard to imagine.
7:13 am
They were using that same server to control infections of this malware called BlackEnergy. That's what tied all of these attacks together and showed who the victims were in that first 2014 campaign. That was really just the first hint of what they were trying to do. We have heard about cyber attacks on the grid for years, when they were not having a cyber event. How did you approach the story from the start. By then it had been a year since the very first
7:14 am
blackout. They eventually became the central characters in the book. And the mechanism of the first blackout attack was so interesting. It started with the typical Word document in a phishing e-mail that has a malicious part of it that takes over your computer, to move into the other part of the grid network, that is, the part that actually controls the equipment. They took control of the circuit breakers. They hijacked the remote desktop software, which meant
7:15 am
their poor grid operators watched as the mouse just started moving of its own accord. They could not control it, and it clicked through all of the circuit breakers on their screen. There was nothing they could do about it. It was so symptomatic. I was very drawn to this hacker group. We published that. It was something that I had heard about.
7:16 am
You write lots of interesting stories. This is an interesting story. At what point did you feel like this was an immediate enough topic for this book. I eventually delivered. In early 2017 I had gone to Ukraine and had talked to everyone there about how they saw what was happening, as this one group of hackers, which would become known as Sandworm, carried out the escalating attacks against them. The thesis of that story: we need to pay attention to Ukraine, because they are already at war with Ukraine. They are using Ukraine as a test lab.
7:17 am
If we look at Ukraine, we can see the future of cyber war. And bizarrely, the issue of the magazine hit the newsstands. It was the day that that piece of malware was released by the hackers. It spread to the rest of the world. It became the worst cyber attack in history. They took down the networks of the companies. You don't really want the prediction you make to come true. That is essentially what happens. They were making this argument that Ukraine was the canary in
7:18 am
the coal mine. When that happened, this is a book. It took a little bit of a while. It is said to define Sandworm. It was the piece of malware, a worm that spreads from computer to computer automatically. It was a dangerous thing. They had spread it to the entire internet. It looked like a ransomware worm. A piece of malware encrypts your computer and then demands a certain ransom. They demanded $300 in bitcoin.
7:19 am
It looks initially like a familiar piece of ransomware. Even when you pay the $300 you can get your computer back. It was a destructive worm pretending to be ransomware. It was an attack that hit Ukraine and destroyed the networks of 300 companies, pretty much every government agency, multiple airports. In Ukraine it was truly like a kind of carpet bombing. It also immediately spread to the rest of the world. It wasn't clear how serious it
7:20 am
was. They reported to their shareholders $300 million in damage. The ransomware attack cost about $20 million ultimately. They lost $870 million. I could see that this was quickly turning out to have been the worst attack in history, but none of these companies would talk about their experience. It was becoming clear that it was something unusual. It took a couple of months to see the full scale of it. We could very quickly see the forensic links between those
7:21 am
earlier Sandworm attacks. It had turned off the lights to the citizens in Ukraine. There was an arc to the story, a kind of building and a climax. That was the bigger story, and that's when I began to work on it as a book. It was designed to spread like a worm. It was out of control when it was moving around the world and spread in Russia. With these two attacks that are linked, they are linked to Russian intelligence, and one of them is causing widespread damage around the world, including taking out companies in Russia. We tried to puzzle out, to figure out what it was intended to do.
