What do you think?
Rate this book
Operation Sandworm: The Hunt for the Kremlin's Elite Cyber Army
'With the nuance of a reporter and the pace of a thriller writer, Andy Greenberg gives us a glimpse of the cyberwars of the future while at the same time placing his story in the long arc of Russian and Ukrainian history.' -Anne Applebaum, bestselling author of Twilight of Democracy
'A chilling account of a Kremlin-led cyberattack, a new front in global conflict" -Financial Times
The true story of the most devastating act of cyberwarfare in history and the desperate hunt to identify and track the elite Russian agents behind it.
In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world's largest businesses. At the attack's epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage - the largest, most destructive cyberattack the world had ever seen.
This is the true story of the hunt to unmask the group of hackers behind the attacks working in service of Russia's military intelligence agency. Following the years-long, globe-spanning work of the detectives tracking them, Operation Sandworm also exposes the larger story of a new global arms race, and the geopolitical chaos it is unleashing on the world. A narrative full of twists and turns, it captures a chilling new in a war without borders, all of us live on the frontline.
'A chilling account of a Kremlin-led cyberattack, a new front in global conflict" -Financial Times
The true story of the most devastating act of cyberwarfare in history and the desperate hunt to identify and track the elite Russian agents behind it.
In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world's largest businesses. At the attack's epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage - the largest, most destructive cyberattack the world had ever seen.
This is the true story of the hunt to unmask the group of hackers behind the attacks working in service of Russia's military intelligence agency. Following the years-long, globe-spanning work of the detectives tracking them, Operation Sandworm also exposes the larger story of a new global arms race, and the geopolitical chaos it is unleashing on the world. A narrative full of twists and turns, it captures a chilling new in a war without borders, all of us live on the frontline.
384 pages, Mass Market Paperback
First published November 5, 2019
2136 people are currently reading
18020 people want to read
About the author
Andy Greenberg
9 books573 followersAndy Greenberg is an award-winning senior writer for WIRED, covering security, privacy, information freedom, and hacker culture. He's the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His last book was Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
The two books, as well as excerpts from them published in WIRED, have won awards including two Gerald Loeb Awards for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, three Deadline Club Awards from the New York Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. His first book, This Machine Kills Secrets: How WikiLeakers, Hacktivists and Cypherpunks Aim to Free the World’s Information, was named one of the top ten “greatest tech books of all time” by the Verge.
Before joining WIRED in 2014, Greenberg worked as a senior reporter for Forbes magazine. He lives in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.
The two books, as well as excerpts from them published in WIRED, have won awards including two Gerald Loeb Awards for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, three Deadline Club Awards from the New York Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. His first book, This Machine Kills Secrets: How WikiLeakers, Hacktivists and Cypherpunks Aim to Free the World’s Information, was named one of the top ten “greatest tech books of all time” by the Verge.
Before joining WIRED in 2014, Greenberg worked as a senior reporter for Forbes magazine. He lives in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 30 of 900 reviews
August 13, 2020
Sandworm is the name given to a Russian military hacking group by a U. S. based cybersecurity firm. Sandworm has deployed sophisticated malware that has taken down and taken over computer systems, networks and attached infrastructure across the globe. Their viruses can lie in wait undetected until a targeted time. Some are tailored to take control of industrial control systems. These are the computer interfaces that turn digital instructions into physical ones for automated machines, which use programs to define their operation. The malware can replace those programs with code that can, for example, shut down a power plant and potentially destroy its equipment. It can facilitate remote operation by the hackers. Sandworm and its cohorts have brought about a new state of cyber warfare, demonstrating the capability to paralyze an entire nation with devastating effect.
In 2014 Russia seized Crimea from Ukraine and initiated a war in eastern Ukraine. In Ukraine’s May 2014 elections Russia went on the offensive targeting the computer network of the Central Election Commission. First they took out the computers. Once the commission put its system back together the Russians slipped in phony election results which the Ukrainians caught and scrubbed before presenting the actual results. Interestingly Russian state television at the same time announced their favorite had won, matching the phony results they had put in the network. Then the Russian hackers launched a denial of service attack flooding the network with messages. The group responsible was later identified to be linked to the Russian hacking group Fancy Bear that interfered with the U. S. 2016 election.
In October 2015 two severs and a number of PCs went down together at StarLightMedia, Ukraine’s largest TV broadcaster. Their computer security chief investigated finding Sandworm’s virus had gotten into the system six months earlier through an infected attachment. The virus had been biding its time. Other Ukrainian media companies were simultaneously attacked some suffering worse damage.
In December 2015 Russia targeted Ukraine’s infrastructure infecting computers controlling the electrical grid and causing blackouts in large areas. The rogue code allowed Sandworm to remotely use the power station’s computers to trip circuit breakers shutting down the power supply at exactly midnight two days before Christmas. The facility’s operators were locked out helplessly watching the cursor move about the screen. Then the hackers wiped clean the interface hardware that converted the computer instructions for the equipment so the operators wouldn’t be able to turn them back on. Finally Sandworm shut down the backup batteries that were providing power for the plant, literally leaving the operators in the dark.
