Andy Greenberg

The Kremlin’s Hack Attacks

Air Date: February 18, 2020

Wired reporter Andy Greenberg discusses the next wave of Russian cyber crimes.


HEFFNER: I’m Alexander Heffner, your host on The Open Mind. Writer for Wired magazine, Andy Greenberg is author of “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers.” Three years ago Greenberg learned of a group of hackers hitting Ukraine with relentless, what he calls disruptive cyber attacks, with effects that would soon spread globally, as we well know today. His book tells that story of the first true cyberwar. As Russia has attacked, Greenberg has not been far behind reporting on these incursions in Wired while searching for their perpetrators. “Like the best true crime writing, his narrative is both perversely entertaining and terrifying,” says the New York Review of Books and longtime national security advisor Richard Clarke adds about Greenberg’s book, “It’s an in-depth investigation of what the Russian military’s best cyber unit has already done to disrupt corporations, to penetrate utilities and to prepare for all-out cyberwar.”

It considers too how we might counter the Kremlin in the future. And it couldn’t be a timelier conversation to have, at least not ever I hope timelier than today because then we might be in the midst of a full scale digital Pearl Harbor or digital 9/11.

GREENBERG: Hopefully not too timely.

HEFFNER: Right, right. Hopefully it doesn’t get any timelier.


HEFFNER: But I want you to start with the history of what preempted, what occurred prior to the influence on the American campaign and the attacks, the bots and the trolls and the espionage that occurred during the 2016 cycle. Because the precursor to that, as I said in the intro is Ukraine. What happened in Ukraine?

GREENBERG: In many ways this book is about how Ukraine is this canary in the coal mine, that you can look to Ukraine to see the future and to see very specifically what Russia is planning with what Russia is trying to carry out in kind of most insidious and aggressive maneuvers. So I think as you were alluding to, before even the real story of this book gets started, just after the pro-Western revolution that happened in Ukraine, in early 2014 this kind of moment when Ukraine tore away from the influence of its, of its Russian neighbors to the East and tried to embrace the EU. Well, Russia invaded and seized Crimea and then began this sort of touched off a Russian supported civil war in the East of Ukraine, but they also began to carry out wave after wave of cyber attacks.

And the very first of those was actually an attempt to hack the Ukrainian election. So Russian hackers, we would later learn they were in fact the same Russian hackers who meddled in the U.S. election who hacked the DNC, the DCCC the Clinton campaign. They tried to spoof the results of the Ukrainian election by hacking into the central election commission and adding fake results that they were actually then trumpeted on Russian television, even though the Ukrainian television station managed to take them down before they could be broadcast in Ukraine. So it was clear that there was some coordination there. When I began looking at Ukraine actually, in late 2016, after the Russian attempts to interfere in the U.S. election, I saw that as maybe the first sign that you could see the future, by looking at Ukraine you could see how Russia was testing out new cyberwar information warfare capabilities in Ukraine.

And what was really chilling was that, well, first you could see that Russia hacked the Ukrainian election. Then they by then had already tried to hack our election, I think you can say, but they had also hacked so many other things in Ukraine, including even the power grid, causing the first-ever blackouts triggered by hackers. So did that mean that Russia was building a capability there that they also would use elsewhere in the world just as they had with their election meddling techniques? You know, was, were those Ukrainian blackouts, a kind of harbinger of similar cyber attacks on electric utilities elsewhere in the world or the capability that Russia was trying to develop, it seemed like Ukraine was being used as a kind of test lab for cyberwar and capabilities that really threatened everyone in the West and elsewhere.

HEFFNER: I love that line from The Americans and we hosted Joe Weisberg, of course, the creator and writer of The Americans on when there is a military officer who to whom it’s explained looking at code, that’s what the future of the free world rests on that code. It seems at least ostensibly, like the Russians decided amidst this kind of nuclear detente and deterrent that this is the, this is where the future is.

