Cybersecurity Experts Share 4 Lessons Learned From Hacking Group Sandworm

Sandworm, an infamous strain of malware and advanced persistent threat group, has caused numerous worldwide disruptions with devastating effects. In the past several years, Sandworm has caused nearly $1 billion in losses to three people alone, launched the 2015 to 2016 Ukraine power grid attacks, and allegedly disrupted the 2017 French elections and 2018 Winter Olympics.

As recently as October 2020, six Russian GRU (Russian Main Intelligence Directorate) officers were charged in connection with the worldwide deployment of the malware. In the years since the attacks, cybersecurity industry leaders continue to converse about how Sandworm’s actions affected countries and the world as a whole, and what we can learn moving forward.

Human Threats Like the Ukraine Power Grid Attacks Require More Than a One-Size-Fits-All Approach

Robert M. Lee, CEO and founder of Dragos, where he and his team helped lead the investigation into the 2015 and 2016 cyberattacks on Ukraine's power grid, as well as other attacks in the Middle East, finds one particular lesson more important than the rest after confronting the attack in Ukraine.

“While the malware gets a lot of attention and it was an important detail … was that this isn't some attack that you can patch a vulnerability and be done with, or deploy another antivirus solution. This was a human threat learning and abusing native functionality.”

As such, Lee and his team advise everybody to not just “copy and paste” enterprise security strategy and to take a different approach to this sort of threat and security.

The Sandworm 2018 Winter Olympics Attack Lacked a Clear Objective

“It start[ed] out with DDoS attacks,” said John Hultquist, senior director of intelligence analysis at FireEye. “There's several intrusion attempts [and] eventually they gain access to some of the actual information … and it all sort of culminates in this destructive attack on the Olympics.”

“What was so interesting about the situation is … it felt like a harassment campaign,” Hultquist continued. “It wasn't clear what major strategic objective was there, especially attacking a sort of global goodwill event. Attack on the Olympics is essentially an attack on the global community. But they carried it out anyway.”

Government and Private Sector Teams Differ in Dealing With Cybersecurity Threat

How the government handles cybersecurity is different than how private sector teams do, and it’s important to note these differences and acknowledge the strengths of each.

“I think you have to separate the value from governments and value from the private sector,” said Lee.

“A lot of the intelligence requirements in the private sector are very defense-focused without attribution, whereas a lot of the intelligence requirements at government level to support sanctions and diplomatic efforts exist solely on attribution,” he continued. “Finding that right balance as we communicate between the private sector and government; finding that right balance of playing to our strengths, especially inside the government of ‘What are we going to do?’ is important.”

Government and Private Sectors Must Find Balance When Discussing Cybersecurity

Hultquist, having worked in both government and now the private sector, echoed Lee’s sentiments and believes an ideal solution to be governments working with more commercial partners.

“We need to fundamentally reverse our sense of collaboration,” suggested Chris Inglis, a commissioner in the U.S. Cyberspace Solarium Commission. “We share information without precondition before we know that it's valuable to us,” he continued. “As we discover [information, then], we'll co-discover those things [together]. Those things will then be enriched by the relationship we have with each other.”

“That's the miracle of collaboration, especially when it's done at the lowest possible level,” Inglis added. “So if I have a hope and aspiration, a dream for the next two years, it would be that we create those spaces where we have physical common ground, we develop professional intimacy, we share without precondition, we co-discover, and we then begin to co-mitigate because policymakers typically don't know what questions to ask.”