While the Obama administration had reacted angrily to the North Korean attack on Sony Pictures in 2014, it seemed to publicly downplay the importance of the Ukraine attack and the threat it could pose to the U. S. Internally it was more worried. Fancy Bear would strike the Democrats in the 2016 election stealing and releasing emails and documents to help Trump. The name Fancy Bear was created by CrowdStrike, the security firm the Democrats hired to investigate the hacking. The company uses the name Bear for any malware from Russia, Panda for China, Tiger for India, etc. Cozy Bear was also involved. These two groups had been identified previously conducting attacks on the State Department, White House and defense contractors. Needless to say, Obama was very upset about the election hacking and the U. S. responded with sanctions.
In the late 1990s Russia had engaged in massive cyber espionage against the U. S. taking troves of military and industrial files and documents. In the next decade they would escalate to cyberwar taking out multiple components of civilian infrastructure. In 2007 Russian hackers executed a massive denial of service attack on Estonia’s government agencies effectively taking down the country’s internet which was used by 95% of the people for banking and by 90% to pay taxes. Even voting was online. The attack lasted two months crippling the country which had recently joined NATO. NATO did nothing in response. In 2008 in Georgia the Russians combined similar cyber-attacks with conventional military force attacking Georgia which had been considering joining NATO.
In 2007 in a demonstration at the Idaho National Laboratories 30 lines of code were used to destroy a large generator connected to the grid. Deployed over the internet the code reprogrammed the machine interface to reverse a command which connected the generator to the grid when it was at the correct speed. Instead the code disconnected it sending it spinning wildly then connected it again which forced it to abruptly slow down to the correct speed at which point the commands were repeated. The generator soon flew apart.
The first country to use malware to physically destroy another country’s equipment was the U. S. Called Stuxnet, the code was developed by the NSA under the Bush and Obama administrations with Israeli help. It was deployed against Iran starting in 2009. The code specifically targeted centrifuges that were being used to enrich uranium for nuclear weapons. It was launched through USB drives. It would command a centrifuge to spin out of control and self-destruct. Sneakily it fed back false information to the operator that everything was fine. It started sporadically taking out one here and one there. In the end it took out thousands, but probably only set back the Iranian program a year at the most two. The target was military, a significant difference from the Russian attacks. State hackers over the world took notice once the malware was discovered and defined. Just like the first atom bomb, everyone knew there was a new weapon to use.
In December 2016, the Russians attacked Ukraine again deleting the files on the computers of the Ukraine’s pension administration, treasury, seaport authority, defense, finance, and infrastructure ministries. They took down the railway’s booking system in heavy use just before Christmas. On December 17 they hit the main power transmission station just outside of Kiev. One by one circuits went down finally leaving the station and a large area of the capital without power. This time the staff was able to restore service more quickly but they stood warned. Two security firms got copies of the malware and dissected it writing public reports in June 2017 that detailed its capabilities. They noted that the virus could be deployed against any country and any automated infrastructure with small modifications. The lead American researcher presented his findings to the National Security Council and representatives of other relevant agencies. The report made it to Dan Coats, U. S. Director of National Intelligence, who passed brief parts to Trump. The response back was that they didn’t want to discuss it. After the election Trump had no interest in anything involving Russian hacking. The virus had not been set up to physically destroy equipment, but could be in the future.
In 2016 a Russian group calling itself the Shadow Brokers penetrated the U. S. NSA stealing the potent Eternal Blue and a mother lode of efficient hacking tools. An NSA employee had loaded the sensitive materials on his home computer which used Russian Kaspersky antivirus software. He received six years in prison. After taunting the NSA for months Shadow Brokers released all the malware to the public in 2017. Soon hackers unleashed these new weapons. Eternal Blue was used by North Korean hackers to spread its ransomware WannaCry. It caused havoc in the U. K. National Health System as appointment schedules were lost and emergency rooms closed. Telefonica in Spain, companies in Germany, France, India and China were attacked, even Sberbank in Russia. Paying the perpetrators did no good; the code had no way to decrypt the files it had encrypted.
In 2012 a French IT Manager reported a Windows vulnerability to Microsoft, which didn’t see it as a serious threat. Frustrated he wrote Mimikatz to show it could be exploited. Soon Mimikatz was in the hands of hackers. A sophisticated group like Sandworm took advantage of all the known tools, old ones like Black Energy and Kill Disk, and newer ones like Eternal Blue, the NSA tool kit, and Mimikatz. Sandworm would enhance them, customize them and tie them together into a virulent malware.
On June 17, 2017, Sandworm struck Ukraine again. This time through tax software that was used by nearly everyone in Ukraine to file taxes. Starting in the spring Sandworm had placed code on the tax company’s update server that sent out patches and updates to its many thousands of customers. Included was Sandworm’s latest creation called Notpetya. Notpetya not only infected the target computers but the computers and servers on their network. Notpetya presented itself as ransomware, but there was no way to get the data back. The intention was clearly just data destruction. Ukraine’s second largest bank had 90% of its computers taken down in seconds. Ukrainian power companies, railways, airports quickly succumbed. Some government agencies avoided the virus by shutting down all their networks and systems immediately upon learning about outages. But even though they saved their data from being destroyed, they were still out of business until the virus was eradicated from all the infected systems or a preventive patch could be provided. The postal service which also handled government pension payments was down with 70% of its 23,000 computers infected, the others shut down in time to prevent infection. Hospitals computers were infected and their data lost. Test results, appointment schedules, all gone. Credit card payment systems no longer worked neither did most ATMs. Many people couldn’t buy gas, metro tickets or food.