GREENBERG: Well, as you were saying, we don’t see much of the same kind of you know, the NSA and cyber command, U.S. forces hacking in the same sort of like massively disruptive ways.

HEFFNER: If they’re doing it, we don’t know about it.

GREENBERG: They do it occasionally. They, you know, Stuxnet, this piece of code and in 2009, 2010 was this kind of brilliantly designed tool that the NSA and Israeli forces together used to, you know, destroy Iranian centrifuges to prevent them from developing a nuclear weapon. But that’s a very rare and also very, very targeted sort of cyber attack. What we’ve seen from Russia and beginning in Ukraine have been wave after wave of very loud, massively destructive attacks that have destroyed the entire networks of media companies, private sector industry, government agencies. And it culminated in not one, but two attacks on the Ukrainian power grid that turned off the power to hundreds of thousands of people.

These are the kind of quintessential acts of mass cyberwar that we’ve been waiting for, you know, really sort of dreading and writing sort of science fictional hypothetical stories about for decades. And that happened in Ukraine, but it wasn’t, you know, this book is about the fact that we should have seen those attacks happening in Ukraine, said that, told Russia this is unacceptable. These sorts of cyber attacks on civilian targets are never acceptable. These are essentially cyberwar crimes. And yet we said nothing. And that allowed Russia to keep going and gave them this implicit signal that they could escalate, which they did. And ultimately those attacks spread to the rest of the world.

HEFFNER: Right. And, and of course, you had a presidential candidate at that point encouraging the hacking. If you’re listening, please hack into the DNC. Please recover emails from Hillary Clinton. So we ought not ever forget that there was complicity,


HEFFNER:… in the perpetuation of those attacks.

GREENBERG: Absolutely. The Obama Administration, it’s, I feel like I need to say to be fair, responded to Russia’s attacks on the U.S. election, but did not respond to the attacks on Ukraine, and even when they were the kind of most obvious crossing of red lines that we should have been trying to set, like nobody should turn off the power to civilians with a cyber attack. The Obama Administration said nothing about it.

HEFFNER: It’s not clear that they had the foresight either.

GREENBERG: Right. But then those attacks continued under the Trump Administration and it seems like there’s a different motivation, which is that the Trump White House doesn’t like to talk about Russian hackers for obvious reasons. They are, Trump himself seems to be incredibly sensitive to any suggestion, any mention of Russian hacking and also very isolationist in his view. So when those attacks continued in Ukraine, it’s no surprise that the Trump White House also said nothing, even as those attacks escalated, even as the warning became clearer and clearer that things were happening in Ukraine that would soon hit us in the U.S. as well. And, and what I mean by that is not just election hacking, I should be clear, but a very specific cyber attack that these same hackers, known as Sandworm, that’s why there’s the title of my book, these same hackers unleashed in Ukraine, and that very literally spreads a worm that spread through the rest of the world and caused $10 billion dollars in damage, took down American hospitals’ medical records systems, shut down Maersk, the world’s largest shipping firm, and Merck, the New Jersey pharmaceutical company. Well, maybe we’ll get to this, but this is the kind of climactic attack that fulfilled this prediction, this warning that what happened in Ukraine should not be ignored, that it would happen to us too. And it did in 2017.

HEFFNER: Do you expect as we anticipate this fall campaign that they will, the Russian inspired and active measures against American democracy will be in even more brutal force than in 2016 that it will materialize in the way you describe to intimidate voters?

