Illustration by Darrel Frost

The Hacker

Runa Sandvik has made it her life’s work to protect journalists against cyberattacks. Authoritarian regimes are keeping her in business.

April 17, 2023


Getting hacked is very much like catching a nasty flu. It begins with an infection of malware—malicious software that spreads across a network—and ends with a feeling of deep enfeeblement. In late 2012, not long after the New York Times reported on a corruption scandal involving China’s former prime minister, the newsroom got a bad case. AT&T, which maintains the Times’ servers, notified the company that suspicious activity had been detected on its network. An internal investigation revealed an attack on a dramatic scale: Chinese hackers had broken into email accounts, stolen the passwords of every employee, installed forty-five pieces of customized malware, and begun spying on fifty-three employees, seeking information about anything related to the Chinese prime minister’s family. Day after day, using the methods of the Chinese military, the hackers started at 8am and worked sometimes until midnight, deploying remote-access tools, or RATs, that enabled them to steal a tremendous cache of sensitive information and even to activate a computer’s microphone and Web camera, transforming it into a secret recording device. It was a complicated and devastating infection—a near masterpiece.

It took four months of tracking for the Times to finally expel the hackers from its network. The Chinese government denied any involvement. But the more the newsroom looked into what happened, the more it became clear that the attack was part of a “far-reaching spying campaign,” according to a Times report, that pried into multiple outlets; the Wall Street Journal soon confirmed that Chinese hackers had broken into its system, and there were attempts made on the Washington Post and Bloomberg. The event ushered in a stunning realization for journalists: that the most powerful asset they had—confidentiality for their sources via secure channels of communication—could no longer be guaranteed. Not only were news organizations vulnerable to cyberattacks, they were targets.

Runa Sandvik was living in London when she first heard about the hack—and it stunned her. She was twenty-five at the time, a cybersecurity expert working for a grassroots operation aiming to help anonymize the internet. A few years later, she was called into an interview at the Times headquarters for a new role: head of information security. Sandvik was told that the newsroom wanted to hire someone who could ward off the possibility of another major attack and help reporters deal with cybersecurity threats as they arose. Sandvik was the obvious person for the job. “She’s been the first in so many instances,” Susan McGregor, a researcher at Columbia University’s Data Science Institute, told me. “She appreciates the vagaries of journalism and what it looks like to work through censorship resistance from inside a news organization.”

“It comes back to being really curious about things and really enjoying the puzzle that goes into figuring out how to secure a system or a person,” Sandvik told me recently. Now thirty-six, Sandvik lives in New York with her husband, Michael, who is also in cybersecurity. She departed from the Times a few years ago and has since started her own consulting firm, Granitt, where she advises journalists and other at-risk people (lawyers, activists) on how to keep their data safe from hackers—many of them the hired hands of authoritarian regimes. Sandvik is originally from Oslo; the name of her company is the Norwegian word for granite. “I wanted the name to reflect the work I do,” she said. “Something consistent and stable and solid.”

Sandvik speaks with an air of tranquil Scandinavian directness. Petite and sinewy, she often wears tight workout tanks and oversize hoodies, as if she is perpetually about to head to the gym. Extending the length of her right forearm is a veiny black tattoo designed by a French artist she discovered on Instagram. In addition to being one of the world’s top information security experts, Sandvik is something of a professional hobbyist: she has a motorcycle license and a scuba license; she enjoys snorkeling with sharks—“You float on the surface like a little snack,” she said—and pole dancing. For fun, a few years ago, she and Michael figured out how to hack into a Linux-powered sniper rifle. (When they emailed the vendor to report the safety flaw, the vendor ignored their message and notified clients of a potential security breach, with assurances that the guns were safe—“if you are confident no hackers are within 100 feet.”)

Over the course of our conversations, Sandvik maintained a guarded circumspection that at times verged on paranoia. We communicated exclusively through encrypted channels, even when discussing innocuous things, like making plans to meet up or sharing article links. She expressed a wariness of the internet, of how and where her data was stored. She was, in other words, privacy obsessed. When I asked Sandvik what would be required to make yourself entirely safe from cyber threats, she replied: you wouldn’t be online at all, and you would have to live in the forest. I often found her prudence perplexing. I wondered if there were things she was hiding from me—an awareness of risks that only someone with her expertise could appreciate. Or if, in her affable bluntness, she simply wanted to convey that most of us are blind to the surveillance dystopia in which we live.