Notpetya also struck many international companies with offices in Ukraine. The virus leapt from their Ukraine office computers to their offices around the world. Within hours major companies across the globe were losing their computers and networks; for example Merck, Mondelez, Maersk, Reckitt Benckiser, TNT Express, and even companies in Russia which were probably unintended. The virus was so effective at spreading from one network to another that it may well have exceeded Sandworm’s expectations. Maersk, the mammoth worldwide shipping company, is a good example. It had an office in a Ukraine Black Sea port with one computer in the finance department that had the tax accounting software on it. The computer was infected by the tax company’s server. From there the virus jumped through Maersk’s worldwide network. Maersk’s facility in Elizabeth, New Jersey, five miles from Manhattan, encompasses a square mile with tens of thousands of modular containers stacked high. As many as 3,000 trucks a day enter the facility to deliver or pick up. On the morning of June 27, 2017 all that stopped. Trucks were backed up for miles. The facility closed for the day with no indication of when it would reopen. Truckers and cargo owners were frantic to find alternative shipping or temporary storage. Maersk’s computers were infected and down. They lost all track of shipments coming and going. The same scenario played out at Maersk facilities in Los Angeles, Rotterdam, Algeciras, Mumbai and many others. It would take a week for near normal function to return and that recovery was tenuous. A lone uninfected computer in Ghana contained information vital to the recovery which was hand carried back to the main data center in the U. K. The 18,000 container vessels that served Maersk harbors could then resume deliveries. Even companies not directly hit suffered collateral damage. Many hospitals from the U. S. to India were affected because the provider of their transcription service that puts doctor’s recordings into the computer system was down. The disruption lasted weeks, directly affecting lives. In money terms the total cost of the Notpetya attack was estimated at $10 billion.
Greenberg makes a convincing case that Sandworm is a unit within the GRU, Russian military intelligence. It may have combined resources from several units, some possibly in the FSB, successor to the KGB. Ukraine immediately identified Russia as responsible for notpetya as did many private security services. It would take a while for other governments to publicly acknowledge it though NATO did immediately identify the culprit as a state actor without naming Russia. NATO probably did not want to acknowledge what was an act of war. Interestingly when the giant conglomerate Mondelez filed a claim for damages with its cyber-attack damage insurer, Zurich Insurance Group, the claim was rejected as an act of war. That case is still not settled. In January 2018 the Washington Post reported that the CIA had concluded that Russia was responsible. Finally in February 2018, the White House issued a statement, “In June 2017, The Russian military launched the most destructive and costly cyber-attack in history…It was part of the Kremlin’s effort to destabilize Ukraine…” The U. K. had earlier named Russia and other countries followed. The U. S. imposed financial sanctions on some individual Russians. Unfazed, the GRU that same month disrupted the Olympic Games in South Korea taking out supporting computer systems, perhaps Russia’s response to the anti-doping investigation that punished its athletes. In July 2018 the U.S. Department of Justice indicted 12 GRU hackers for the 2016 election interference. Special Counsel Robert Mueller filed the indictments.
In November 2017, Brad Smith, President of Microsoft, gave a speech at the UN building in Geneva. Some snippets “We’re seeing nations attack civilians even in times of peace.” “We live in a world where the infrastructure of our lives is ultimately vulnerable to the weakest link.” “It’s clear where the world is going. We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the internet. Think about what it will mean for the world when those devices are the subject of attack.”
In 2014 Russia seized Crimea from Ukraine and initiated a war in eastern Ukraine. In Ukraine’s May 2014 elections Russia went on the offensive targeting the computer network of the Central Election Commission. First they took out the computers. Once the commission put its system back together the Russians slipped in phony election results which the Ukrainians caught and scrubbed before presenting the actual results. Interestingly Russian state television at the same time announced their favorite had won, matching the phony results they had put in the network. Then the Russian hackers launched a denial of service attack flooding the network with messages. The group responsible was later identified to be linked to the Russian hacking group Fancy Bear that interfered with the U. S. 2016 election.
In October 2015 two severs and a number of PCs went down together at StarLightMedia, Ukraine’s largest TV broadcaster. Their computer security chief investigated finding Sandworm’s virus had gotten into the system six months earlier through an infected attachment. The virus had been biding its time. Other Ukrainian media companies were simultaneously attacked some suffering worse damage.
In December 2015 Russia targeted Ukraine’s infrastructure infecting computers controlling the electrical grid and causing blackouts in large areas. The rogue code allowed Sandworm to remotely use the power station’s computers to trip circuit breakers shutting down the power supply at exactly midnight two days before Christmas. The facility’s operators were locked out helplessly watching the cursor move about the screen. Then the hackers wiped clean the interface hardware that converted the computer instructions for the equipment so the operators wouldn’t be able to turn them back on. Finally Sandworm shut down the backup batteries that were providing power for the plant, literally leaving the operators in the dark.
