Key Takeaways
1. Sandworm: Emergence as Russian Espionage
He called the group Sandworm.
Early signs. In 2014, cybersecurity firm iSight Partners discovered a sophisticated hacking campaign using a zero-day vulnerability in Microsoft Office, dropping a variant of the BlackEnergy malware. The lures, like a list of "terrorists" over a Ukrainian flag, suggested political targeting. Analysis of an unsecured command-and-control server revealed instructions written in Russian.
Dune references. Further investigation by analyst Drew Robinson uncovered campaign codes like "arrakis02" and "houseatreides94" within the malware, revealing the hackers' unusual obsession with Frank Herbert's sci-fi epic "Dune." These unique fingerprints allowed researchers to link disparate attacks dating back to 2009, targeting:
- Ukrainian government and media
- Polish energy companies
- NATO-related events
- American academics focused on Russia
Identifying the threat. This long-running, sophisticated espionage campaign, with clear Russian fingerprints and a focus on geopolitical targets, led iSight to name the group Sandworm. While initially seen as state-sponsored spying, hints of infrastructure targeting soon suggested a more dangerous evolution.
2. Escalation: Targeting Critical Infrastructure
Intelligence-gathering operations don’t break into industrial control systems.
Beyond espionage. Shortly after iSight's discovery, Trend Micro researcher Kyle Wilhoit found a connection between Sandworm's infrastructure and a file designed for General Electric's Cimplicity industrial control system (ICS) software. This suggested Sandworm was probing systems that control physical machinery, moving beyond data theft to potential sabotage.
Reconnaissance for attack. This finding was confirmed by the Department of Homeland Security's ICS-CERT, which reported Sandworm had built tools for hacking ICS software from GE, Siemens, and Advantech/Broadwin. These intrusions, dating back to 2011, targeted critical infrastructure, including American utilities.
- Industrial control systems run power grids, water plants, factories, and similar facilities.
- An "air gap" is supposed to separate these systems from the internet.
- Sandworm's probes suggested the group was bridging the digital and the physical.
A new era. For analysts like John Hultquist, this shifted the understanding of Sandworm from cyberspying to cyberwar reconnaissance. The group was mapping out critical systems, potentially preparing for attacks with physical consequences, a threat far more immediate than traditional espionage.
3. Ukraine: The Cyberwar Test Lab
After years of lurking, spying, building their capabilities, and performing reconnaissance work, Sandworm had taken the step that no other hackers had ever dared to: They’d caused an actual blackout, indiscriminately disrupting the physical infrastructure of hundreds of thousands of civilians.
First blackout. On Christmas Eve 2015, Sandworm attacked power distribution companies in western Ukraine, cutting electricity to nearly a quarter-million people for several hours. The attackers used BlackEnergy malware delivered via phishing emails to gain a foothold, spread through the utilities' networks, and ultimately open circuit breakers.
Escalating attacks. This marked the first known hacker-induced blackout and a significant escalation in Russia's ongoing hybrid war against Ukraine, which included:
- Physical invasion and conflict in the east
- Disinformation campaigns
- Cyberattacks on government, media, and finance
Second blackout. A year later, in December 2016, Sandworm hit Ukraine's transmission grid, blacking out a portion of Kiev. This attack was more sophisticated, using stolen credentials and hijacking remote access tools to control circuit breakers, even disabling backup power systems. Ukraine became a testing ground for cyberwar tactics.
4. Industroyer/Crash Override: The Automated Blackout Weapon
This was the first piece of malware to cause disruption to civilian infrastructure.
Uncovering the tool. Forensic analysis of the 2016 Kiev blackout by researchers like Anton Cherepanov at ESET revealed a new, highly sophisticated malware payload. Named Industroyer (by ESET) or Crash Override (by Dragos), this code was designed to directly interact with industrial control systems.
