This Is How They Tell Me the World Ends

Book Preface

This book is the product of more than seven years of interviews with more than three hundred individuals who have participated in, tracked, or been directly affected by the underground cyberarms industry. These individuals include hackers, activists, dissidents, academics, computer scientists,

American and foreign government officials, forensic investigators, and mercenaries.
Many generously spent hours, in some cases days, recalling the details of various events and conversations relayed in these pages. Sources were asked to present documentation, whenever possible, in the form of contracts, emails, messages, and other digital crumbs that were considered classified or, in many cases, privileged through nondisclosure agreements. Audio recordings, calendars, and notes were used whenever possible to corroborate my own and sources’ recollection of events.
Because of the sensitivities of the subject matter, many of those interviewed for this book agreed to speak only on the condition that they not be identified. Two people only spoke with me on the condition that their names be changed. Their accounts were fact-checked with others whenever possible. Many agreed to participate only to fact-check the accounts provided to me by others.

The reader should not assume that any individual named in these pages was a source for the events or dialogue described. In several cases accounts came from the person directly, but in others they came from eyewitnesses, third parties, and, as much as possible, written documentation.

And even then, when it comes to the cyberarms trade, I have learned that hackers, buyers, sellers, and governments will go to great lengths to avoid any written documentation at all. Many accounts and anecdotes were omitted from the following pages simply because there was no way to back up their version of events. I hope readers will forgive those omissions.

I have done my best, but to this day, so much about the cyberarms trade remains impenetrable that it would be folly to claim that I have gotten everything right. Any errors are, of course, my own.
My hope is that my work will help shine even a glimmer of light on the highly secretive and largely invisible cyberweapons industry so that we, a society on the cusp of this digital tsunami called the Internet of Things, may have some of the necessary conversations now, before it is too late.
—Nicole Perlroth
November 2020

By the time my plane touched down in Kyiv—in the dead of winter 2019—nobody could be sure the attack was over, or if it was just a glimpse of what was to come.

A note of attenuated panic, of watchful paranoia, had gripped our plane from the moment we entered Ukrainian airspace. Turbulence had knocked us upward so suddenly I could hear bursts of nausea in the back of the plane. Beside me, a wisp of a Ukrainian model gripped my arm, shut her eyes, and began to pray.

Three hundred feet below, Ukraine had gone into orange alert. An abrupt windstorm was ripping roofs off apartment buildings and smashing their dislodged fragments into traffic. Villages on the outskirts of the capital and in western Ukraine were losing power—again. By the time we jerked onto the runway and started to make our way through Boryspil International Airport, even the young, gangly Ukrainian border guards seemed to be nervously asking one another: Freak windstorm? Or another Russian cyberattack? These days, no one could be sure.

One day earlier, I had bid my baby adieu and traveled to Kyiv as a kind of dark pilgrimage. I came to survey the rubble at ground zero for the most devastating cyberattack the world had ever seen. The world was still reeling from the fallout of a Russian cyberattack on Ukraine that less than two years earlier had shut down government agencies, railways, ATMs, gas stations, the postal service, even the radiation monitors at the old Chernobyl nuclear site, before the code seeped out of Ukraine and haphazardly zigzagged its way around the globe. Having escaped, it paralyzed factories in the far reaches of Tasmania, destroyed vaccines at one of the world’s largest pharmaceutical companies, infiltrated computers at FedEx, and brought the world’s biggest shipping conglomerate to a halt, all in a matter of minutes.
The Kremlin had cleverly timed the attack to Ukraine’s Constitution Day in 2017—the equivalent of our Fourth of July—to send an ominous reminder to Ukrainians. They could celebrate their independence all they wished, but Mother Russia would never let them out of its grip.

The attack was the culmination of a series of escalating, insidious Russian cyberattacks, revenge for Ukraine’s 2014 revolution, when hundreds of thousands of Ukrainians took to Kyiv’s Independence Square to revolt against the Kremlin’s shadow government in Ukraine and ultimately oust its president, and Putin’s puppet, Viktor Yanukovych.

Within days of Mr. Yanukovych’s fall, Putin had pulled Yanukovych back to Moscow and sent his forces to invade the Crimean Peninsula. Before 2014, the Crimean Peninsula was a Black Sea paradise, a diamond suspended off the south coast of Ukraine. Churchill once coined it “the Riviera of Hades.” Now it belonged to Russia, the infernal epicenter of Vladimir Putin’s standoff with Ukraine.
Putin’s digital army had been messing with Ukraine ever since. Russian hackers made a blood sport of hacking anyone and anything in Ukraine with a digital pulse. For five long years, they shelled Ukrainians with thousands of cyberattacks a day and scanned the country’s networks incessantly for signs of weakness—a weak password, a misplaced zero, pirated and unpatched software, a hastily erected firewall—anything that could be exploited for digital mayhem. Anything to sow discord and undermine Ukraine’s pro-Western leadership.

Putin laid down only two rules for Russia’s hackers. First, no hacking inside the motherland. And second, when the Kremlin calls in a favor, you do whatever it asks. Otherwise, hackers had full autonomy. And oh, how Putin loved them.
Russian hackers are “like artists who wake up in the morning in a good mood and start painting,” Putin told a gaggle of reporters in June 2017, just three weeks before his hackers laid waste to Ukraine’s systems. “If they have patriotic leanings, they may try to add their contribution to the fight against those who speak badly about Russia.”