While the Obama administration had reacted angrily to the North Korean attack on Sony Pictures in 2014, it seemed to publicly downplay the importance of the Ukraine attack and the threat it could pose to the U. S. Internally it was more worried. Fancy Bear would strike the Democrats in the 2016 election stealing and releasing emails and documents to help Trump. The name Fancy Bear was created by CrowdStrike, the security firm the Democrats hired to investigate the hacking. The company uses the name Bear for any malware from Russia, Panda for China, Tiger for India, etc. Cozy Bear was also involved. These two groups had been identified previously conducting attacks on the State Department, White House and defense contractors. Needless to say, Obama was very upset about the election hacking and the U. S. responded with sanctions.
In the late 1990s Russia had engaged in massive cyber espionage against the U. S. taking troves of military and industrial files and documents. In the next decade they would escalate to cyberwar taking out multiple components of civilian infrastructure. In 2007 Russian hackers executed a massive denial of service attack on Estonia’s government agencies effectively taking down the country’s internet which was used by 95% of the people for banking and by 90% to pay taxes. Even voting was online. The attack lasted two months crippling the country which had recently joined NATO. NATO did nothing in response. In 2008 in Georgia the Russians combined similar cyber-attacks with conventional military force attacking Georgia which had been considering joining NATO.
In 2007 in a demonstration at the Idaho National Laboratories 30 lines of code were used to destroy a large generator connected to the grid. Deployed over the internet the code reprogrammed the machine interface to reverse a command which connected the generator to the grid when it was at the correct speed. Instead the code disconnected it sending it spinning wildly then connected it again which forced it to abruptly slow down to the correct speed at which point the commands were repeated. The generator soon flew apart.
The first country to use malware to physically destroy another country’s equipment was the U. S. Called Stuxnet, the code was developed by the NSA under the Bush and Obama administrations with Israeli help. It was deployed against Iran starting in 2009. The code specifically targeted centrifuges that were being used to enrich uranium for nuclear weapons. It was launched through USB drives. It would command a centrifuge to spin out of control and self-destruct. Sneakily it fed back false information to the operator that everything was fine. It started sporadically taking out one here and one there. In the end it took out thousands, but probably only set back the Iranian program a year at the most two. The target was military, a significant difference from the Russian attacks. State hackers over the world took notice once the malware was discovered and defined. Just like the first atom bomb, everyone knew there was a new weapon to use.
In December 2016, the Russians attacked Ukraine again deleting the files on the computers of the Ukraine’s pension administration, treasury, seaport authority, defense, finance, and infrastructure ministries. They took down the railway’s booking system in heavy use just before Christmas. On December 17 they hit the main power transmission station just outside of Kiev. One by one circuits went down finally leaving the station and a large area of the capital without power. This time the staff was able to restore service more quickly but they stood warned. Two security firms got copies of the malware and dissected it writing public reports in June 2017 that detailed its capabilities. They noted that the virus could be deployed against any country and any automated infrastructure with small modifications. The lead American researcher presented his findings to the National Security Council and representatives of other relevant agencies. The report made it to Dan Coats, U. S. Director of National Intelligence, who passed brief parts to Trump. The response back was that they didn’t want to discuss it. After the election Trump had no interest in anything involving Russian hacking. The virus had not been set up to physically destroy equipment, but could be in the future.
In 2016 a Russian group calling itself the Shadow Brokers penetrated the U. S. NSA stealing the potent Eternal Blue and a mother lode of efficient hacking tools. An NSA employee had loaded the sensitive materials on his home computer which used Russian Kaspersky antivirus software. He received six years in prison. After taunting the NSA for months Shadow Brokers released all the malware to the public in 2017. Soon hackers unleashed these new weapons. Eternal Blue was used by North Korean hackers to spread its ransomware WannaCry. It caused havoc in the U. K. National Health System as appointment schedules were lost and emergency rooms closed. Telefonica in Spain, companies in Germany, France, India and China were attacked, even Sberbank in Russia. Paying the perpetrators did no good; the code had no way to decrypt the files it had encrypted.
In 2012 a French IT Manager reported a Windows vulnerability to Microsoft, which didn’t see it as a serious threat. Frustrated he wrote Mimikatz to show it could be exploited. Soon Mimikatz was in the hands of hackers. A sophisticated group like Sandworm took advantage of all the known tools, old ones like Black Energy and Kill Disk, and newer ones like Eternal Blue, the NSA tool kit, and Mimikatz. Sandworm would enhance them, customize them and tie them together into a virulent malware.