About a decade before the rest of the world started to realize that the internet was not a private place, Sandvik was deeply enmeshed in the “small and growing community of computer geeks” trying to make it more secure. Sandvik was self-taught: her first contact with a computer came at the age of fifteen, in 2002, when her mother brought home a brand-new HP Compaq Windows Millennium Edition. The computer was boxy and took up a lot of space. Sandvik was eager, as she put it, “to understand how to do things I wasn’t supposed to do.” She quickly figured out how to hack into other computers using something called a Trojan—malware disguised as an image file or a website link—which gave her access to a target’s entire interface. “I didn’t feel like I was invading or doing something illegal,” she said. She tried it out on friends, many of them fellow members of Oslo’s burgeoning hacker community. She’d go to Local Area Network (LAN) parties, where teenagers gathered with their laptops, sound systems, strobe lights, and energy drinks for sleepless weekends to play computer games, break into one another’s networks, and “chat” online. When I asked Sandvik whether she ever just talked with the person sitting next to her at one of these parties, she furrowed her brow and said, “That’d be weird.”

Life in Oslo was generally quiet. Sandvik’s father worked for a big pharmaceutical company; her mother worked at a hospital. “I wasn’t a superfan of the school I went to; socially I was having a hard time,” she said. “I was like, ‘Okay, well, it’s either going to get better, or it’s going to be the same. So might as well try to make it better.’” She left home at seventeen. In Trondheim, to the north, she enrolled at the Norwegian University of Science and Technology. Then she followed a guy to London for a while. She got a job as an “ethical hacker” at a consulting company, where she was tasked, essentially, with attempting to break into clients’ networks to reveal security flaws in their systems. The position was a stable nine-to-five, but she was bored.

In 2009, Sandvik started hearing whispers about Tor, open-source software that could guard against surveillance and censorship. When I met up with Sandvik at a coffee shop, she explained how Tor worked by creating a maze of paper cups on the table. When someone is using a virtual private network—a VPN, which disguises an internet user’s identity and location—that person’s connection goes from the browser on her computer to a VPN server in, say, Germany: coffee cup number one. The person’s internet service provider sees that she has connected to that server in Germany, but the website she’s visiting—say, Google, or coffee cup number two—will see just the server in Germany. VPNs are commonly used in countries with authoritarian governments, or anywhere people face restrictions on internet use. But they don’t necessarily provide anonymity, because a VPN provider knows who is browsing where. With Tor, she said, rather than pass through one VPN server, an internet user will pass through randomly selected coffee cups one, two, and three—until they are entirely untraceable.

Tor fascinated Sandvik. “Growing up in Norway,” she said, “the rest of the world was always just the rest of the world. The idea that I could in some way be censored or punished for saying something for my writing or expressing something was not even on my radar.” Tor made her feel connected to people across the internet, those with fewer rights than she enjoyed—and it presented a way for her to help them secure their privacy and freedom. Sandvik went to work at the Tor Project, a nonprofit dedicated to building Tor software. The relationship with the guy in London ended; she met Michael at a hacker conference. After a year of dating, they eloped, and she moved to be with him in Washington, DC.

Sandvik arrived in the United States in 2013, in the wake of the Arab Spring. Activists were using the internet in unprecedented ways. They were also being tracked as never before. “I saw how it was harder for people to access social media; governments started looking for ways to block Tor,” she said. In her new job, Sandvik worked with activists and journalists, and started asking herself questions: “Why is it that people in Ethiopia are having a hard time using the Tor sideboard?” “Exactly what is going on in Ethiopia?” “Why isn’t this piece of technology working the way that it should?” “Why is what these people are doing—the activists, the researchers, the journalists—somehow so contentious or problematic in the eyes of the government?” These questions led her into a new alcove of the tech industry: working as a privacy and security researcher for a nonprofit called the Freedom of the Press Foundation.

Sandvik had found her niche. She traveled the world, meeting far-flung members of her cohort at conferences and parties. One day in 2012, she and Michael headed for a vacation to Hawai‘i. Before the trip, Sandvik sent out a tweet advertising Tor swag. She received an email from a guy who introduced himself as Ed. “If shirts are available, black is preferable,” he wrote. Sandvik replied, saying that she’d be happy to supply him Tor attire. Then Ed wrote back, asking if she wanted to cohost a “CryptoParty” while she was in Honolulu—an underground gathering of Evangelists for Digital-Surveillance Wariness. Together, in a designer showroom, they gave presentations to about twenty people on how to encrypt their hard drives and browse the internet anonymously. “Ed” turned out to be Edward Snowden.

