The Hunt for the World's Most Dangerous Hackers

fern • 40:31 minutes • YouTube

📝 Transcript (1027 entries):

This is the story of the hunt for the world's most dangerous hackers. [Music]

Prologue. The bears. Once upon a time, there were five bears. They all lived in Russia. [Music] Each one was different in the things they liked and in the things they did. But they shared one important trait. They're metaphors, nicknames for special units of Russian intelligence services. These units are made up of hackers. Some of the most dangerous in the world. They each have different objectives. To spy, to expose, to wreak havoc. But they're not just a threat to computers or networks. They're a threat to Western democracies. They're tools of destabilization, of psychological warfare, of political manipulation. They've already made it into the German Parliament, into the email inboxes of the country's elected officials. They threw their full weight behind Donald Trump's 2016 campaign. They travel the world working in the interest of Vladimir Putin's regime. And they've played a key role for years in Russia's brutal war against Ukraine. This documentary reveals who these hackers are, how they operate, and how we can protect ourselves from them. [Music]

This documentary is largely based on a fantastic German-speaking podcast, Der Mann in Merkels Rechner, by German investigative journalists Hakan Tanriverdi and Florian Flade. Link is in the description.

Chapter 1. The email. This story begins with that little line above the E and with Claudia Haydt. She was working in Berlin back then as an assistant to a member of the Bundestag, the German national parliament. Her office is beautiful, in the center of Berlin. It's May 8th, 2015. A warm Friday in spring. The weekend is just around the corner. She's trying to write an email to a colleague named René. Hm. The accent aigu doesn't work. Strange. She tries all the usual. Opening and closing Word, rebooting her PC. Nothing fixes the issue. The Bundestag has its own internal service hotline for that kind of thing. 117.
She tells the IT guys that she thinks her PC got infected with some kind of malware. Perhaps a Trojan. But they don't take her seriously. At this point, no one realizes how serious the situation really is. There really was a Trojan on Claudia's computer. She'd been hacked. But it wasn't just her device. While she's still on the phone with 117, hackers are already deep inside the Bundestag's systems. They're working on behalf of the Russian military intelligence agency, the GRU. Putin's bears are running wild right through the very heart of Germany's political system.

8 days earlier, on April 30th, 2015, dozens of MPs and their staffs received an email. It looked official, as if it came from the United Nations. The subject line referenced Ukraine and its economic situation.
It's just a year after the annexation of Crimea, Russia's first military incursion into Ukraine. The military operation is now underway in eastern Ukraine. The capital Kyiv and other Ukrainian cities have been hit by air and missile strikes over the past several hours. The situation in Ukraine was already a red-hot political issue. You had to stay informed. And if the UN sent something around, Claudia Haydt and many others clicked. That single click was enough. Malware installed itself quietly in the background. No pop-ups, no warnings. The infection was silent, and from that moment on, the hackers had access. Their objective was clear. Gain administrator rights. With those, they had the digital equivalent of master keys: access to everything, the power to change anything. And they got what they came for. They broke into areas of the system that should have been completely off limits. That's how they were able to push deeper and deeper until they had essentially taken over the Bundestag's IT infrastructure. It was a sophisticated operation, carefully planned and executed. The attackers moved laterally, jumping from computer to computer, scanning for valuable information, documents, emails, anything of use. Eventually, they reached two machines inside a parliamentary office of the Conservatives. And not just any office. Angela Merkel's, the German chancellor at the time. [Applause] The Bundestag hack is one of the most serious cyber attacks in German history. It will set off a large-scale international investigation and eventually arrest warrants that had once seemed unimaginable. And yet, inside the Bundestag itself, the attack goes unnoticed for quite some time.

Back to that Friday afternoon call with 117. Claudia is frustrated with how unhelpful the first hotline call had been. So, she does what most people do in that situation. She calls again, hoping the next person might actually understand what's going on.
But even the second person on the line doesn't take her seriously. Angry and fed up, Claudia decides to just shut down her PC and go home. It is Friday after all, and the weekend has already begun. [Music] On Monday morning, an IT staffer remotely logs into Claudia's machine and reinstalls Word, which of course doesn't fix anything. By the afternoon, someone finally comes in person, but even they don't catch that there's a Trojan on Claudia's PC. By this point, the hackers have already been inside the system for at least 2 weeks. And still, almost no one realizes that this might actually be a cyber attack.