On June 17, 2017, Sandworm struck Ukraine again. This time through tax software that was used by nearly everyone in Ukraine to file taxes. Starting in the spring Sandworm had placed code on the tax company’s update server that sent out patches and updates to its many thousands of customers. Included was Sandworm’s latest creation called Notpetya. Notpetya not only infected the target computers but the computers and servers on their network. Notpetya presented itself as ransomware, but there was no way to get the data back. The intention was clearly just data destruction. Ukraine’s second largest bank had 90% of its computers taken down in seconds. Ukrainian power companies, railways, airports quickly succumbed. Some government agencies avoided the virus by shutting down all their networks and systems immediately upon learning about outages. But even though they saved their data from being destroyed, they were still out of business until the virus was eradicated from all the infected systems or a preventive patch could be provided. The postal service which also handled government pension payments was down with 70% of its 23,000 computers infected, the others shut down in time to prevent infection. Hospitals computers were infected and their data lost. Test results, appointment schedules, all gone. Credit card payment systems no longer worked neither did most ATMs. Many people couldn’t buy gas, metro tickets or food.
Notpetya also struck many international companies with offices in Ukraine. The virus leapt from their Ukraine office computers to their offices around the world. Within hours major companies across the globe were losing their computers and networks; for example Merck, Mondelez, Maersk, Reckitt Benckiser, TNT Express, and even companies in Russia which were probably unintended. The virus was so effective at spreading from one network to another that it may well have exceeded Sandworm’s expectations. Maersk, the mammoth worldwide shipping company, is a good example. It had an office in a Ukraine Black Sea port with one computer in the finance department that had the tax accounting software on it. The computer was infected by the tax company’s server. From there the virus jumped through Maersk’s worldwide network. Maersk’s facility in Elizabeth, New Jersey, five miles from Manhattan, encompasses a square mile with tens of thousands of modular containers stacked high. As many as 3,000 trucks a day enter the facility to deliver or pick up. On the morning of June 27, 2017 all that stopped. Trucks were backed up for miles. The facility closed for the day with no indication of when it would reopen. Truckers and cargo owners were frantic to find alternative shipping or temporary storage. Maersk’s computers were infected and down. They lost all track of shipments coming and going. The same scenario played out at Maersk facilities in Los Angeles, Rotterdam, Algeciras, Mumbai and many others. It would take a week for near normal function to return and that recovery was tenuous. A lone uninfected computer in Ghana contained information vital to the recovery which was hand carried back to the main data center in the U. K. The 18,000 container vessels that served Maersk harbors could then resume deliveries. Even companies not directly hit suffered collateral damage. Many hospitals from the U. S. to India were affected because the provider of their transcription service that puts doctor’s recordings into the computer system was down. The disruption lasted weeks, directly affecting lives. In money terms the total cost of the Notpetya attack was estimated at $10 billion.
Greenberg makes a convincing case that Sandworm is a unit within the GRU, Russian military intelligence. It may have combined resources from several units, some possibly in the FSB, successor to the KGB. Ukraine immediately identified Russia as responsible for notpetya as did many private security services. It would take a while for other governments to publicly acknowledge it though NATO did immediately identify the culprit as a state actor without naming Russia. NATO probably did not want to acknowledge what was an act of war. Interestingly when the giant conglomerate Mondelez filed a claim for damages with its cyber-attack damage insurer, Zurich Insurance Group, the claim was rejected as an act of war. That case is still not settled. In January 2018 the Washington Post reported that the CIA had concluded that Russia was responsible. Finally in February 2018, the White House issued a statement, “In June 2017, The Russian military launched the most destructive and costly cyber-attack in history…It was part of the Kremlin’s effort to destabilize Ukraine…” The U. K. had earlier named Russia and other countries followed. The U. S. imposed financial sanctions on some individual Russians. Unfazed, the GRU that same month disrupted the Olympic Games in South Korea taking out supporting computer systems, perhaps Russia’s response to the anti-doping investigation that punished its athletes. In July 2018 the U.S. Department of Justice indicted 12 GRU hackers for the 2016 election interference. Special Counsel Robert Mueller filed the indictments.
In November 2017, Brad Smith, President of Microsoft, gave a speech at the UN building in Geneva. Some snippets “We’re seeing nations attack civilians even in times of peace.” “We live in a world where the infrastructure of our lives is ultimately vulnerable to the weakest link.” “It’s clear where the world is going. We’re entering a world where every thermostat, every electrical heater, every air conditioner, every power plant, every medical device, every hospital, every traffic light, every automobile will be connected to the internet. Think about what it will mean for the world when those devices are the subject of attack.”
December 12, 2019
I got this book for my husband, I had no intentions of reading it, but we were on a road trip and I put on the audio. I love books that expose me to new things that I turn out to be open to, this cyber world was shocking to me, I had no idea that such warfare was underway for such a long protracted time and the devastating consequences involved. There is no question in my mind our elections were interfered with upon after hearing the myriad of experiences in this dark world. To be honest, I found it terrifying, the harm we choose to inflict upon others is astounding, be it from a gun or cyberspace it’s all equally horrifying. Thought it was excellent and my ostrich head in the sand has been brutally awakened!
January 12, 2020
Just listen to the Darknet diaries podcast episode NotPetya, it's better than the book.
July 31, 2025
Operation Sandworm sees Andy Greenberg dig deep into the background and history of Russian state-sponsored cyber operations, and those who have worked to defend against, and recover the damage caused, as well as pinpoint the groups and individuals behind these.