Automated sabotage. Unlike the 2015 attack, which involved manual control, Industroyer could automatically:
- Discover and map industrial equipment
- Communicate using multiple ICS protocols
- Send commands to open circuit breakers repeatedly
Scalable threat. This modular, automated weapon meant Sandworm could potentially cause blackouts across multiple targets simultaneously with machine speed. Its design suggested it was built for reuse and adaptation, not just in Ukraine but potentially against grids using similar equipment worldwide, including in the United States.
5. Shadow Brokers & EternalBlue: NSA Tools Unleashed
Instead of an abstract fear that U.S. cyberweapons would inspire adversaries to develop their own, America’s hacking arsenal had fallen, suddenly and directly, into enemy hands.
NSA breach. In August 2016, a mysterious group calling themselves "the Shadow Brokers" claimed to have hacked the NSA's elite hacking team (Equation Group) and began leaking their tools. These leaks included powerful zero-day exploits, most notably EternalBlue, which targeted a vulnerability in Windows.
Global impact. EternalBlue allowed hackers to gain full remote control over millions of unpatched Windows computers worldwide. While Microsoft released a patch after being warned by the NSA, many systems remained vulnerable. The leak put sophisticated state-level hacking capabilities into the hands of any actor.
WannaCry pandemic. In May 2017, the WannaCry ransomware outbreak leveraged EternalBlue to spread rapidly across the globe, encrypting hundreds of thousands of computers, including those in hospitals and major corporations. This demonstrated the immense collateral damage possible when state-developed cyberweapons are leaked and weaponized by others.
6. NotPetya: The Global Cyber-Catastrophe
To an extent never seen before or—as of this writing—since, a single surprise cyberattack took a chunk out of the foundation of civilization, from pharmaceuticals to shipping to food.
Patient zero. On June 27, 2017, Sandworm launched NotPetya, piggybacking on the update mechanism of M.E.Doc, a widely used Ukrainian accounting software. This supply chain attack provided a perfect vector into thousands of networks.
Destructive power. NotPetya combined Mimikatz (for stealing credentials) and EternalBlue (for spreading by exploiting the leaked Windows vulnerability) to rampage through networks, permanently wiping data under the guise of ransomware. It spread uncontrollably beyond Ukraine, crippling multinational corporations like Maersk, Merck, and FedEx.
Immense cost. NotPetya caused over $10 billion in damages globally, making it the most costly cyberattack in history. Its impact disrupted global shipping, pharmaceutical manufacturing, and even hospital operations, demonstrating the interconnectedness and fragility of modern infrastructure in the face of indiscriminate digital attacks.
7. The GRU Connection: Sandworm's Identity Revealed
The GRU, it now seemed, had masterminded the first-ever hacker-induced blackouts, the plot to interfere in a U.S. presidential election, and the most destructive cyberweapon ever released.
Attribution. While Sandworm's identity remained elusive for years, forensic links and intelligence reports increasingly pointed to the Russian government. In January 2018, the CIA reportedly concluded with "high confidence" that the Russian military's Main Center for Special Technology (GTsST), part of the GRU, was behind NotPetya.
Overlapping operations. Further investigation by FireEye and the U.S. Department of Justice indictment of 12 GRU hackers in July 2018 solidified the link. Evidence showed connections between Sandworm's infrastructure and attacks attributed to Fancy Bear (also GRU), including:
- Attacks on U.S. state boards of elections
- The Olympic Destroyer malware
- The Guccifer 2.0 persona and DCLeaks
Unit 74455. The indictment named specific GRU units, including Unit 74455, linked to election interference infrastructure. FireEye researchers theorized this unit was Sandworm, suggesting a single GRU entity was responsible for both disruptive cyberwar and political influence operations.
8. Russia's Doctrine: Hybrid Warfare & Informational Confrontation
The power to destroy a thing is the absolute control over it.
Blurring lines. Russian military thinking, as articulated by General Valery Gerasimov, emphasizes blurring the lines between war and peace and using "long-distance, contactless actions" against an enemy's entire territory, including critical infrastructure. This doctrine, known as "informational confrontation," encompasses both propaganda and disruptive cyberattacks.