Meanwhile, over in the UK, a cyber security firm has been keeping an eye on a suspicious foreign server, one that had been used for previous cyber attacks. Suddenly, that server establishes a connection to machines inside the Bundestag network. The firm alerts the Federal Office for the Protection of the Constitution. A day later, the warning reaches both the Bundestag's classified information office and the Federal Office for Information Security, BSI, in Bonn. Thanks to German bureaucracy doing what German bureaucracy does, the warning takes a brisk 3 days to actually land. Finally, someone realizes what's happening. The BSI sends a special team to Berlin. Their job: comb through the logs. Those are automatic records on computers that track what happened, when, and how. Which programs were opened? What was clicked? What ran in the background? All of it. The BSI team needs to figure out three things. Is this a major attack? Yes. What are the hackers after? Probably stealing data. And are they still inside? Very much so. The team doesn't hesitate. They shut down the entire network. From the outside, it looks like someone just ripped the plug out of the wall. Claudia watches her computer power off like it has a mind of its own, like it's haunted. She half expects the lights to flicker next.
That same day, Der Spiegel broke the story, the first media outlet to report on the cyber attack. Politicians found out from the news, not from internal channels. From that moment on, chaos took over. Lawmakers were furious. No one could work properly. No emails, no access to documents, no reports. And this isn't a movie. You don't just kick the hackers out and move on. The network is giant, messy, and hard to control. The response team had to fight their way through it, trying to stop any further data theft and wrest back control. It took weeks to clean the system. During that time, MPs and their staff could only use certain parts of the network. No one knew if the hackers were still reading their emails. Important notes were suddenly written down by hand again just to stay safe. The Bundestag's IT security was clearly overwhelmed. It faced intense criticism in the months after.

When the dust finally settles, the investigation into the perpetrators begins, and the trail points to Russia right from the start. On Claudia Haydt's computer, investigators find malware called X Tunnel. X Tunnel functions like a real tunnel, a direct continuous link that allows attackers to access the network whenever they want. Inside the code, analysts uncover connections to a server believed to be used by a group known as APT28. APT stands for advanced persistent threat. It's a label used for hacker groups that are not only highly skilled, but also extremely patient. The kind of intruders who don't just strike and vanish, but stay deeply embedded, sometimes for years. By all accounts, APT28 is a Russian group, and it also goes by another name, Fancy Bear. Fancy Bear operates under the GRU, Russia's military intelligence service. The group is notorious. This is where they work, in what's known as the Aquarium in Moscow. No one knows who they really are. No names, no faces, not even how many of them exist. But one thing is clear. They do whatever it takes.
They'll stop at nothing, not even the computer of the sitting German chancellor. Ironically, it's there in that highly sensitive office where one of the hackers slips up. They managed to break into a computer in Angela Merkel's outer office, her personal machine, her inbox. It's exactly what they were after. To extract the emails, one of the hackers writes a custom program. The tool is designed to copy her Outlook inbox and send that copy to a server they control. The program is called VSC.exe. But there's a problem. While coding, the hackers make a mistake. To locate and extract the files, VSC.exe needs to follow a specific file path. And that path includes the word "Büro". But the program doesn't recognize the German ü. Instead, the character shows up as a garbled symbol, a question mark followed by R O. So, the program can't find the folder. For a moment, the entire operation stumbles over the quirks of the German language. Realizing the attack might be exposed at any moment, the hackers panic a little. Under pressure, they decide to rewrite the code. This time, they tell the program, "Expect German. Expect that ü." Then they try again. And this time, it works. The tool successfully copies the inbox and sends it out. It's not Merkel's correspondence from the Chancellery, but still a huge win for the attackers.