7:22 am
Piggybacking on the software that it updates. Anybody that wanted to file taxes had to have this piece of accounting software, kind of like the TurboTax of Ukraine. That was a method that was used and targeted at Ukraine. It hit everyone else who did business with Ukraine. Sandworm, in this kind of way that I have come to associate with this Russian military agency, it was just an insanely reckless and brazen attack that was a shoot-first-and-ask-questions-later attempt to destroy the internet without really considering the collateral damage that hit Russia. I spent six or nine months of this reporting really delving
7:23 am
into the experience of the multinational companies, to try to capture what it looks like when an entire global conglomerate was offline like that. One of my favorite parts of the book is you have ports around the world. Vegetables are rotting, and material, the global transit system is basically frozen by this ransomware. They almost lost everything with the domain controllers. That was the beginning of the story, and it really starts in their headquarters in Copenhagen, and they never officially returned my calls. This is the frustrating thing, that none of the massive companies that were decimated
7:24 am
by this would talk officially about what had happened to them, the fact that it was Russia that did it. It took back channels, investigative reporting, to tell the stories. It starts with a staffer who told me that his screen went black in the headquarters of this massive shipping conglomerate, and he looks up and sees there is a wave of black screens going across the room in the office, every screen. It shows this ransom message. They're yelling for everyone to turn off their computers, going into the middle of meetings, jumping over turnstiles to get to the other sides of the
7:25 am
building. They had already been locked and paralyzed by this malware. It's not just an IT company. They control a fifth of the world's global shipping community. Seventy-six terminals and ports around the world where the shipping containers, the size of the Empire State Building, arrived carrying another worth of cargo. Suddenly they were just brain-dead and couldn't figure out what was on the ships. They did not know how to unload them. The gates, he said, outside of the terminals, 17 terminals ultimately, the gates were paralyzed, so the trucks were just lining up by the thousands, going miles long, and the trucks can't get in and nobody is telling them where to go. They can't even send them an e-mail to tell them what is happening.
7:26 am
All of the Windows machines in their entire network were down. They have to figure out where to send their containers. They can't figure out where to keep it. It's part of some just-in-time supply chain. This is how you lose $300 million. What I just described is multiplied by 17 ports around the world. Then there is also Merck, the massive pharmaceutical giant that faced a cost that was more than twice as much. Each one of these companies has the disaster story. The mac, was that linked to that translation problem that they were having with the
7:27 am
voice translation software. The speech-to-text. This is part of the area that cannot be quantified. They hit hospitals across the United States. It directly affected a few hospitals and shut down all of their computers, but much more common was the experience where a hospital used this one piece of speech-to-text recognition software. It allows doctors and nurses to read changes into a medical record and have them automatically updated from an audio file. And Nuance was taken down and lost $92 million, which is not that big in the scheme of things, but the bigger cost is that Nuance failed in a silent way, so that all of the hospitals, and one executive
7:28 am
told me she was on a conference call at one point where hundreds of people were trying to get answers from Nuance. Hundreds of hospitals had doctors who were reading changes into Nuance software. These are like procedures to be followed before surgery. >> These are all kinds of updates, any kind of minutiae. I guess they can include a test that is necessary before surgery. I spoke to one IT emergency administrator, and she told me about a week after, these hospitals had millions of changes missing, millions of changes. This IT administrator was
7:29 am
approached by a panicked nurse who was saying, we need to transfer the child patient for surgery and we don't know if the child has had the test necessary to clear them for that procedure. They had to hunt down the raw audio file. They had to find the lost audio file. They did it just in time, but this happened three more times over the course of the week, just in the one person's experience. You start to question. I didn't actually confirm that anybody was killed. You do start to question how this could happen without anyone dying. Such a massive scale of
7:30 am
outage. By the way, if anyone has a question, I'm going to come back for questions in just a few minutes. Just think about if you want to ask Andy anything. NotPetya was built on a couple of pieces of software. A Frenchman that you interview. There are two pieces of software that basically were not created to do this type of activity. >> They had three main ingredients, and stories that I tell on the run-up to this kind of armageddon moment. There was the hijacking of the Ukraine software. It would spread with these two intertwined
7:31 am
tools, one of which was a stolen NSA hacking tool that had been stolen and leaked by the very serious group called the Shadow Brokers, who we still have not identified. This is kind of like a skeleton-key hacking tool. They can use that to break into any Windows. For the break-in technique, there were many hundreds of thousands. That was paired with this other kind of freely available demonstration hacking tool. It was an open-source tool. It's a very dangerous component because it was capable of, if it could run on a computer, you can take all of
7:32 am
the passwords that were lingering in the computer's memory. With the two tools intertwined and that kind of initial seeding out, it was given an initial foothold on the network and then spread in an instant, so it saturates thousands, every computer on the network. >> In part you had ten million dollars in damage because of the hacking tool. How much of that is on the NSA. >> This is a big question. It was that hacking tool. It was leaked by the rogue
7:33 am
attackers. They did actually do their best to try to respond to this. It was the neurological problem. A lot of people don't. If you blame NSA for the fact that their tool was taken and misused, if not entirely, exclusively, go on with what the NSA does. There are partners at the other part of that government. They will use the same kind of hacking tools.