GRU's role. After being sidelined, the GRU reinvented itself as Russia's aggressive cyber agency, applying lessons from earlier conflicts like Georgia. Its culture, influenced by its spetsnaz special forces, rewards risk-taking and sees attacks on civilian infrastructure as a legitimate means to demoralize an enemy.
Psychological objective. Sandworm's attacks, from blackouts to NotPetya, align with this doctrine. Their purpose wasn't necessarily tactical military gain but psychological impact: to destabilize Ukraine, undermine faith in its government, and demonstrate Russia's capability to inflict pain far behind the front lines.
9. The Cost of Inaction: Western Silence & Escalation
The lack of any proper response is almost an invitation to escalate more.
Delayed response. Despite repeated warnings and clear evidence of Sandworm's escalating attacks on Ukraine's critical infrastructure, including two blackouts, the U.S. and other Western governments remained largely silent for years. This was partly due to attribution challenges, but also a reluctance to escalate with Russia and a view of Ukraine as outside NATO's immediate concern.
NotPetya's catalyst. Only after NotPetya caused billions in damages globally did the U.S. and its allies publicly attribute the attack to the Russian military in February 2018. Sanctions followed, but critics argued the response was too little, too late.
Permitting escalation. This perceived impunity allowed Sandworm and other Russian hackers to continue developing and deploying dangerous capabilities. The lack of clear red lines around civilian infrastructure attacks signaled to adversaries that such actions might be tolerated, potentially fueling a global cyber arms race.
10. The New Battlefield: Distance is No Defense
In those physics, NotPetya reminds us, distance is no defense.
Interconnected vulnerability. NotPetya demonstrated that in the digital realm, geographic distance offers no protection. A vulnerability in Ukrainian accounting software could instantly cripple global shipping, pharmaceutical production, and hospitals thousands of miles away.
New physics of war. Cyberwarfare operates outside traditional physical boundaries and intuitions. Attacks can originate from unknown locations and spread uncontrollably, impacting civilian life on an unprecedented scale.
- Supply chain attacks (like M.E.Doc) offer vectors into global networks.
- Leaked tools (like EternalBlue) amplify reach and impact.
- Collateral damage is often unpredictable and widespread.
Every gate. The NotPetya pandemic highlighted that modern society's reliance on interconnected digital systems means that vulnerabilities anywhere can become threats everywhere. The "barbarian" is no longer at a distant gate but potentially already inside the network.
11. The Future: Resilience and the Need for Norms
The world needs a new, digital Geneva Convention.
Lessons learned. The Sandworm saga, culminating in NotPetya, served as a stark wake-up call about the potential for devastating cyberattacks on critical infrastructure. It highlighted the need for better defenses, but also a fundamental rethinking of security.
Beyond prevention. Experts argue that preventing every attack is impossible. Instead, focus must shift to resilience: the ability to quickly detect, respond to, and recover from intrusions. This includes:
- Better network segmentation
- Reliable, disconnected backups
- Manual override capabilities for critical systems
Call for norms. Many advocate for international agreements, like a "digital Geneva Convention," to establish clear rules banning attacks on civilian infrastructure, hospitals, and political processes, even in peacetime. However, achieving consensus is difficult as nations are reluctant to limit their own offensive capabilities.
FAQ
1. What is Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg about?
- Chronicles rise of Sandworm: The book investigates the emergence and operations of Sandworm, a Russian GRU-backed hacker group responsible for some of the most destructive cyberattacks in history.
- Focus on Ukraine as battleground: It details how Ukraine became the primary testing ground for Russian cyberwarfare, with attacks escalating from power grid blackouts to global ransomware outbreaks.
- Explores global cyberwarfare evolution: Greenberg traces the shift from early cyber espionage to modern, indiscriminate attacks that threaten global infrastructure and politics.
- Warns of new era: The narrative highlights the risks of unchecked cyberwar escalation and the potential for widespread disruption of civilian life worldwide.