As such, this research - the author's and others' - leads to Sandworm, as well as other Advanced Persistent Threats (APTs) emanating from the Russian agencies FSB, GRU and SVR teams such as Fancy Bear and Cozy Bear.
The book reads like a novel and covers key events leading to the works of Sandworm such as NotPetya, which caused huge damage to interconnected systems and devices worldwide. As such, we see how US cyber intrusion and intelligence programmes were spread via WikiLeaks and others into the world leading to Russian, and other state actors (China, Iran, North Korea, South Africa, Pakistan) to utilise these for their own dangerous means.
We also then learn how Sandworm (aka Telebots) attacked Ukrainian energy assets and infrastructure, as well as French and US elections, Georgian (country not US state) connected infrastructure, the Seoul Winter Olympics, and dumping credentials and other data useful to other hackers and organised crime out into the wider Internet.
The responses by governments and agencies are documented, including how these same entities went about tackling Russia in naming and seeking to limit action through sanctions.
The writing moves from large events to individuals placed to discover and protect assets plus the piecing together of what and why attacks happened.
All of this is done in clear prose with good explanations where technologies or terminology are covered. As such, no real cyber or tech background is needed.
For myself, it put useful background onto some specifics, and added new information, to what I had seen and worked against during the years covered in this book in my last senior security management role ending in 2023.
Recommended for those interested in Russian foreign policy and actions; technologies such as Internet-connected devices and networks and cyber intrusions; and any reader who enjoys a lively, well-researched account of these damaging, costly and continuing attacks on our way of life.
As such, this research - the author's and others' - leads to Sandworm, as well as other Advanced Persistent Threats (APTs) emanating from the Russian agencies FSB, GRU and SVR teams such as Fancy Bear and Cozy Bear.
The book reads like a novel and covers key events leading to the works of Sandworm such as NotPetya, which caused huge damage to interconnected systems and devices worldwide. As such, we see how US cyber intrusion and intelligence programmes were spread via WikiLeaks and others into the world leading to Russian, and other state actors (China, Iran, North Korea, South Africa, Pakistan) to utilise these for their own dangerous means.
We also then learn how Sandworm (aka Telebots) attacked Ukrainian energy assets and infrastructure, as well as French and US elections, Georgian (country not US state) connected infrastructure, the Seoul Winter Olympics, and dumping credentials and other data useful to other hackers and organised crime out into the wider Internet.
The responses by governments and agencies are documented, including how these same entities went about tackling Russia in naming and seeking to limit action through sanctions.
The writing moves from large events to individuals placed to discover and protect assets plus the piecing together of what and why attacks happened.
All of this is done in clear prose with good explanations where technologies or terminology are covered. As such, no real cyber or tech background is needed.
For myself, it put useful background onto some specifics, and added new information, to what I had seen and worked against during the years covered in this book in my last senior security management role ending in 2023.
Recommended for those interested in Russian foreign policy and actions; technologies such as Internet-connected devices and networks and cyber intrusions; and any reader who enjoys a lively, well-researched account of these damaging, costly and continuing attacks on our way of life.
April 16, 2022
Move over Stephen King. This book by Andy Greenberg, senior writer for Wired magazine, had my hair standing on end. And this is non-fiction. The author investigates the claims that Russian government personnel hacked the DNC in 2016, the Olympics, Ukrainian infrastructure and French elections. Yes, they did. Other hacking incidents happened before 2016 and new ones wreak havoc still into 2022.
The main practice ground for the Russians is the Ukraine. Some of their hacking has spread outside of the Ukraine into other countries. Many western corporations never admitted to being hacked because they don't want to scare their shareholders. As I write this review Russian tanks are sitting on the border of Ukraine and President Biden is planning on sending troops if they cross the border. Hopefully this is just a historical glitch and by the time you read this review the crises will be over.
But I don't think the hacking will be over anytime soon. The Russians are too good at it and have been very successful. What they lack in military might (its military budget is only a tenth of the USA) it makes up for in psychological warfare. It's unsettling to say the least not knowing where they will strike next.
NOTE: The title, Sandworm, was the hint a programmer found while investigating an attack that did serious damage. The Russian hacker must have been a fan of the Dune science fiction series because he/she used the names of its characters in the malware.
The main practice ground for the Russians is the Ukraine. Some of their hacking has spread outside of the Ukraine into other countries. Many western corporations never admitted to being hacked because they don't want to scare their shareholders. As I write this review Russian tanks are sitting on the border of Ukraine and President Biden is planning on sending troops if they cross the border. Hopefully this is just a historical glitch and by the time you read this review the crises will be over.
But I don't think the hacking will be over anytime soon. The Russians are too good at it and have been very successful. What they lack in military might (its military budget is only a tenth of the USA) it makes up for in psychological warfare. It's unsettling to say the least not knowing where they will strike next.
NOTE: The title, Sandworm, was the hint a programmer found while investigating an attack that did serious damage. The Russian hacker must have been a fan of the Dune science fiction series because he/she used the names of its characters in the malware.