But the hackers messed up. Maybe from the rush, maybe out of nervousness. In the code of the program, investigators later discover a critical detail. The hacker forgot to delete the name of the computer he was working on. The path reads, "C:\Users\Scaramouche." Scaramouche is a clown-like character from Italian theater. People might also recognize the name from Bohemian Rhapsody. [Music] That's the hacker's alias, his handle. In secret, Scaramouche and his team become high priority targets. The Federal Public Prosecutor's Office opens an investigation on suspicion of espionage, and Angela Merkel later calls it an act of hybrid warfare.
But publicly, the German government keeps quiet at first. No accusations, no pointing fingers. In total, around 16 GB of data is believed to have been stolen from the Bundestag network, though no one knows for sure. 16 GB doesn't sound like much, right? Just an old USB stick. But in context, it's a lot, especially if we're talking only emails. 16 GB contains a staggering amount of information. Hm. Is that really the end of the world, though? A little espionage here and there. Business as usual. Sure, they stole some files, but what could they really do with that? Then came the US presidential election in 2016. Putin's bears show what they're really capable of. The Clinton campaign won't confirm or deny the veracity of any of the emails posted by WikiLeaks. What lines they're willing to cross and just how much chaos a few gigabytes can unleash. [Music]

Chapter 2. The Orange. In mid 2015, Donald Trump announces his candidacy. At first, no one really takes him seriously, but because he's so different, so unfiltered, saying things no one else would dare, the media can't stop talking about him. And Mexico will pay for the wall. I could stand in the middle of Fifth Avenue and shoot somebody and I wouldn't lose any voters. Okay. One outrageous statement after the next dominates the headlines. ISIS is honoring President Obama. He is the founder of ISIS. He's the founder of ISIS. There's public outrage, disbelief, and widespread support for him. I don't know what I said. Uh, I don't remember. By early 2016, Trump is no longer the oddball outsider. He's now the Republican front runner, going head-to-head with Democrat Hillary Clinton. Half a world away in the Kremlin, Vladimir Putin is watching closely. He doesn't like Hillary Clinton, not one bit. The two have history. Back in 2011, Clinton was the US Secretary of State when Russia held national elections. She publicly questioned whether the vote had been rigged, and massive protests followed across the country.
Putin accused the US of stirring up those demonstrations. He never forgave her for that. Politically, she had been one of his toughest opponents for years. Later, the European Court of Human Rights confirmed that the 2011 Russian election was in fact manipulated. Putin clearly is rooting for the other guy, the loud billionaire. Trump, for his part, has repeatedly praised Putin in the past. He sees Putin as a strong leader, someone he thinks he could get along with as president. So Putin consults with his three intelligence agencies and makes a call.

March 19th, 2016, an email lands in the inbox of John Podesta, Clinton's campaign manager. The message looks like a standard Google security alert. Something about suspicious activity and a prompt to reset the password. But Podesta double checks with an IT staffer at the DNC to be sure. Unfortunately, the staffer replies that the email is legit when he actually meant the opposite. Just one typo with massive consequences. Podesta assumes the message is safe, clicks the link, and enters his login on a fake site. That's it. The hackers are in. They now have access to internal communications, emails, and nearly everything tied to the campaign. They're part of Fancy Bear, the same group tied to the Bundestag hack. They steal 50,000 of Podesta's emails. The tactic is known as phishing, casting bait and waiting for a bite. Spear phishing, more specifically, as it's tailored to a specific person. With the same approach, Fancy Bear targets 300 more people inside Clinton's campaign. No one knows how many fell for it. In early April, they go after another key target, the Democratic Congressional Campaign Committee, DCCC, a central player in the Democratic election machine. Using more convincingly real-looking emails, they manage to steal the credentials of at least one DCCC employee. And just like that, they're in again. Once inside, Fancy Bear uses two main types of malware, X Agent and X Tunnel.
The latter is the same tool used in the attack on Claudia Haydt's computer in Berlin. While digging through the DCCC, the hackers find something even more valuable. Credentials that let them slip into the Democratic National Committee, DNC, the heart of the party. There they uncover detailed documents on campaign strategy, including a file on Trump full of potentially damaging information. In early May, the intrusion is finally detected. The DCCC and the DNC hire a cyber security firm to clean house, a process that will stretch all the way into October. But the Democrats should have discovered the hackers much sooner. [Music]

