The Perfect Weapon

David E. Sanger



In the twenty-first century we have seen a tendency toward blurring the lines between the states of war and peace. Wars are no longer declared and, having begun, proceed according to an unfamiliar template.
—Valery Gerasimov, chief of the general staff of the Russian Federation Armed Forces, on Russia’s hybrid warfare strategy, 2013

In the last days of June 2017, Dmytro Shymkiv was 4,600 miles from Ukraine, dropping off his kids for summer camp in upstate New York. It was the family’s annual summer break from life in Kiev, a capital that still lives uncomfortably between the tug of old Soviet culture and the lure of new Europe.

At camp, the kids could practice their English and learn what it’s like to be American teenagers. But for Shymkiv, a broad-faced entrepreneur with spiky hair, then forty-one, who became one of Ukraine’s most recognizable techies long before he was lured into government service to help complete a revolution, the daily cyber battle with Moscow was never far away. Even in the mountains of New York.

“I had just gone out for a run,” Shymkiv recalled later that summer as we sat in his office in the presidential palace in Kiev, down the hall from President Petro Poroshenko. “When I came back, I caught my breath, and I looked at my phone and there was no real news. But then, on social media, there were indications of a problem. And not a little problem.”

Then the texts started pouring into his phone. Something—his staff could not tell exactly what—was freezing computers around Ukraine, simultaneously and seemingly permanently.

His first thought was that the Russians were back.


Before Shymkiv unexpectedly found himself playing the role of four-star general in the world’s most active cyberwar, he was a computer-obsessed kid growing up in a distant corner of the Soviet Union, and thinking constantly about how to get to the West. By the time he was a teenager, the Soviet Empire was no more, and by his twenties he had become one of the country’s first tech entrepreneurs, before pivoting to lead Microsoft’s small Ukraine operation. There he discovered just how vulnerable the country’s backward technological foundation—full of old machinery and pirated, unpatched software—was to a massive cyberattack. He knew how simple it was for Russia to exploit Ukraine’s weaknesses in the two wars simultaneously under way in Ukraine.

“There’s a shooting war in the Donbass, since Crimea,” he told me, referring to the eastern corner of the country where Russia’s military forces were conducting a guerilla war against Ukraine, after Vladimir Putin ordered the seizure of the Crimean territory in early 2014. “And there is a digital war, every day, in Kiev.” Shymkiv lived five hundred miles and a world away from that grim shooting war. But he had a front-row seat to the digital war, and it helped galvanize him to political action.

In February 2014, Shymkiv had taken vacation days from Microsoft to join the protests in Maidan Square at the center of Kiev—ground zero in the revolution that ousted Viktor Yanukovych, the corrupt former president and Russia-puppet. He camped with the protesters for two weeks, clearing snow and, ultimately, giving lectures on digital technology in the freezing cold in what came to be known, half in jest, as the “Open University of Maidan.” He kept his Microsoft affiliation quiet; the company didn’t know how the revolution was going to turn out and didn’t want to be associated with the uprising. But Shymkiv broke his cover one night when Poroshenko—the opposition politician who would ultimately prevail and emerge as the country’s president—came through. The two men chatted, a move that shocked some of Shymkiv’s fellow protorevolutionaries. Yanukovych, of course, was spending millions of dollars to stay in power, relying on the advice and services of Paul Manafort, his friend and chief political strategist. Ultimately, though, he fled to exile in Russia. The election to replace him, in May 2014, amounted to a stark choice between a Ukraine that would surrender to Putin and one that Shymkiv and a generation of young Ukrainians imagined—a country that would turn to Europe. That election was a major target for Putin, who sought to defeat Poroshenko or, if that failed, cast doubt on his legitimacy and the integrity of the Ukrainian democratic process.

Thirteen more months would pass before Donald Trump glided down the golden escalator at Trump Tower to announce his candidacy for president of the United States. But for anyone looking for a preview of coming attractions, this was it.