November 13, 2019
One of the best books about modern infosecurity threats -- a detailed investigation into the activities of GRU in attacking infrastructure around the world (primarily in Ukraine), their motivations, and where the threat is evolving.
November 24, 2019
If I could give this book more than 5 stars, I would. Absolutely outstanding reporting e,bedded in historical context about Russia’s hacking capabilities, what it’s doing in Ukraine and how it impacts all of us.
It should be required reading for all cyber security, military, industry, and government officials. Everyone should read this book.
It should be required reading for all cyber security, military, industry, and government officials. Everyone should read this book.
April 19, 2021
DNF at about 10%.
This book is meant to be a fast-paced, thrilling story of the tense tech-and-mind standoff between hackers on one end and governments on the other, revolving around one of the largest cyber incidents in modern history.
Unfortunately, it reads like a blog post, designed for maximum awe and minimal depth.
The narrative feels forced. "Good" guys, "bad" guys, cliches. Just to name a few in the handful of pages I read, the author refers to cold weather in Ukraine, and drops a temperature reading - in Fahrenheit. Really. Ukraine, Fahrenheit? Or is this book only intended for American audience? Oh, well. The whole Eastern Block + always snowing is so yesterday.
Then, you have a team of hackers who work in a windowsless room, because somehow it makes more sense than a normal office. Yes, apparently, hackers need green neon fonts for better results.
Lastly, it's "Russian" hax0rs against the "free" world. This works great in a 80s movie plot, but the real world is a bit more nuanced, a bit more gray.
And finally, as someone who works in the IT industry and has decent familiarity with how operating systems work, how companies (mis)manage their IT, and what actual security issues are, how they manifest, and such, this whole deal feels so overrated and overblown. Servers get hacked because they aren't patched. Big deal. Patch them. Can't? Well, you have the wrong business model if critical infrastructure is Internet-facing and without the ability to patch. Simple.
Reading this book, I had the memory of the movie Swordfish in my head. Nah.
The author has talent, that's obvious from his style, but even this talent cannot work around the fact that the story just isn't interesting and compelling enough to be told in a book, and forcing it only creates more problems.
Sadly, DNF. I was actually hoping this would be a good read, but hey.
Igor
This book is meant to be a fast-paced, thrilling story of the tense tech-and-mind standoff between hackers on one end and governments on the other, revolving around one of the largest cyber incidents in modern history.
Unfortunately, it reads like a blog post, designed for maximum awe and minimal depth.
The narrative feels forced. "Good" guys, "bad" guys, cliches. Just to name a few in the handful of pages I read, the author refers to cold weather in Ukraine, and drops a temperature reading - in Fahrenheit. Really. Ukraine, Fahrenheit? Or is this book only intended for American audience? Oh, well. The whole Eastern Block + always snowing is so yesterday.
Then, you have a team of hackers who work in a windowsless room, because somehow it makes more sense than a normal office. Yes, apparently, hackers need green neon fonts for better results.
Lastly, it's "Russian" hax0rs against the "free" world. This works great in a 80s movie plot, but the real world is a bit more nuanced, a bit more gray.
And finally, as someone who works in the IT industry and has decent familiarity with how operating systems work, how companies (mis)manage their IT, and what actual security issues are, how they manifest, and such, this whole deal feels so overrated and overblown. Servers get hacked because they aren't patched. Big deal. Patch them. Can't? Well, you have the wrong business model if critical infrastructure is Internet-facing and without the ability to patch. Simple.
Reading this book, I had the memory of the movie Swordfish in my head. Nah.
The author has talent, that's obvious from his style, but even this talent cannot work around the fact that the story just isn't interesting and compelling enough to be told in a book, and forcing it only creates more problems.
Sadly, DNF. I was actually hoping this would be a good read, but hey.
Igor
April 28, 2021
Greenberg writes for WIRED magazine and is a specialist in cyber security and privacy issues. This book is an extremely readable account of a Russian hacker group nicknamed Sandworm that succeeded in shutting down a substantial amount of infrastructure throughout the world but was aimed primarily at Ukraine. The attacks targeted every aspect of Ukrainian society: government servers, media organizations, transportation hubs. Ukrainian cyber experts could only watch as systems began to crash all around them. Public web sites, trains, banking systems and ATMs were disrupted. Finally, the electricity grid collapsed plunging hundreds of thousands of Ukrainians into darkness.
Having read several articles and books on Stuxnet, the successful destruction of Iranian nuclear centrifuges by the U.S. and Israel, I was anxious to read Greenberg's book. "Zero Day" security flaws are software holes that have never been used before so their vulnerability has yet to be discovered or fixed. Knowledge of these is precious to those wishing to penetrate systems. The Sandworm group (the name came from a Frank Herbert novel, Dune) has access to several and used them to great effect. The group went to great lengths to disguise themselves and hide. To Greenberg's credit he is able to explain how experts deciphered what group was responsible and he does it in language free of technical jargon.