Afterward, they kept in touch. Six months later, Snowden’s face was plastered on the front page of every major news outlet in the world. Sandvik was stunned by his decision to leak highly classified material, but she thought it was courageous. “There was definitely a ‘Holy shit, this is huge’ moment in my mind,” she said. She’d seen firsthand how authoritarian regimes censored their citizens by controlling the flow of information, though she hadn’t suspected that it was happening in the United States. Reading what Snowden exposed was revelatory. “That really demonstrated that not only does the government have the tools and the ability,” she said, “but they’re doing it.” She began to see privacy as a cornerstone of a healthy democracy, one that was now under threat. She also viewed privacy as a basic human right. To surveil someone’s personal online data is not just a violation of their privacy, she told me: “What you’re taking away from me would be autonomy.”

The Snowden revelations coincided with rising awareness among newsrooms that they were likely targets of cybersecurity attacks. At the Times, Sandvik was sent to bureaus in DC, London, Hong Kong, mainland China, Moscow, and Sydney to check out and upgrade their digital security. She was also on call whenever journalists needed advice. It was a dream job. “I’d walk home from work and know what was going to land on the front page of the New York Times the next morning,” she recalled. She developed a protocol for advising reporters in basic digital hygiene: use a password manager that generates unique and complicated passwords, set up two-step verification codes to access accounts, communicate exclusively on encrypted apps such as Signal, be wary of third-party services that produce quick AI-transcribed interviews. However familiar that advice may seem now, it wasn’t common practice then. “I remember straightaway being impressed by how helpful she was,” Malachy Browne, who works on the visual-investigations team at the Times, told me.

Sandvik also dealt with unconventional scenarios, like what to do if Chelsea Manning left you a voicemail, and how to safely send a reporter to North Korea. Browne met with Sandvik while conducting an investigation into a Russian bomb attack on Syria; after working on another sensitive story about Russia, he discovered that someone had created a Facebook account duplicating his own. Soon, the dummy account was shut down and Browne was handed a device called a YubiKey: a physical key that can be used to unlock two-step verification. Sandvik showed me her own YubiKey, a small black USB stick. When I asked what accounts she used the key for, she pursed her lips sternly. “No comment.”

During Sandvik’s tenure at the Times, one of the biggest security threats to journalists in the history of digital surveillance was unfolding: an Israeli startup called NSO Group unveiled spyware that provided invisible access to a target’s smartphone. Pegasus, as it was called, could turn someone’s phone into a secret recording device, activate its camera, and extract text messages, contacts, emails, and GPS locations. According to Citizen Lab, a research organization focused on internet security, starting around 2016, Pegasus was deployed by government agencies in at least forty-five countries—some known for authoritarianism, others putatively democratic—all willing to pay a hefty baseline installation fee of five hundred thousand dollars and, depending on the scale of the project, to spend as much as ten to two hundred fifty million dollars on a successful hack.

For journalists, Pegasus was a disaster. The first confirmed case at the Times came from Ben Hubbard, who was then a correspondent in the Middle East. One day, Hubbard received an odd link, written in Arabic, inviting him to attend a protest at the Saudi embassy in DC. He knew not to click on the link, but it didn’t matter. Only years later did he come to learn that hackers had infiltrated his phone multiple times, using an eerie new “zero click” technology that was able to access, in real time, Hubbard’s contacts, photos, messages, possibly even his bank accounts. The hack also involved wiping evidence of its first entry into the device. “It’s like being robbed by a ghost,” Hubbard wrote. “Picture a thief breaking back into a jewelry store he had robbed to erase fingerprints.”

From a “purely technical point of view,” Sandvik found Pegasus “fascinating.” Here was malware that could hack into someone’s device without their knowledge, finding ways to leverage already installed apps and bugs in the Apple and Android operating systems. “I’d always thought something like Pegasus was within the realm of possibility,” she said. But how NSO Group made it work was like nothing she’d ever seen. She created a public database to keep a record of those who had been infected. The list quickly grew to more than six hundred—and included many journalists.

Lately, Sandvik has been consulting on a major Pegasus case: reporters at El Faro, a newspaper in El Salvador, were infected last year, and they are now involved in the first lawsuit on US soil against NSO Group. Their lawyer, Carrie DeCell, a senior staff attorney at the Knight First Amendment Institute, hopes to call into question a key element of what makes Pegasus so dangerous: the inability to identify the perpetrator of a hack. (As DeCell told me, “We want governments around the world to know that that’s not necessarily the case, that they might be uncovered.”) As part of her work with DeCell, Sandvik has helped advise the El Faro staff on how to keep their digital communications safe. But Pegasus is so advanced that there is little that she—or anyone—can do to prevent another attack. “We were already using Signal,” Nelson Rauda, an El Faro journalist whose phone was infected, told me. “It doesn’t matter. You feel defenseless.”