In a small, unremarkable office in Moscow, another set of hackers is quietly at work. This group is known as Cozy Bear, most likely working under the SVR, Russia's foreign intelligence service. They've been inside the Democrats' network since June 2015, far longer than Fancy Bear. As strange as it sounds, Cozy and Fancy Bear probably weren't even aware of each other. They had different bosses, didn't talk, didn't collaborate. Cozy Bear is known for being quiet and methodical, targeting all kinds of institutions without leaving much of a trace. But this time, someone's watching them. In 2014, Dutch intelligence pulled off an incredible hack. They gained access to surveillance cameras in the very building where Cozy Bear operates. They're literally watching the hackers at work. That's how they realize Cozy Bear is crawling through the DNC systems. So, the AIVD warns the American counterparts early on. That warning eventually reaches the FBI. By September 2015, an agent in Washington calls the DNC to let them know Russian hackers are inside their systems, but the warning goes nowhere. The call lands with lower level IT staff and is more or less ignored. Senior leadership at the DNC later claimed they didn't even know about it at the time. The hackers could have been discovered much earlier.
If anyone had looked more closely at Cozy Bear, they likely would have seen Fancy Bear, too. And if that had happened, the summer of 2016 might have unfolded quite differently. But it didn't.

Back to spring 2016. Fancy Bear launches a website, dcleaks.com, and starting in June, they begin dropping bombshell after bombshell. They invent a fake identity, Guccifer 2.0, a supposed Romanian lone wolf behind all the leaks. Guccifer gets a blog, reaches out to journalists, and offers up stolen files. The DNC hack dominates the headlines. It becomes breaking news on TV. Suddenly, internal dirt from within the Democratic Party, rumors, backroom deals, tensions, is out in the open. It's a major blow to Hillary Clinton's campaign. The emails appear to show the DNC clearly favoring Clinton over Bernie Sanders, even though they were supposed to stay neutral. There's content about what she earned for Wall Street speeches and even alleged anti-Catholic bias. Trump jumps on the scandal. At a rally, he famously says, "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press." At that point, Clinton is already under pressure over her use of a private email server while serving as Secretary of State. The FBI confirms she also deleted private emails from that account, which makes people believe that she's hiding something. Trump seizes the moment, tying that controversy to the flood of new leaks. That very same day, Fancy Bear sent 76 spear phishing emails to Clinton's staff. The impact of the leaks on Clinton's campaign is huge. Maybe not the deciding factor, but they definitely give Trump a boost over and over again. What started as chaos turned into something more focused, a clear attempt to help Donald Trump. Just over a month before election day, the hackers hand over John Podesta's emails to WikiLeaks.
And then week after week, those emails are released strategically, some more dramatic than others, but all grabbing headlines. The constant drip of leak material creates a lasting impression. Something shady is going on inside the Democratic party. Clinton loses momentum. She's forced to shift her message and constantly defend herself in the press and directly against Trump in public debates. The leaks are part of something bigger. Fancy Bear is supported by a digital army of trolls. For example, operating out of this building in St. Petersburg. They flood social media with manipulated content and polarizing posts. Some even succeed in organizing real life protests across multiple US cities. [Music]

Hillary Clinton loses. Donald Trump becomes president. It's nearly impossible to measure how much influence the hacks and disinformation had, whether they tipped the scales, but many experts like Kathleen Hall Jamieson agree they had an impact. Russia to some extent successfully interfered with the 2016 US election. It's widely seen as the most effective hack and leak operation ever pulled off. Steal data, release it strategically, and fan the flames of chaos. The idea that states spy on each other isn't new. But taking that intelligence and throwing it into the public to deliberately sway an election, that's something else entirely. If hackers can get their hands on internal data, release it at the perfect moment, and shape public opinion, what does that mean for the future of democracy? If a foreign power can mess with the core of another country's democratic process, that's not just hacking. That's destabilization. And it's part of a broader pattern made to erode public trust in democratic institutions. Democracies are at a disadvantage in this fight. A dictatorship can flood the internet with state media, bots, fake accounts, leak operations and watch as the public sphere and open society fragments and turns against itself.
Meanwhile, inside the authoritarian regime, nothing wobbles. Dissent is crushed quickly and publicly. The United States only realizes what just happened after the elections have already passed. The CIA, FBI, and NSA compiled their findings in a highly classified report. In early 2017, a redacted version is released to the public. One sentence stands out as especially alarming. We assess that Moscow will apply lessons learned from its campaign aimed at the US presidential election to future influence efforts worldwide. The sheer aggression and skills of these cyber operations, especially in the US, opens many people's eyes. They realize this isn't just spying, it's sabotage.

