Sandworm

A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
by Andy Greenberg, 2019, 368 pages
Rating: 4.35 (9k+ ratings)

Key Takeaways

1. Sandworm: Emergence as Russian Espionage

He called the group Sandworm.

Early signs. In 2014, cybersecurity firm iSight Partners discovered a sophisticated hacking campaign using a zero-day vulnerability in Microsoft Office, dropping a variant of the BlackEnergy malware. The lures, like a list of "terrorists" over a Ukrainian flag, suggested political targeting. Analysis of an unsecured command-and-control server revealed instructions written in Russian.

Dune references. Further investigation by analyst Drew Robinson uncovered campaign codes like "arrakis02" and "houseatreides94" within the malware, revealing the hackers' unusual obsession with Frank Herbert's sci-fi epic "Dune." These unique fingerprints allowed researchers to link disparate attacks dating back to 2009, targeting:

  • Ukrainian government and media
  • Polish energy companies
  • NATO-related events
  • American academics focused on Russia

Identifying the threat. This long-running, sophisticated espionage campaign, with clear Russian fingerprints and a focus on geopolitical targets, led iSight to name the group Sandworm. While initially seen as state-sponsored spying, hints of infrastructure targeting soon suggested a more dangerous evolution.

2. Escalation: Targeting Critical Infrastructure

Intelligence-gathering operations don’t break into industrial control systems.

Beyond espionage. Shortly after iSight's discovery, Trend Micro researcher Kyle Wilhoit found a connection between Sandworm's infrastructure and a file designed for General Electric's Cimplicity industrial control system (ICS) software. This suggested Sandworm was probing systems that control physical machinery, moving beyond data theft to potential sabotage.

Reconnaissance for attack. This finding was confirmed by the Department of Homeland Security's ICS-CERT, which reported Sandworm had built tools for hacking ICS software from GE, Siemens, and Advantech/Broadwin. These intrusions, dating back to 2011, targeted critical infrastructure, including American utilities.

  • Industrial control systems run power grids, water plants, factories, and similar physical processes.
  • An "air gap" is supposed to separate these systems from the internet.
  • Sandworm's probes suggested they were bridging the digital and physical.

A new era. For analysts like John Hultquist, this shifted the understanding of Sandworm from cyberspying to cyberwar reconnaissance. The group was mapping out critical systems, potentially preparing for attacks with physical consequences, a threat far more immediate than traditional espionage.

3. Ukraine: The Cyberwar Test Lab

After years of lurking, spying, building their capabilities, and performing reconnaissance work, Sandworm had taken the step that no other hackers had ever dared to: They’d caused an actual blackout, indiscriminately disrupting the physical infrastructure of hundreds of thousands of civilians.

First blackout. On Christmas Eve 2015, Sandworm attacked power distribution companies in western Ukraine, cutting electricity to nearly a quarter-million people for several hours. The attack used BlackEnergy malware delivered via phishing emails, spreading through networks, and ultimately opening circuit breakers.

Escalating attacks. This marked the first known hacker-induced blackout and a significant escalation in Russia's ongoing hybrid war against Ukraine, which included:

  • Physical invasion and conflict in the east
  • Disinformation campaigns
  • Cyberattacks on government, media, and finance

Second blackout. A year later, in December 2016, Sandworm hit Ukraine's transmission grid, blacking out a portion of Kiev. This attack was more sophisticated, using stolen credentials and hijacking remote access tools to control circuit breakers, even disabling backup power systems. Ukraine became a testing ground for cyberwar tactics.

4. Industroyer/Crash Override: The Automated Blackout Weapon

This was the first piece of malware to cause disruption to civilian infrastructure.

Uncovering the tool. Forensic analysis of the 2016 Kiev blackout by researchers like Anton Cherepanov at ESET revealed a new, highly sophisticated malware payload. Named Industroyer (by ESET) or Crash Override (by Dragos), this code was designed to directly interact with industrial control systems.