GREENBERG: I think it’s maybe a foolish game to try to predict what Russian hackers will do because they seem to thrive on unpredictability, of doing something different from what they did last time, doing the unexpected. It does seem likely that we’ll at least see the same kind of influence operations, information warfare that we saw in 2016. But you can also see the ways that Russia, more specifically with this group Sandworm, which to kind of maybe spoil some of the surprises in the book is a part of the military intelligence agency, the GRU, the same one that meddled in the 2016 election, we see how they’re developing ways of not just trying to sway public opinion, disinformation, hacking and leaking operations, dirty politics, they’re doing, Sandworm is doing disruptive attacks that break pieces of our society of you know, Ukraine’s critical infrastructure that shut down massive networks. And…

HEFFNER: That’s what I mean,

GREENBERG: There’s a, there’s a fear. I think what you’re getting at is that there’s a fear that those sorts of attacks could be launched for instance, on Election Day in 2020 and what would it look like if there were, you know perhaps, big attacks on the U.S. media that destroyed hundreds or thousands of computers as this happened in Ukraine on the day of the election? That exactly, that actually happened in Ukraine, Russian hackers, Sandworm, attacked Ukrainian television broadcasters on the day of an election – that could happen in the U.S. we could see, I don’t want to be a scaremonger here and it’s difficult, it’s dangerous to predict, but we could see blackouts or a disruptive worm that spread, you know, wantonly through American networks destroying computers on Election Day. What would that mean for voter turnout, for the distraction of the, of U.S. citizens on this crucial day?

HEFFNER: That’s what I was going to get at though, which is, we ought to expect that they’re going to do a number on the Biden emails or the Buttigieg emails or whoever the eventual democratic nominee is,

GREENBERG: Right. Right. You know we

HEFFNER: At a minimum

GREENBERG: We absolutely should expect that every campaign that will be targeted by Russian hackers, probably Chinese, probably plenty of foreign states’ hackers at least as an espionage target. I think we can also expect that there will be some sort of repeat of 2016 where those espionage campaigns escalate into hacking and leaking operations where, you know, with false identities, hackers just spill out the guts of these campaigns in embarrassing ways or you know, maybe with disinformation fake emails thrown in to try to sway public opinion. We saw that in the French election in 2017 as well. Also with the same hackers involved.

But the DHS, you know, Reuters has reported that the DHS is trying to prepare for a more disruptive and destructive kind of cyber attack on the 2020 election as well. Perhaps that could target election infrastructure,


GREENBERG: We could see like some sort of disruption campaign against voter rolls.


GREENBERG: Sandworm did also in 2016 breach states’ Boards of Election that includes voter rolls. So that could be a way to affect turnout, but there could also be something less direct, something that simply, you know, just shuts down lots of U.S. infrastructure on that day. The DHS is trying to prepare for that too, but that is a, that is a vast target to try to put a shield around. I’m not sure it’s really possible to prepare when, you know, we’re talking about trying to protect essentially everything at the same time. I mean we can’t simply just like lift the cyber security of the entire U.S. private sector and government to prepare for 2020.

HEFFNER: It doesn’t get back to the motive, the question of motive and the GRU and Putin who from what we gather is the puppet master of the GRU. And you know it doesn’t benefit him ultimately to turn off the lights completely, of the global economy. I don’t think, I don’t think that that’s, I if you watch Icarus which is sort of the companion documentary on Netflix to your terrific book “Sandworm,” you’ll see that there was an animus that was a result of American interference and allegiance to Ukraine. And I’m wondering, Andy, you know, is there even an effort at that level to understand motive?

GREENBERG: It’s interesting that you, that you sort of pair Icarus and “Sandworm” … Icarus, you know Bryan Fogel’s Icarus is really about Russia’s obsession with the Olympics. And my book is, is in part, it’s actually, there are some parts about that, but it’s kind of about Russia’s other obsession, which is Ukraine. And it seems like those obsessions are not entirely rational and they lead to maneuvers, to attacks that are not always even you know, sort of strategically smart for Russia to do for in Ukraine in 2017, this kind of climactic attack I was getting at, this is called NotPetya. Sandworm, these, this group of Russian hackers, that’s part of the GRU the military intelligence agency, unleashed a worm that spread to the rest of the world, cost $10 billion in damage and actually hit Russian companies as well. It was so reckless in its automated spreading from network to network in the damage that it did, that it was entirely indiscriminate and untargeted.