2. Why should I read Sandworm by Andy Greenberg?
- Reveals hidden cyberwar threats: The book exposes the real-world consequences of state-sponsored hacking, showing how digital attacks can disrupt societies and economies.
- Timely and relevant: As cyberwarfare increasingly affects global politics, infrastructure, and daily life, understanding these threats is crucial for individuals and organizations.
- Engaging investigative journalism: Greenberg combines in-depth research, interviews, and on-the-ground reporting to create a compelling narrative that reads like a thriller.
- Offers practical lessons: The book provides insights into resilience, the importance of analog backups, and the need for international norms in cyberspace.
3. Who or what is Sandworm, and why are they significant in Andy Greenberg’s Sandworm?
- Russian GRU hacking unit: Sandworm is identified as Unit 74455 of the GRU, Russia’s military intelligence agency, specializing in cyber sabotage and election interference.
- Pioneers of cyberwarfare: They redefined cyberwar by moving from espionage to destructive attacks, including the first hacker-induced power grid blackouts.
- Global threat: Sandworm’s operations demonstrate the potential for state-sponsored hackers to target critical infrastructure worldwide, posing risks to the U.S., NATO, and beyond.
- Linked to major incidents: Their campaigns include the Ukrainian blackouts, NotPetya, Olympic Destroyer, and election interference in the U.S. and France.
4. What are the key cyberattacks detailed in Sandworm by Andy Greenberg, and what were their impacts?
- 2015 and 2016 Ukrainian blackouts: Sandworm caused the first known cyber-induced power outages, affecting hundreds of thousands and demonstrating the vulnerability of critical infrastructure.
- 2017 NotPetya attack: This destructive malware caused over $10 billion in global damages, crippling companies like Maersk and Merck, and spreading far beyond its initial Ukrainian targets.
- Olympic Destroyer and election hacks: Sandworm also targeted the 2018 Winter Olympics and interfered in U.S. and French elections, blending sabotage with political warfare.
- Escalation of cyberwarfare: These attacks marked a shift from espionage to large-scale, indiscriminate digital destruction.
5. How does Andy Greenberg explain the evolution of cyberwarfare in Sandworm?
- From espionage to sabotage: The book traces the progression from early cyber spying (like Moonlight Maze and Stuxnet) to attacks that cause real-world physical damage.
- Technological advancements: Innovations such as zero-day exploits, malware for industrial control systems, and automated attack tools have increased the scale and impact of cyberwarfare.
- Hybrid warfare context: Cyberattacks are integrated into Russia’s broader strategy, combining digital, military, and psychological operations to destabilize adversaries.
- Blurring war domains: The narrative shows how cyberwarfare extends conflict into civilian infrastructure and political processes.
6. What is the significance of the NotPetya attack in Sandworm by Andy Greenberg?
- Most destructive cyberattack: NotPetya caused unprecedented global economic damage, with losses exceeding $10 billion and affecting multinational corporations.
- Designed for destruction: Unlike typical ransomware, NotPetya’s encryption was irreversible, revealing its true purpose as sabotage rather than financial gain.
- Indiscriminate global impact: Though aimed at Ukraine, the malware spread worldwide, highlighting the uncontrollable nature of modern cyberweapons.
- Wake-up call for cybersecurity: The attack demonstrated the vulnerability of interconnected systems and the risks of state-sponsored cyber aggression.
7. What are the key malware and hacking tools discussed in Sandworm by Andy Greenberg, and why are they important?
- BlackEnergy: Evolved from a DDoS tool to a multi-functional malware used for both espionage and sabotage, notably in the 2015 Ukrainian blackout.
- KillDisk: A destructive tool used to wipe data and disable recovery, amplifying the impact of attacks.
- Industroyer/Crash Override: Modular malware capable of automating attacks on power grid equipment, representing a new level of cyber-physical sabotage.