Automated sabotage. Unlike the 2015 attack, which involved manual control, Industroyer could automatically:

  • Discover and map industrial equipment
  • Communicate using multiple ICS protocols
  • Send commands to open circuit breakers repeatedly

Scalable threat. This modular, automated weapon meant Sandworm could potentially cause blackouts across multiple targets simultaneously with machine speed. Its design suggested it was built for reuse and adaptation, not just in Ukraine but potentially against grids using similar equipment worldwide, including in the United States.

5. Shadow Brokers & EternalBlue: NSA Tools Unleashed

Instead of an abstract fear that U.S. cyberweapons would inspire adversaries to develop their own, America’s hacking arsenal had fallen, suddenly and directly, into enemy hands.

NSA breach. In August 2016, a mysterious group calling themselves "the Shadow Brokers" claimed to have hacked the NSA's elite hacking team (Equation Group) and began leaking their tools. These leaks included powerful zero-day exploits, most notably EternalBlue, which targeted a vulnerability in Windows.

Global impact. EternalBlue allowed hackers to gain full remote control over millions of unpatched Windows computers worldwide. While Microsoft released a patch after being warned by the NSA, many systems remained vulnerable. The leak put sophisticated state-level hacking capabilities into the hands of any actor.

WannaCry pandemic. In May 2017, the WannaCry ransomware outbreak leveraged EternalBlue to spread rapidly across the globe, encrypting hundreds of thousands of computers, including those in hospitals and major corporations. This demonstrated the immense collateral damage possible when state-developed cyberweapons are leaked and weaponized by others.

6. NotPetya: The Global Cyber-Catastrophe

To an extent never seen before or—as of this writing—since, a single surprise cyberattack took a chunk out of the foundation of civilization, from pharmaceuticals to shipping to food.

Patient zero. On June 27, 2017, Sandworm launched NotPetya, piggybacking on the update mechanism of M.E.Doc, a widely used Ukrainian accounting software. This supply chain attack provided a perfect vector into thousands of networks.

Destructive power. NotPetya combined Mimikatz (for stealing credentials) and EternalBlue (for spreading via the Windows vulnerability) to rampage through networks, permanently wiping data under the guise of ransomware. It spread uncontrollably beyond Ukraine, crippling multinational corporations like Maersk, Merck, and FedEx.

Immense cost. NotPetya caused over $10 billion in damages globally, making it the most costly cyberattack in history. Its impact disrupted global shipping, pharmaceutical manufacturing, and even hospital operations, demonstrating the interconnectedness and fragility of modern infrastructure in the face of indiscriminate digital attacks.

7. The GRU Connection: Sandworm's Identity Revealed

The GRU, it now seemed, had masterminded the first-ever hacker-induced blackouts, the plot to interfere in a U.S. presidential election, and the most destructive cyberweapon ever released.

Attribution. While Sandworm's identity remained elusive for years, forensic links and intelligence reports increasingly pointed to the Russian government. In January 2018, the CIA reportedly concluded with "high confidence" that the Russian military's Main Center for Special Technology (GTsST), part of the GRU, was behind NotPetya.

Overlapping operations. Further investigation by FireEye, together with the U.S. Department of Justice's July 2018 indictment of 12 GRU hackers, solidified the link. Evidence showed connections between Sandworm's infrastructure and attacks attributed to Fancy Bear (also GRU), including:

  • Attacks on U.S. state boards of elections
  • The Olympic Destroyer malware
  • The Guccifer 2.0 persona and DCLeaks

Unit 74455. The indictment named specific GRU units, including Unit 74455, linked to election interference infrastructure. FireEye researchers theorized this unit was Sandworm, suggesting a single GRU entity was responsible for both disruptive cyberwar and political influence operations.

8. Russia's Doctrine: Hybrid Warfare & Informational Confrontation

The power to destroy a thing is the absolute control over it.

Blurring lines. Russian military thinking, as articulated by General Valery Gerasimov, emphasizes blurring the lines between war and peace and using "long-distance, contactless actions" against an enemy's entire territory, including critical infrastructure. This doctrine, known as "informational confrontation," encompasses both propaganda and disruptive cyberattacks.

GRU's role. After being sidelined, the GRU reinvented itself as Russia's aggressive cyber agency, applying lessons from earlier conflicts like Georgia. Its culture, influenced by its spetsnaz special forces, rewards risk-taking and sees attacks on civilian infrastructure as a legitimate means to demoralize an enemy.