And, and it hit the U.S., it hits all over Europe and in Russia as well as, you know, carpet bombing the intranet of Ukraine, which was its actual intention. So I don’t believe that that was intended to do millions of dollars in damage to Russia as well. It seems like the GRU in particular, this one intelligence agency that is tasked with these insanely aggressive you know, sorts of attacks, the GRU is responsible for that, for NotPetya for these attacks on Ukraine, Sandworm is part of the GRU, they have almost, it seems like a sort of cowboy mentality that you just everyday try to do the most scary and aggressive thing that you can think of to impress your bosses. Maybe to impress your boss’ boss or maybe to impress Putin himself and you don’t always think about the consequences. But to more directly sort of tie into what you’re saying, I think the in 2018 Sandworm, all the GRU, again attacked the 2018 Olympics too with a cyber attack that essentially destroyed the IT back ends of the Winter Olympics in Pyeongchang. You know, this is where Icarus and Sandworm really, you know, these obsessions Ukraine and the Olympics, they are often tied together and that attack and that attack, Sandworm tried to cover its tracks to make the attack look like it could be China or it could be North Korea with all of these false flags. They didn’t try to take credit for it. They didn’t try to send a message. So you can see almost the pettiness of this, that Russia had been banned from those Olympics for doping and they just wanted to spoil it for everyone else. They didn’t really want to accomplish anything tactically or to give themselves some advantage to, you know, try to remove that ban or get into the next Olympics. They just wanted to take revenge anonymously. So it’s, it’s really difficult to understand the motivations of the GRU, of Putin, it seems like sometimes it’s just almost emotional and it’s sort of petty vindictiveness.

HEFFNER: While it is emotionally charged I think from the American perspective there is a rational end-goal for them to destabilize democratic norms and to in-effect normalize autocracy in the United States. And that’s why they favor Trump. And,

GREENBERG: Yeah, I think that the 2016 election hacking was more rational,


GREENBERG: Was more strategic and it worked.

HEFFNER: So, in that vein, when, when we’re aware of the threat and the perpetrator, how brazen do you think it will get? We were talking about scenarios where they are cutting voters off the rolls or leading to blackouts, cutting the electricity in… I could imagine that being a next step in these districts where their cyber warriors were sending Facebook posts and tweets out that said “you can text your vote to,” and they did that specifically targeting low-information voters in, you know, certain localities. And do you think it will get that brazen and obvious to the point of shutting down the power grid where Trump’s opponents and voters for Trump’s opponent would come out? You think,

GREENBERG: Well, I think we can look at 2016 where they did pretty insanely brazen sorts of hacking and leaking influence operations, disinformation and they got away with it in the sense that, you know, our administration now has downplayed. It has denied. It has, we’ve failed to respond in many ways. I mean, half the country is massively inflamed about this, but the party in power is doing everything it can to downplay that. So I do think that invites even more aggressive tactics of those kinds in 2020. Will they try some sort of more disruptive attack that, you know, deletes voter rolls or messes with voter registration systems, that destroys computer networks or causes a blackout? I don’t know if they’ll go that far. We’ve seen that Russian hackers including Sandworm have at some points planted their malware in American grid targets.

And in 2017, a different Russian hacker group got far enough as to be taking screenshots to have access to the control panel software. They could have started flipping switches. They probably could have caused at the very least, a very short-term blackout and they didn’t. So there is you know, that’s both extremely worrying, but it also shows that Russian hacking forces have some restraints when it comes to these very obvious and sort of like quintessential acts of cyberwar against the U.S., they haven’t gotten that far in the past. But I, I just, I wouldn’t want to bet that they will never take that step because they simply are so, so kind of macho, brazen, driven it seems by ego. And if for instance, there was ever a perception that the U.S. had done this to Russia or done something equivalent, I can see them firing back.

HEFFNER: If you were game playing this, Andy, based on your terrific research, what would you expect ultimately transpires in Tokyo and does that set up expectations for what happens in November?