In 2019, Sandvik left the Times. On Twitter, she described having problems with her boss and being called “difficult, nasty, fragile, territorial, controlling.” According to a Times spokesperson, “Runa’s role at the Times was eliminated in an organizational restructuring of the information security department.” Snowden tweeted support for his friend: “They’re so incredibly wrong on this that [it] is mystifying they could arrive at such a decision. This is going to haunt them.” Sandvik felt blindsided. She took some time off to heal, adopted a cat, baked a lot of banana bread, and attended a “shark-diving and yoga retreat” in Florida.

Before long, she started receiving a stream of emails from journalists asking for advice about digital security. She was sought out to advise the Ford Foundation; she became a senior adviser for the Norwegian Armed Forces Cyber Defense Force and a member of the Technical Advisory Council for the US Cybersecurity and Infrastructure Security Agency. (She found it strange, at first, to assist the government, but as she told me, “Over the years I’ve gained recognition that we all need to work together if we are actually going to keep the world safe.”) She founded Granitt last June. So far, Sandvik is the firm’s sole employee. “She’s focused specifically on reporter protection, which is something I hadn’t heard before thought of as being a distinct subspecialty of security,” Scott Klein, an editor she’s worked with, said.

Granitt’s website consists entirely of a simple black-and-white logo. There is no description of the firm’s services, only links to social media accounts. Sandvik relies on her reputation, and word of mouth, to bring in clients. That has worked out pretty well so far: she’s been hired as a consultant to large news organizations, including Reuters and the Associated Press, and she’s taken some one-off assignments with independent journalists. Her hourly fee can run up to several hundred dollars, though she’ll sometimes do pro bono work, too. “The threat of foreign interference and stuff like that is real right now,” Ankur Ahluwalia, the vice president of technology solutions at the Associated Press, said. “Pegasus really came from left field, right? We weren’t ready for something like that. It was scary.” Patrick Boehler, an editor at Radio Free Europe/Radio Liberty, told me that, before he met Sandvik, he assumed that journalists were at the mercy of authoritarian governments. “She really taught us how to push back and reclaim some agency,” he said. 

When I met Sandvik, I’d hoped to sit in on a few client sessions. But she immediately objected: “Given the nature” of her work, my presence would pose obvious privacy problems. “When I talk to a client, the conversation is around how I can help them do their work safely, which means that they are being very open and vulnerable with me in terms of what they’re facing or lacking,” she said. “In some cases, that could mean ‘Hey, I think my phone is compromised’ or ‘We are filing a lawsuit.’” She added, “It becomes very high stakes and personal.” Instead, she suggested that I join her for an alternative form of self-exposure that she seemed comfortable with: pole dancing.

One morning, I tagged along for a class at Body & Pole, a cavernous studio in Midtown Manhattan, where she’s been going for the past five years, attending classes five to six times a week. Hoops and ropes dangled from the ceilings of strobe-lit rooms. Sandvik told me that the students included lawyers and engineers and entrepreneurs, as well as sex workers and strippers and a woman who said she was a competitive shooter. When I asked Sandvik why she loved pole dancing so much, she paused, as if she’d never considered the question. “I guess—you know that feeling when you’ve had a frustrating day, and you just want to scream out loud?” She demonstrated, making a contorted shrieking face. “That’s pole dancing for me.”

There were four pole-dancing levels at Body & Pole. Sandvik said she was around a 3.5, but she generously offered to take an introductory class with me. We met in the dressing room, where Sandvik introduced me to a few of her friends. Only a few knew she was a cybersecurity expert—it wasn’t necessarily something she hid, but as she told me, “It’s not really something that comes up in this space.” We entered a heated room, dim in the glow of red lights. Alex, the instructor, who moved jauntily around in bootie shorts, led us, as a warm-up, to whip our necks in circles, hair flying. “Move until you feel your bones!” Then we took turns mounting the poles.

Sandvik swung herself in circles around a pole like a dexterous double-limbed cat, arching her back and squatting to the ground in rhythm with the music. Alex told us to work our “Beyoncé arms”; I stared at my rigid body in the mirror while Sandvik flexed her wrists, circling around and around, feet and arms flying. It was the first and only time during the course of our encounters in which I’d seen her relax and let go—as if, in this room, offline, she could cast off the burdens of her mind.