7:34 am
only in the most targeted fashion. It is pretty responsible with their use of this, from the fact they kept that hacking tool secret for years before it was stolen and leaked. And it kind of gets to the theme of this book. The U.S. government has, for this entire story, been so much more interested in maintaining the hacking capabilities, in some cases pushing forward, than they are with trying to control Russia or trying to restrain these incredibly dangerous hackers. The arc of the book in some ways is how the U.S. watched the cyber war build and didn't say anything as they turned out the power to hundreds of thousands of Ukrainians.
7:35 am
It should not have been called out as crossing a red line. Even though Ukraine is not NATO, they're not us. We should have, in the U.S., we should have said that is essentially a cyber war crime. What do you think the red line should be. Targeting the critical subsystems. I would say targeting critical infrastructure is probably never okay, and the mass scale where you are turning off the power, it is certainly not okay. But when I put this to both Obama and Trump administration officials, they both made the argument that we want to be able to do that ourselves.
7:36 am
We don't really want to call out Russia. We want to be able to turn out your power in the midst of war. We want to be able to destroy entire networks. But it's so short-sighted, because when we do that, we do tend to actually do it in a pretty restrained and targeted way, but when you fail to call out Russia or try to set the rule that nobody should do it, Sandworm seems to do it in a way that is entirely indiscriminate. They don't even seem to care that much if their own people are hit by a worm. I don't know if you have a lead on how the discussions had been known. If you do, I would be interested in hearing that. The Obama administration tried to set some cyber norms.
7:37 am
They did indict the hackers for hitting the banks with the hacks. The Obama administration's sale. They just continued into what they built with this thing. It did blow up and hit us as well, fulfilling every warning of that kind of Cassandra who is watching the cyber war and trying to warn that this was a dangerous unfolding phenomenon. The Trump administration has
7:38 am
its own blind spots about Russian hackers. So when it hit American soil, they did billions of dollars of damage to the government. It took eight months for the Trump administration to even say anything about it. I still kind of scratch my head about it. You don't go into the Oval Office of President Trump and talk about Russian hackers; it is not a subject. After Sony was hacked, there was a statement from the Department of Justice. I think we explored, and not only did it take the government years, it took until the global
7:39 am
cyber attack for our government to start talking about the cyber war. It took eight months for them to talk about it, for them to say it was Russia. It was the worst cyber attack in history. It actually was a coordinated statement with four other countries and their governments. I have to give credit to some adults in the Trump White House who made this happen. It was the first moment that Sandworm was called out. It was too little and too late. Five or six days before the administration even made that statement, the same agency, likely Sandworm itself, had carried out another destructive cyber attack on the Winter Olympics.
7:40 am
for which they have not been held accountable. The government has still said nothing at all. >> That is also a great story. >> When you start with one. I will repeat it just so we can get it. >> My first exposure to network security was back in 1999 from the kind of people that you heard here. It tended to be from all of the usual suspects. You can think that why people wouldn't want to talk about this. It exposes their weakness, and it's an ongoing war. I would love to hear more about where we are now and not
7:41 am
our particular administration, where our U.S. defense private and public partnerships are, and staying current. Are we falling behind. >> The question is, in the context of these terrible weapons that I've been describing, how do things look for the U.S. Are we falling behind, are we ready for this? It's interesting you started out by saying you saw the attacks constantly. We used to talk about cyber attacks as somebody trying to hack your network. The most common version of that is some sort of espionage. They're trying to break in and steal information.