GREENBERG: What’s important to look at is the pattern if we’re going to look at the Olympics. So in 2018, ahead of the 2018 Olympics, GRU hackers, this group known as Fancy Bear that was also responsible for some of those attacks on the DNC and the Clinton campaign that stole and leaked emails, they, that same hacker group, which is part of the GRU, all of this as part of the GRU, they also stole and leaked emails from the worldwide anti-doping agency to try to discredit that group, you know in retaliation for the, their doping ban against Russia. That happened ahead of the 2018 Olympics on the day of the Olympics. And in fact, the moment that the opening ceremony began Sandworm, this other arm of the GRU launched a sabotage attack that destroyed the IT back end of those Olympics, forced these poor Korean IT administrators to spend the next 12 hours, that entire night trying to rebuild the entire Olympics network from scratch, essentially, so that the games could begin at 8:00 AM the next day. And they just barely succeeded at that. It was a kind of heroic effort. But since then, since that attempted cyber sabotage on the Pyeongchang Olympics, there’s been no government statement in the West. The U.S. government has not said that Russia did this, officially, which is just inexplicable. And I would say almost, you know, just appalling negligence,

HEFFNER: And who has said it?

GREENBERG: No one has really, I mean the,

HEFFNER: But you did.

GREENBERG: I have said it and in fact this, you know, my book includes I think some new evidence that proves that it was in fact Sandworm responsible for this. I shouldn’t say no one. The Washington Post reported a couple of weeks after the attack that it was the GRU that had done this, but without any evidence.

HEFFNER: What about the Olympics or doping committees?

GREENBERG: Google has also said that Sandworm did the cyber attack on the 2018 Olympics. But the fact that no government has called this up means that they’re inviting another attack in 2020.


GREENBERG: And in fact, we’ve seen the precursors to that attack in 2020 already beginning. We’ve seen GRU hackers stealing, targeting the worldwide anti-doping agency again, which, you know, so we’re seeing the same pattern play out and we have not done the diplomacy, the kind of disciplined response necessary to try to prevent Russia from carrying out another potentially catastrophic attack.

HEFFNER: And most depressingly, I’ll just say to end that Robert Mueller is not home anymore, right, I mean, there, there was this faith that he would protect us as it related to the collusion, but the fact of the matter is he, you know, there is no active, at least publicly known, active law enforcement czar that is leading these efforts. And, you know, Robert Mueller might’ve gone away, but all of those threats, the Fancy Bears and the Sandworms, they remain. And, you know, to me, his concluding act and testimony before Congress just was a concession almost to, to the idea that that was the new normal. And, you know, those crimes were committed. We haven’t extradited anyone. We haven’t gotten real justice. And your final thoughts.

GREENBERG: Robert Mueller did, I believe, the best job of anybody so far, to actually hold some of these hackers to account, but he was focused on U.S. election interference. He did indict 12 GRU hackers in absentia, you know, we’re not going to get our hands on those guys. They included some members of Sandworm it turned out, but Robert Mueller, you know, it wasn’t his job and in fact it has sort of been nobody’s job. We don’t have somebody whose job it is to, to try to police the activity of these hackers more broadly. We, we not only are not protecting American interests; we are not protecting targets, civilian targets like the Olympics. We are not setting kind of global cyber norms about what is okay to do in cyberwar and what is not. We need a kind of Geneva Convention to make those rules and we’re not even close to one right now.

HEFFNER: We hope that Christopher Wray, FBI director, is on this, and I’m sure there are people behind the scenes who are working on this, or at least we, we ought to hope. Andy, thank you for your time today.

GREENBERG: Thank you for having me.

HEFFNER: And thanks to you in the audience. I hope you join us again next time for a thoughtful excursion into the world of ideas. Until then, keep an open mind. Please visit The Open Mind website at to view this program online or to access over 1,500 other interviews and do check us out on Twitter and Facebook @OpenMindTV for updates on future programming.