In Germany, alarm bells start ringing, too. There's a federal election coming up in 2017. What does all of this mean for them? Then a new website pops up. btleaks.com. BT like Bundestag. Just like dcleaks.com. Suddenly, everyone is on edge. Variations like btleaks.org start appearing too. German authorities notice that someone is registering these sites, and panic starts to set in. Is the world about to see a repeat of the US playbook? In early May 2017, Angela Merkel travels to Russia for the first time since the Bundestag hack. She meets Putin at his summer residence in Sochi. There she confronts him. Putin insists that Russia never interferes in the internal affairs of other nations. Merkel replies firmly, "I assume that German parties will handle their election campaigns among themselves." A clear warning: stay out. In the end, the 2017 German election isn't rocked by any major leaks. To this day, no one knows for sure what happened to the stolen 16 GB from the Bundestag hack. There's never been a single public leak directly tied to that data. But then again, maybe there doesn't need to be. Maybe the information was used in some other way. Quietly, tactically. Meanwhile, the hunt for Scaramouche continues. It'll be a while before his identity is finally confirmed.
[Music] Some of his colleagues aren't so lucky. [Music]

Chapter 3. The cleaning crew. April 10th, 2018, a passenger plane from Moscow lands at Schiphol Airport in the Netherlands. Among the passengers, four Russian men. They look like typical business travelers, Alexey Minin and Oleg Sotnikov. Both in their 40s, seem cheerful. Behind them walk two younger men, Evgenii Serebriakov and Aleksei Morenets. According to their passports, they're diplomats. A sharply dressed man from the Russian embassy meets them in arrivals and escorts them out of the airport. But they aren't here on official duty. They're part of a special unit trained to carry out covert foreign operations. Minin and Sotnikov handle reconnaissance. Serebriakov and Morenets are the hackers. They rent a small car and drive to The Hague. They stop at an electronics store to buy a heavy duty 12-volt battery and a charger, then check into a hotel. The next day, Minin heads to OPCW, the Organization for the Prohibition of Chemical Weapons. That's an international body that investigates chemical weapons use and checks compliance with global conventions. The OPCW has just finalized its report on a high-profile case. Sergei Skripal and his daughter Yulia were found unconscious on a bench in Salisbury, UK, after being poisoned with Novichok, a nerve agent developed in Russia. The OPCW report confirms the British findings. Minin scouts the site. He photographs the OPCW building and the Marriott Hotel next door. 2 days later, April 13th, the group plans to strike. Time is short. What they don't realize is that they're being watched. From the moment they set foot into the country, they've been under surveillance by the Dutch Military Intelligence Service, MIVD. For the original version of this documentary, we interviewed a senior MIVD official. Due to rights restrictions, we had to cut those segments from this adaptation. He couldn't help but grin when describing their transport.
A rather small car for a bunch of guys tightly cramped in there. The agency follows them closely, but how did they even know to look for them? Apparently, the MIVD received intelligence that members of APT28 would be flying in. Fancy Bear again. According to the Guardian, the original tip may have come from British intelligence.