Psychological objective. Sandworm's attacks, from blackouts to NotPetya, align with this doctrine. Their purpose wasn't necessarily tactical military gain but psychological impact: to destabilize Ukraine, undermine faith in its government, and demonstrate Russia's capability to inflict pain far behind the front lines.

9. The Cost of Inaction: Western Silence & Escalation

The lack of any proper response is almost an invitation to escalate more.

Delayed response. Despite repeated warnings and clear evidence of Sandworm's escalating attacks on Ukraine's critical infrastructure, including two blackouts, the U.S. and other Western governments remained largely silent for years. This was partly due to attribution challenges, but also a reluctance to escalate with Russia and a view of Ukraine as outside NATO's immediate concern.

NotPetya's catalyst. Only after NotPetya caused billions in damages globally did the U.S. and its allies publicly attribute the attack to the Russian military in February 2018. Sanctions followed, but critics argued the response was too little, too late.

Permitting escalation. This perceived impunity allowed Sandworm and other Russian hackers to continue developing and deploying dangerous capabilities. The lack of clear red lines around civilian infrastructure attacks signaled to adversaries that such actions might be tolerated, potentially fueling a global cyber arms race.

10. The New Battlefield: Distance is No Defense

In those physics, NotPetya reminds us, distance is no defense.

Interconnected vulnerability. NotPetya demonstrated that in the digital realm, geographic distance offers no protection. A vulnerability in Ukrainian accounting software could instantly cripple global shipping, pharmaceutical production, and hospitals thousands of miles away.

New physics of war. Cyberwarfare operates outside traditional physical boundaries and intuitions. Attacks can originate from unknown locations and spread uncontrollably, impacting civilian life on an unprecedented scale.

  • Supply chain attacks (like M.E.Doc) offer vectors into global networks.
  • Leaked tools (like EternalBlue) amplify reach and impact.
  • Collateral damage is often unpredictable and widespread.

Every gate. The NotPetya pandemic highlighted that modern society's reliance on interconnected digital systems means that vulnerabilities anywhere can become threats everywhere. The "barbarian" is no longer at a distant gate but potentially already inside the network.

11. The Future: Resilience and the Need for Norms

The world needs a new, digital Geneva Convention.

Lessons learned. The Sandworm saga, culminating in NotPetya, served as a stark wake-up call about the potential for devastating cyberattacks on critical infrastructure. It highlighted the need for better defenses, but also a fundamental rethinking of security.

Beyond prevention. Experts argue that preventing every attack is impossible. Instead, focus must shift to resilience: the ability to quickly detect, respond to, and recover from intrusions. This includes:

  • Better network segmentation
  • Reliable, disconnected backups
  • Manual override capabilities for critical systems

Call for norms. Many advocate for international agreements, like a "digital Geneva Convention," to establish clear rules banning attacks on civilian infrastructure, hospitals, and political processes, even in peacetime. However, achieving consensus is difficult as nations are reluctant to limit their own offensive capabilities.

Review Summary

4.35 out of 5
Average of 9k+ ratings from Goodreads and Amazon.

Sandworm is praised as a compelling and informative book about Russian cyber warfare, focusing on attacks against Ukraine and global infrastructure. Readers appreciate Greenberg's ability to explain complex technical concepts in an engaging manner. The book is described as eye-opening and terrifying, highlighting the vulnerability of modern systems to cyber attacks. Some readers found it dense at times but overall highly recommended. Critics note occasional partisan statements and anti-Russian bias. The book is considered essential reading for understanding current geopolitical tensions and cybersecurity threats.

About the Author

Andy Greenberg is an award-winning senior writer for WIRED, specializing in security, privacy, and hacker culture. He has authored three books, including "Sandworm" and "Tracers in the Dark," which have received multiple accolades such as Gerald Loeb Awards and Sigma Delta Chi Awards. His first book was named one of the top ten greatest tech books by the Verge. Before joining WIRED in 2014, Greenberg worked as a senior reporter for Forbes magazine. His writing focuses on cybersecurity, cryptocurrency, and information freedom. Greenberg resides in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.