Sandvik was once the victim of a targeted data breach. One day in 2015, she received an email from Twitter with the subject line “Important Safety Information.” “As a precaution,” the email read, “we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors.” She later discovered, through a Times reporter, that the culprit had been an engineer working for Twitter who doubled as an agent for the Saudi government and monitored the accounts of dissidents. Eventually, the employee was charged with espionage. The episode continued to haunt her. “I don’t know what they accessed or for how long they were there,” she said. “Maybe they just checked which IP address I was using at that point in time. Or maybe they downloaded all of my direct messages. I don’t know. Because Twitter has not told me.”

More than most, Sandvik has always been keenly aware of the risks posed by merely existing online, but even with all of her cybersecurity knowledge, she hasn’t been able to immunize herself. She maintains that being hacked is not just a possibility but a likelihood; she fears that most people are too naively comfortable when it comes to their digital communications. Governments, institutions—spies in various forms—are always lurking. In 2020, after the pandemic hit, she started spending her free time collecting biographies of undercover spies who got jobs working in media, not unlike her hacker. Last year, she created a Substack, Journalist and Spy, to publish her findings. “I’ve always been very fascinated with stories about cloak-and-dagger espionage and mystery,” she told me. “I kept finding mentions of spies that used journalism to cover for their work. So I got curious.”

There’s always more to worry about. Sandvik told me that another “mercenary spyware” had entered the arena. It was developed by Candiru, an Israeli company that sells spyware solely to governments. The Candiru spyware, which Microsoft calls “DevilsTongue,” had already been detected on more than seven hundred and fifty websites; according to Citizen Lab, many of the infected domains were impersonating advocacy sites like Amnesty International and Black Lives Matter. There were at least a hundred victims, including journalists, in at least ten countries. Sandvik predicted that it was only the beginning. “I think it’s just this arms race between companies like Apple and companies like NSO,” she said. “NSO found a way to install Pegasus on a phone that doesn’t require the individual to click on the link, and then Apple at that point figures out there’s a bug there that needs to be patched, causing NSO to find a new one.”

State-sponsored hackers are in constant need of ways to overcome the cybersecurity measures developed by big tech companies, which in turn constantly require new shields. That dynamic depends largely on an assumption that Big Tech’s code will always have flaws. And Sandvik’s work depends on the fact that there will always be an arms race—that authoritarian leaders will continue to pursue sensitive material from journalists. Her business seems safe. For more than a decade, a nonprofit called Freedom House has been indexing global internet freedom; by its estimate, the world is on its twelfth consecutive downturn—like a leaf spinning into a slow-moving waterfall. And in countries such as Russia and China, where the internet is already state-controlled, the advancement of technology—Pegasus, Candiru’s spyware, whatever comes next—will only play to their advantage.

But for now, at least, the race is still on. “You reach a point where hackers need to be very skilled, have a lot of time and patience, and be quite resourceful to get in,” Sandvik told me. “When the hackers run out of options, that’s when the threats shift from digital to physical and legal.” As president, Joe Biden blacklisted NSO Group from operating on US soil. Yet the extent of the ban was ambiguous, and, just five days later, the Times reported that the US government struck a secret deal with NSO Group under a fronted company called Cleopatra Holdings. Nor is NSO Group the last name in the cyberattack business. Sandvik speculated that malware may someday be able to install itself silently on a phone, steal all the data—including by recording conversations or taking videos—and uninstall itself without ever leaving a trace. It was a frightening thought. “Spyware targeting activists and journalists—it’s not going to go away,” she said.

One evening in late February, I met Sandvik for pizza. She told me she’d spent hours that day creating a database similar to the one she’d made for Pegasus, to keep track of who’d been infected with Candiru’s spyware. It was a time-consuming project, combing through news sites and dumping information into Excel. And not only was the work laborious, but it seemed, according to her logic, that by the time she finished one database, she would have to get started on another, and another, as spyware evolved.      

She didn’t mind. As Sandvik saw it, that was all she could do in the face of an overwhelming digital threat. “There is just no guarantee for us that we’re never going to be hacked,” she said. “The question is, just how difficult are we going to make it for the attacker?” Sometimes, information security comes down to keeping a record of small technical adjustments. “It’s the right thing to do,” she said. She shrugged. “Also, no one else is going to do it.”

Maddy Crowell is a freelance journalist based in New York.