7:42 am
What I would call a cyber attack now is an effort to destroy computers. I think that is kind of the new world and the escalation that we have seen. Are we protected against the new era? In many ways cyber security has massively improved. They can kind of embrace the hacker community. But the big failing that I'm focused on is that, really, in technical cyber security, which is a terribly endless uphill battle, it's always easier for the attacker. Any kind of setting norms in the geopolitical sense of drawing red lines. >> We haven't done it at all.
7:43 am
The Obama administration kind of started to do that by calling out certain actions by other governments against U.S. targets. We are going to impose new sanctions for the Russian meddling in the election. Those rules kind of break down when you then watch a couple of blackouts be inflicted by the hacker. >> What do you make of the fact that the first nation to create a piece of software that attacks critical systems was the United States. >> That is another way in which the U.S. has pushed forward the cyber war. I sometimes think of it as Lord of the Rings, where everyone is just attracted to the power of this new weapon. They all think they can use it
7:44 am
for something good, to advance what they think is their important agenda. None of the players on the global stage want to constrain the power. In 2009 and 2010 they destroyed the Iranian nuclear enrichment center. It was a new kind of demonstration to the world. You can destroy physical equipment, and that was incredibly powerful. >> It was also spread amongst at least 30,000 computers. Having the software that's not supposed to be there is a potentially reckless move. In some ways that was
7:45 am
definitely a mistake. It allowed them to be discovered, and they have never been identified by the global cyber community. The important thing to point out about that spread is that it did not start spreading around the world and blowing up equipment the way it did the centrifuges. It would sometimes crash a computer here or there. For the most part it just spread in this area. It was really the opposite. It was not designed to spread indiscriminately. I want to keep moving to questions. >> Why has Russia particularly targeted Ukraine as opposed to other places in Europe. They have a very special and abusive relationship with Ukraine. It was part of the Soviet
7:46 am
Union. Ukraine has many Russians that can be an offshoot of their culture and not a real country for its entire thousand-year history. And also Ukraine has things that Russia wants, like warm-water ports, and in previous generations it was the breadbasket of Russia. It was just part of the influence, and when it kind of turned to the West it starts to erode this buffer zone that Russia wants to create. Russia invaded, and people talk about this: they did not want to conquer Ukraine; they wanted to place the war in Ukraine that never ends, to make it a permanent war zone.
7:47 am
And that is where the cyber attacks come in. With cyber war you can project that uncertainty and the loss of confidence well beyond the military front, and start to demoralize civilians in the west of the country, finding them all offline. Gas stations aren't working. In these types of environments, your fears change from "my boss is annoying at work" to "am I going to get food for my family tonight." >> Ultimately it is that kind of disruption and the mass societal creation of fear and uncertainty and doubt. It is a
7:48 am
kind of terrorism, where you don't tactically gain that much in your war against Ukraine by just preventing people from taking the metro because they can't pay with their credit card, or just by destroying all of their government agencies. It accompanies a physical advance from the military. It makes Ukraine look like a failed state and makes some wonder if they should be supporting the pro-Western government, when things were a little bit more stable. >> I am interested in the corporate response, the multinational corporations. They can focus enormous
7:49 am
financial resources and capital on preventing this stuff from happening again. Are you seeing corporations starting to respond in ways that could be effective, or are these things just inevitable. >> What are corporations doing, and talk about Microsoft, because you mentioned Mimikatz. That is a Microsoft flaw. A lot of the attacks were on their system. >> I think you're asking about the victims. The reason that none of the companies wanted to tell the story of how they got hit by this is because of victim shaming. I did this to not have the victim shaming. I believe a lot of this could've happened to not quite
7:50 am
any multinational company, but many of them. It used a secret vulnerability. Nonetheless, I will now shame them and talk about their vulnerabilities. They had developed a new security plan that would have involved upgrades to all of their computers and operating systems. They had a budget for this. The IT team never carried it forward because of their bonus incentive program, and it didn't actually motivate them to do it. They paid this massive price afterwards. Of course they did have to rebuild everything, 45,000 PCs and servers. That was after the fact.