April 13th, the operation begins. The four men drive to the Marriott Hotel and park close to the OPCW building. The car's rear faces the compound. The trunk is packed with equipment. The battery and a voltage regulator power a computer which is connected to a laptop in the front. Serebriakov and Morenets use it to execute the hack. The key component is a flat panel Wi-Fi antenna hidden under a jacket, connected via USB. It mimics the OPCW's real Wi-Fi network. Devices inside might autoconnect, believing it's legit. Once they connect, the hackers can steal credentials. With those, they could slip into the OPCW's internal network. The likely goal: steal or undermine the Skripal findings or discredit the organization through a leak. But they don't get that far. Dutch authorities move in. Two unmarked vehicles roll quietly onto the lot. Then sudden action. Doors fly open. The four men are taken down. One tries to destroy his phone, kicking it repeatedly, but fails. Then comes the search. There's a plastic bag filled with trash from their hotel room, beer cans, receipts, a half-hearted attempt to cover their tracks. Also, €20,000 and $20,000 in crisp bills. Most incriminating of all, a taxi receipt in Morenets' bag, documenting a ride from the GRU barracks to the airport on the day of departure. The team's devices tell an even bigger story. One phone was activated just the day before their trip. Its first signal pinged a tower right next to the GRU headquarters. The laptops reveal a broader mission trail. Serebriakov had been in Lausanne in 2016, likely targeting the World Anti-Doping Agency.
Breaking news out of Lausanne, Switzerland, where Russia has been handed a 4-year ban by the World Anti-Doping Agency. In December 2017, he was in Kuala Lumpur, where he reportedly tried to hack the Malaysian police. The agency then investigating the MH17 plane crash. Malaysia Airlines flight MH17 crash landed in eastern Ukraine. That flight was brought down by a Russian-made missile over eastern Ukraine. And the team wasn't planning to stop at the OPCW. They had train tickets from Utrecht to Bern, Switzerland, likely headed for the Spiez Laboratory, which was also analyzing Novichok. Sometimes hackers need to get physically close to their targets. Sending phishing emails isn't enough. You need to know what kind of networks are in place, what security measures are active, and sometimes even watch the people going in and out. German journalists have nicknamed them the cleaning crew because they show up after something major has gone wrong and try to clean up or spin the story. For the MIVD, this was a major win, and they decided to take it public. Usually, they don't disclose their operations, but this time they had a press conference 5 months later. The four men were eventually released and sent back to Russia, likely for diplomatic reasons. Their mistakes seem amateurish. Why keep that taxi receipt? Well, these aren't mythical hooded figures. They're civil servants, hackers on a schedule, assigned tasks, bad coffee, strict rules. They just happen to work for an authoritarian regime and weaponize code. Russia, of course, denies everything. The men were supposedly just on a routine trip. Of course, nothing screams routine like a flat panel antenna in the trunk.

This strange hotel parking lot escapade shows something important. Putin's bears can be stopped. Germany has fended them off. A conservative-linked NGO was targeted, but the attack failed. In France, Macron's 2017 campaign fended off a similar attack. And in the US, the response came loud and clear.
In 2018, they decide to send a message. That February, the US Department of Justice indicts 13 Russian nationals and three Russian companies. They're accused of deliberately interfering with the American political system. Not long after, another sweeping indictment is released. This one focused specifically on Fancy Bear. The FBI outlines exactly how they trace the DNC hack back to individual Russian operatives. Multiple names are listed, all Russian citizens. According to the investigators, they work for Russian intelligence. The hackers remain safe in Russia. No arrests follow. But one thing is clear, much of the world is now off limits to them. And this isn't just about naming names. It's a clear line in the sand. There are boundaries and these operatives cross them.

One name stands out to German investigators. One of the men listed is believed to use the alias Scaramouche. The same alias linked to the VSC.exe program. His real name is Dmitri Badin. He's the man who broke into Angela Merkel's computer. Today he's 32 years old. Investigators found out quite a lot about him. They have photos of him. Young face, dark blonde hair, shoulder length now. He's from Kursk, married, reportedly has a daughter, lives in a town just south of Moscow. He listens to music while he works. Russian rock, techno. According to forensics, he even streams football matches while hacking. He's a big fan of Cristiano Ronaldo, apparently. In many ways, he seems like an average guy, but he's a government hacker serving in a regime that targets Western democracies. In May 2020, the German federal public prosecutor files charges against Badin as well.

After the first wave of indictments in 2018, Vladimir Putin sat down with NBC for an interview. There he was confronted with the allegations. 13 Russians and three Russian-owned companies have been indicted by a special prosecutor named Robert Mueller in the United States for interfering in our election.
Why would you allow an attack like this on the United States? Why have you decided the Russian authorities, myself included, gave anybody permission to do this? If the 13 Russian nationals plus three Russian companies did in fact interfere in our elections, is that okay with you? I don't care. I couldn't care less. Putin's bears were never captured. Their operations weren't dismantled. This isn't a story with a clean, satisfying ending. Quite the opposite.