Putin’s cyber army went to work. Teams of hackers had scoped the Ukrainian election system, and planned their intrusions. On Election Day, they were ready. At the critical moment, they wiped out data in the system that tallied votes. But that was just the beginning. The hackers also managed to get into the reporting system that announced the results, altering the vote counts received by television networks. For a brief while, as news of the tally unfolded, it appeared to the Ukrainian media that Dmytro Yarosh, the leader of the nationalist and pro-Russia Right Sector Party, had emerged as the unlikely winner.

It was, of course, all a digital mind game. The Russian hackers didn’t think the television declaration would stick. Rather, they simply sought to create chaos, and fuel an argument that Poroshenko manipulated the results to win. The plot failed: Ukrainian officials detected the attack, and corrected the results a nail-biting forty minutes before the networks aired them. Poroshenko had won, though not overwhelmingly—he had about 56 percent of the vote. Russia’s own television networks, apparently unaware that the cyberattack had been detected, announced the phony results, with Yarosh as the victor.

Within weeks Poroshenko had contacted Shymkiv, whom he knew only vaguely beyond that encounter in the square. “He didn’t give me much of a choice,” Shymkiv later said with a laugh. Soon the guy who had started in computing by playing with the portable Sinclair computers of the ’80s had been handed two tasks, both impossible: reforming Ukraine’s corrupt institutions and securing the country against the daily cyber onslaught from Russia.

Now, three years later, in the woods of New York state near his kids’ summer camp, Shymkiv fixated on his phone screen as texts from his Ukrainian colleagues pinged him in staccato. They reported that at around eleven-thirty in the morning computers across the country abruptly stopped working. ATMs were failing. Later the news got worse. There were reports that the automatic radiation monitors at the old Chernobyl nuclear plant couldn’t operate because the computers that controlled them went offline. Some Ukrainian broadcasters briefly went off the air; when they came back, they still could not report the news because their computer systems were frozen by what appeared to be a ransomware notice.

Ukraine had suffered cyberattacks before. But not like this one. The unfolding offensive seemed targeted at virtually every business in the country, both large and small—from the television stations to the software houses to any mom-and-pop shops that used credit cards. Computer users throughout the country all saw the same broken-English message pop onto their screens. It announced that everything on the hard drives of their computers had been encrypted: “Oops, your important files have been encrypted . . . Perhaps you are busy looking to recover your files, but don’t waste your time.” It went on to make the dubious claim that if they paid $300 in Bitcoin, the hard-to-trace cryptocurrency, their data would be unlocked.

The attack was designed to look like a national shakedown scheme. It wasn’t. The hackers weren’t after money, and they didn’t get much.

This was “NotPetya”—so nicknamed by Kaspersky Lab, which was itself suspected by the US government of providing back doors to the Russian government via its profitable security products. (The attack got its odd-sounding name because cyber-threat experts, trying to understand the inner dynamics of the attack, found elements in it that were similar to malware called “Petya” used in an attack the year before.) It didn’t seem coincidental that the malicious code detonated just before the holiday that marks the adoption, in 1996, of Ukraine’s first constitution after its break from the Soviet Union. But how had the hackers managed to freeze so many systems at once—upward of 30 percent of the nation’s computers, of many different types?

It turned out that Ukraine’s own backwardness—and an archaic remnant of its past—had played into the hands of the attackers. In true post-Soviet style, Ukraine required businesses to use a common piece of accounting software, M.E.Doc. It was clunky, it was old, but it was required by the state. Corrupting the software with malware was ridiculously easy: No one had invested in updating it in years. In fact, it used an outdated “platform” that had not even been supported by its manufacturer since 2013. No updates, no security patches.

By the time Shymkiv sped back to Kennedy Airport, his staff had discovered that the attack was no one-day event. “It turned out that bringing all those businesses down was the very end of a much bigger operation,” he told me later. For months, the forensics showed, the Russian hackers had been gathering intelligence on Ukraine’s top businesses, downloading emails and looking for everything from passwords to good blackmail material.

“Then, at the end, when they were done, they planted the bombs,” Shymkiv said. “It was like the old Soviet days: First you rob the village, then you burn it.”