- Mimikatz and EternalBlue: Tools for credential theft and rapid malware propagation, the latter being an NSA exploit leaked by the Shadow Brokers and used in NotPetya and WannaCry.
8. How did the Shadow Brokers leak of NSA tools affect the cyberwar landscape in Sandworm by Andy Greenberg?
- Exposed NSA cyberweapons: The leak made powerful U.S. hacking tools, like EternalBlue, available to adversaries and criminals worldwide.
- Enabled global ransomware outbreaks: EternalBlue was used in both WannaCry and NotPetya, causing massive disruption and economic loss.
- Escalated cyber arms race: The incident forced governments and companies to confront new threats and vulnerabilities, intensifying the global cyber conflict.
- Undermined U.S. cyber advantage: The leak diminished the effectiveness of U.S. cyber capabilities and highlighted the dangers of stockpiling digital weapons.
9. What does Sandworm by Andy Greenberg reveal about the U.S. government’s response to cyberwarfare threats?
- Delayed and muted reactions: The book describes the frustration of cybersecurity experts over the U.S. government’s slow and secretive response to Russian cyberattacks.
- Political considerations: Concerns about international relations and election interference controversies influenced the lack of public condemnation or decisive action.
- Missed opportunities for deterrence: The U.S. failed to establish clear norms or consequences for attacks on civilian infrastructure, emboldening adversaries like Sandworm.
- Need for stronger leadership: Greenberg suggests that more proactive and transparent responses are necessary to counter escalating cyber threats.
10. How does Sandworm by Andy Greenberg connect cyberwarfare to traditional military conflict and hybrid warfare?
- Integral to hybrid warfare: Cyberattacks are shown as a core component of Russia’s strategy, complementing military operations with digital disruption and influence campaigns.
- Blurring of war domains: The book illustrates how cyberwarfare extends the battlefield into civilian life, media, and political systems.
- Psychological and strategic impact: Attacks aim to sow confusion, undermine trust, and intimidate populations, amplifying their effect beyond physical damage.
- Redefining modern conflict: Greenberg argues that cyberwarfare challenges traditional notions of war and peace, requiring new frameworks for defense and response.
11. What lessons and advice about cybersecurity and resilience does Andy Greenberg offer in Sandworm?
- Resilience over prevention: The book argues that preventing all cyberattacks is impossible; focus should be on rapid recovery and minimizing cascading failures.
- Importance of analog backups: Maintaining manual or analog systems, as Ukraine did with its power grid, can help mitigate the impact of digital attacks.
- Call for international norms: Greenberg advocates for agreements like a “digital Geneva Convention” to protect civilians and infrastructure, though political challenges remain.
- Preparation and awareness: Societies must invest in cybersecurity, incident response, and public awareness to withstand future cyberwarfare.
12. What are the best quotes from Sandworm by Andy Greenberg, and what do they mean?
- “On the Internet, we are all Ukraine.” This quote underscores the universal vulnerability to cyberwarfare, as attacks in one country can quickly affect the entire world.
- “The physics of cyberspace are wholly different from every other war domain.” It highlights how cyberwarfare defies traditional concepts of distance and defense, making every networked society susceptible.
- “It’s not about turning out the lights. It’s about letting people know you can turn out the lights.” This reflects the psychological objective of cyberattacks: to intimidate and undermine confidence, not just cause physical damage.
- Quotes reinforce key themes: These statements encapsulate the book’s warnings about the global, psychological, and unpredictable nature of modern cyberwarfare.
Review Summary
Sandworm is praised as a compelling and informative book about Russian cyber warfare, focusing on attacks against Ukraine and global infrastructure. Readers appreciate Greenberg's ability to explain complex technical concepts in an engaging manner. The book is described as eye-opening and terrifying, highlighting the vulnerability of modern systems to cyber attacks. Some readers found it dense at times but overall highly recommended. Critics note occasional partisan statements and anti-Russian bias. The book is considered essential reading for understanding current geopolitical tensions and cybersecurity threats.