Ukraine had become their digital test kitchen, a smoldering hellscape where they could test out every hacking trick and tool in Russia’s digital arsenal without fear of reprisal. In the first year, 2014, alone, Russian state media and trolls barraged Ukraine’s presidential election with a disinformation campaign that alternately blamed the country’s mass pro-Western uprisings on an illegal coup, a military “junta,” or “deep states” in America and Europe. Hackers stole campaign emails, prowled for voter data, infiltrated Ukraine’s election authority, deleted files, and implanted malware in the country’s election reporting system that would have claimed victory for a far-right fringe candidate. Ukrainians discovered the plot just before the results were reported to Ukraine’s media. Election security experts called it the most brazen attempt to manipulate a national election in history.

In retrospect, this should have all set off louder alarm bells in the United States. But in 2014, Americans’ gaze was elsewhere: the violence in Ferguson, Missouri; the horrors of ISIS and its seeming emergence out of nowhere; and, on my beat, the North Korean hack of Sony Pictures that December, when Kim Jong-un’s hackers exacted revenge on the movie studio for a Seth Rogen–James Franco comedy depicting the assassination of their Dear Leader. North Korean hackers torched Sony’s servers with code, then selectively released emails to humiliate Sony executives in an attack that offered Putin the perfect playbook for 2016.

For most Americans, Ukraine still felt a world way. We caught passing glimpses of Ukrainians protesting in Independence Square, and later celebrating as a new pro-Western leadership replaced Putin’s puppet. Some kept an eye on the battles in eastern Ukraine. Most can recall the Malaysian airplane—filled with Dutch passengers—that Russian separatists shot out of the sky.
But had we all been paying closer attention, we might have seen the blaring red warning lights, the compromised servers in Singapore and Holland, the blackouts, the code spiking out in all directions.

We might have seen that the end game wasn’t Ukraine. It was us. Russia’s interference in Ukraine’s 2014 elections was just the opening salvo for what would follow—a campaign of cyberaggression and destruction the world had never seen.

They were stealing a page from their old Cold War playbooks, and as my taxi made its way from Boryspil to Kyiv’s center, Independence Square, the bleeding heart of Ukraine’s revolution, I wondered which page they might read from next, and if we’d ever get to a place where we might anticipate it.
The crux of Putin’s foreign policy was to undercut the West’s grip on global affairs. With every hack and disinformation campaign, Putin’s digital army sought to tie Russia’s opponents up in their own politics and distract them from Putin’s real agenda: fracturing support for Western democracy and, ultimately, NATO—the North Atlantic Treaty Organization—the only thing holding Putin in check.
The more disillusioned Ukrainians became—where were their Western protectors, after all?—the better the chance they might turn away from the West and return to the cold embrace of Mother Russia.
And what better way to aggravate Ukrainians and make them question their new government than to turn off Ukraine’s heat and power in the dead of winter? On December 23, 2015, just ahead of Christmas Eve, Russia crossed a digital Rubicon. The very same Russian hackers that had been laying trapdoors and virtual explosives in Ukrainian media outlets and government agencies for months had also silently embedded themselves in the nation’s power stations. That December they made their way into the computers that controlled Ukraine’s power grid, meticulously shutting off one circuit breaker after another until hundreds of thousands of Ukrainians were without power. For good measure, they shut down emergency phone lines. And for added pain, they shut off the backup power to Ukraine’s distribution centers, forcing operators to fumble around in the dark.

The power wasn’t out long in Ukraine—less than six hours—but what happened in western Ukraine that day is without precedent in history. The digital Cassandras and the tinfoil-hat crowd had long warned that a cyberattack would hit the grid, but until December 23,

Iran and North Korea were high up on the list of cyber threats, too. Both demonstrated the will to do the United States harm. Iran had brought down U.S. banking websites and obliterated computers at the Las Vegas Sands casino after Sands CEO Sheldon Adelson publicly goaded Washington into bombing Iran, and—in a wave of ransomware attacks—Iranian cybercriminals had held American hospitals, companies, entire towns hostage with code. North Korea had torched American servers simply because Hollywood had offended Kim Jong-un’s film tastes, and later, Jong-un’s digital minions managed to steal $81 million from a bank in Bangladesh.

But there was no question that in terms of sophistication, Russia was always at the top of the heap. Russian hackers had infiltrated the Pentagon, the White House, the Joint Chiefs of Staff, the State Department, and Russia’s Nashi youth group—either on direct orders from the Kremlin or simply because they were feeling patriotic—knocked the entire nation of Estonia offline after Estonians dared to move a Soviet-era statue. In one cyberattack Russian hackers, posing as Islamic fundamentalists, took a dozen French televisions channels off the air. They were caught dismantling the safety controls at a Saudi petrochemical company—bringing Russian hackers one step closer to triggering a cyber-induced explosion. They bombarded the Brexit referendum, hacked the American grid, meddled with the 2016 U.S. elections, the French elections, the World Anti-Doping Agency, and the holy goddamn Olympics.