7:51 am
I really want to tell the story about the domain controller. >> I don't know how they back up their domain controllers now. They're the servers that are the kind of backbone of a big IT network: who has access to what. And when they just devastated them, in the global network outside of London, they sent all of their IT staff to this one building where people were sleeping under desks. One of the first things that they encountered was that they did not have a copy of their domain controllers.
7:52 am
And they had more than 100 domain controllers, but they were designed to back up to each other. You would have dozens of others that have a copy of the same data. What they had not planned for was a situation where they all go down at the same time, which is exactly what happened. When they realized, it was kind of a panic. They had to call all of the data centers around the world looking for one backup of a domain controller, and they finally found one in Uganda. This one data center had had a normal blackout. The result was that the one domain controller had been offline at the moment that it hit, so the backup was
7:53 am
preserved. They had this data that was the lifeline for the entire network. They tried to send it to their recovery operation center. They could not get enough bandwidth. They tried to fly to London with the plane. They did not have the right visas. They had to do the relay-race handoff, and fly back, drive the hard drive to London. Only then they began to rebuild their entire network. The lesson is, keep a domain controller offline to begin with. >> You don't have to go into why Microsoft had that memory problem.
7:54 am
>> I eventually heard a little bit about the Merck story as well. They had a backup of all of their data, but it was a hot backup, meaning that it was connected so they could more easily update their backup. Companies are making efforts to do this, but it's just the extra bit of expense to prepare for an actual cyber armageddon that you never expect to arrive. It's hard to know for the majority of companies, but I think most of them still are not actually learning these lessons until they learn the hard way, because it's hard to convince the CEO that this is what we should be spending money on. >> I think we are out of time right now.
7:55 am
We will have to talk to you about your question after this is over. I just want to thank Andy for chatting with me. We are out of time now. I can't stress enough the way this book puts the context of physical cyber threats in the proper place. It's really a remarkable thing. It's a disturbing read. Thanks for sharing a little bit about it. [applause] >> We appreciate this. If you would like to purchase the book, it will make a fabulous gift for the person that you are trying to get a gift for for the holidays. And you can chat with me
7:56 am
any more if you would like to. [inaudible conversations] >> Recently on Book TV, Charles Schwab talked about his life and his investment career. >> They flashed a couple of big numbers on me, and having come from literally zero money myself, it was a whole lot of money for the company. I owned about 40% of the company; it was a lot of money in 1981. We finally decided to do that, to make the transaction happen, because I was faced with, as we grew and grew, we needed more and more money to grow. I was turned down by many venture capitalists along the
7:57 am
way. We were lowering the prices and making great service for customers. Thousands of them were joining the company as clients. They did not want to finance any further. I did have a tough time raising money. Soon, over the next three or four years, it became clear that they were under the wrong umbrella and we had to work our way out of that. >> But they ran into huge problems. They went to the Greek shipping guys. They had all kinds of loans in South America. It went on and on. They did sell the big building in downtown San Francisco. They sold it to a couple of other subsidiaries. I said, hey, I convinced
7:58 am
them to sell us. And that was another interesting story about it. They said, okay, we will sell it to you. We will sell you to the highest bidder. I said, terrific, but you don't know very well that I'm not for sale. It was a real threat. I was a little bit upset with them when we made the deal with them. Our stock, they sought the transaction. It was like $24 a share. I think the next four years it went from 24 all the way down to nine. I was an unhappy guy for many reasons. That was our total net
7:59 am
worth. She is so shy. >> It's a nontrivial point. They could sell Charles Schwab, but they couldn't sell Charles Schwab the person. It was a provision in there that it wasn't for sale, to use my name and face. By that time, I was getting people who identify the company with me. It opens up another company. We came to terms. They ended up with five and six times what they had paid me for in compensation in five years' time. Visit our website for more information on this event.
8:00 am
Book TV is television for serious readers, all weekend, every weekend. Join us again next Saturday beginning at 8:00 a.m. Eastern for the best nonfiction books. >> C-SPAN, your unfiltered view of government. Created by cable in 1979 and brought to you today by your television provider. >> Host: Our guest this week on "The Communicators" is Representative Jan Schakowsky, a Democrat from Illinois and chair of the Consumer Protection