Chapter 4. The satellite. February 24th, 2022. A cold night in Moscow. The day has barely begun. [Music] A quiet man heads to work earlier than usual. He's riding the metro. [Music] At Polyska station, he gets off. From there, it's a 10-minute walk. He's a little on edge. Lights a cigarette. He works for the GRU in the Aquarium. He's part of unit 74455, better known abroad as Sandworm or Voodoo Bear. At his desk, he pulls up a chair. Time to go to work. [Music] He and his colleagues have spent months preparing for this moment. Now it's just a few final clicks. [Music]

Meanwhile, in Austin, Texas, it's still February 23rd. A senior executive at Viasat, a satellite internet provider, is just settling into his evening. Viasat's tech is known for being dependable, especially in remote areas. Suddenly, his devices start lighting up with automated warnings. They're coming from Ukraine. Two of Viasat's ground stations are under attack, flooded with malicious data packets. Internet from satellites doesn't actually come from space. It's routed through ground stations. If those crash, nothing gets through. And now they're overwhelmed. So overloaded, they can't deliver connectivity at all. But the Voodoo Bear operative in Moscow isn't finished yet. These kinds of attacks can sometimes be fended off, but this one keeps escalating. Internet providers usually have remote access to their customers' modems. That's how they push software updates. That access, of course, should be highly secure. In Viasat's case, it wasn't.
Voodoo Bear had already infiltrated months earlier. The hackers send a command to the modems, forcing them to download malicious code that wipes login credentials stored on the devices. Without those credentials, the modems can't authenticate, can't connect, and go completely offline. The attack spreads fast. The senior manager stares at his screen in disbelief. 30,000 modems across Europe are now nothing but e-waste. In Germany, 5,800 wind turbines go offline. In a small village in Sweden, the internet vanishes. And in Ukraine, Viasat's biggest customer is the military. Suddenly, across army installations, there's tension. The communication infrastructure is being hit. Right as reports flood in from the borders. Russian troops and armored vehicles are pouring in. The invasion, long looming like fog, has begun. Ukraine is hit from three directions. Missile strikes. Commands are shouted. And amid the chaos, a terrifying thought spreads. What if the comms go down? What if the command dashboards fail? Surveillance feeds cut to black. The Viasat attack was a highly effective cyber strike, perfectly timed with the invasion. But for Ukraine, it wasn't a new experience. Ukraine has been in Russia's cyber crosshairs for years, not just since the invasion in 2022, but dating back to 2014 after the annexation of Crimea. That year, Russia tried to hack Ukraine's elections. In 2015 and 2016, Voodoo Bear took down parts of the country's power grid, each time for hours. In 2022, they tried again. This time, they failed. Russia often tests tactics like election interference in Ukraine before deploying them elsewhere. That's why Ukraine is sometimes called Russia's cyber test battlefield. The war has now been raging for over 3 years and all of Putin's bears are involved. They attack government systems and major companies. They spy, they leak, they fuel disinformation campaigns. But Ukraine, it seems, is defending itself formidably, not just on the ground, but also in cyberspace. 
And they're not alone. Today the country is supported by several leading Western cyber security firms. Epilogue. Trains. Putin's bears are still out there, as dangerous as ever. Hakan Tanriverdi is one of the journalists we interviewed for this video. Not long ago, a colleague of his received a mysterious leak. A batch of internal documents from a Russian company called NTC Vulkan. It supplies Russian intelligence services and the military with cyber weapons of all kinds, and their internal documents are chilling. Among other things, Russia seems to have been mapping out what to do once a territory is conquered, how to bend it, break it, remake it. Beyond that, they're experimenting with control over foreign critical infrastructure. For example, they're testing if they can slow down trains. And if you can slow down a train, well, then you can speed it up, too. One thing is certain. We haven't heard the last of the bears. Not by a long shot. And in the years ahead, we'll have to stay alert. Learn to spot their traps, their tricks, their carefully laid bait. Because once they're inside, it rarely ends well. [Music]