Just a few months ago, a Netherlands researcher wanted to come to the U.S. to present a paper on the vulnerability of the industrial control system. There are almost 30,000 of these devices (programmable logic controllers) that control everything from wastewater plants to the electrical grid. The researcher, thanks to America's arcane and silly visa system, was not admitted and so unable to present these important findings. Fortunately he was able to post them to his blog. Whether that resulted in a wider dissemination of the information than had he delivered his talk is academic, perhaps. **
Researcher Wojciech, used standard OSINT techniques (the CIA has identified five main OSINT fields: Internet, media, geolocation, conferences, and online pictures) to analyze the exposed ICS devices. Many of these are used in critical infrastructure that would include dams, electrical grid, reactors, health treatment facilities, etc. Critical infrastructure developed by OSINT can be used not just by espionage agencies, but also criminal elements who may seek to gain monetary advantage by holding these devices hostage. OSINT techniques are passive, in that the target remains completely unaware it is being surveilled. Access may be gained by open ports, IP addresses, knowledge of details of the specific devices and how they work -- all freely available online and elsewhere -- and even responses from the device itself.
Here's an example of device information that's available that even includes the phone number:
There are several programs that permit searching the internet for active ICS devices (https://www.shodan.io for example.) The author lays out precisely how to go about searching. Many of these devices have open management ports that are convenient for technicians to access the devices remotely for maintenance. That, however, makes them extremely vulnerable to malicious actors. General contractors with government contracts are particularly vulnerable as they have a history of being more open and thus more vulnerable.
That hackers can cause innumerable problems has already been shown in Ukraine, Estonia, and Georgia where the Russians devastated each country's infrastructure. Andy Greenberg in Sandworm documents what happened in several cases. In Ukraine access to the banking system was eliminated.
It took forty-five seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub…was fully infected in sixteen seconds. Ukrenergo, the energy company…had also been struck yet again…the effect was like a vandal who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack.
Ukraine became a testing ground for Russian hacking. Disinformation to spread distrust in the election and tampering with the infrastructure were simply test runs for their successful attacks on United States electoral trust in 2016 and 2020. Ukraine had taken the brunt of Russian abuse for centuries and Greenberg's short history of those onslaughts was suitably horrifying. (See also Anne Applebaum's Red Famine: Stalin's War on Ukraine to understand why Ukraine at first welcomed the Nazis.)
US officials, typically heads in the sand, refused to admit something similar could happen in the U.S. yet we now know that Russian hackers infiltrated the U.S. election system and may well have manipulated the outcome in a variety of unorthodox ways. In 2016, Iranian hackers attacked several US banks causing millions in damages and shut down a dam presumably in retaliation for the Stuxnet attack. The attacks themselves were quite unsophisticated, mostly DDoS attacks that even the most unsophisticated hacker can pull off.
There is software (malware, really) that has been designed for specific purposes; Stuxnet is but one example. Another, discovered by the security firm Dragos, was CrashOverride***, only the fourth example of malware designed to attack and manipulate the controllers in electrical grids. "The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages."
Greenberg shows that a variety of software is available, even for sale, that permits relatively easy access for anyone, but can also be used to hide the origin of the attacker. To make matters worse, Greenberg wrote in Wired (https://www.wired.com/story/plundervo...) of researchers who had managed to access and control Intel processors (a vulnerability that has since been fixed) by manipulating the internal voltage of the processor. You can induce faults by lowering or changing the voltage and once you can do that you can change the output by manipulating the faults. The technique, called Plundervolt, was discovered concurrently by a researcher in Beijing. (Take from that what you will.)
In his book, Greenberg focuses on Sandworm, a group of hackers and software named after the malicious creature in Dune (cyberanalysts had discovered that preference while doing research on the code - don't ask me how.) They determined there was evidence that Sandworm had been infiltrating critical infrastructure—some of it in the United States—since 2011 and had already developed a weapon that could knock it out. When it was used against Ukraine, it had evolved even further.
The hackers had, in other words, created an automated cyberweapon that performed the same task they’d carried out the year before, but now with inhuman speed. Instead of manually clicking through circuit breakers with phantom hands, they’d created a piece of malware that carried out that attack with cruel, machine-quick efficiency.
PowerPoint users need take note that the program has become so large and now includes so many useless features that it has almost become its own programming language. The Sandworm group utilized the ability to place objects and run programs within slides to place malware within the users computer that would download or run other programs unbeknownst to the user.
They managed to fix the system in about an hour, but the point was made. Another group calling themselves ShadowBrokers made off with a whole set of penetration tools developed by the NSA and turned them loose in the wild where virtually anyone with a modicum of knowledge can make use of them. Shadow Brokers caused immense harm when they released EternalBlue, malware that spread faster than anything anyone had seen before. Within minutes it had disabled pharmaceutical companies, and Maersk, the huge shipping company was brought to its knees.
“ 'For days to come, one of the world’s most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken,” Greenberg writes of the attack on Maersk, calling it “a clusterfuck of clusterfucks.” The company was only able to get its ships and ports back in operation after nearly two weeks and hundreds of millions of dollars in losses, when an office in Ghana was found to have the single computer that hadn’t been connected to the Internet at the time of the attack.' " ****
I've been reading a lot of books and articles on the potential for cyberwarfare. The potential is there for even non-state actors to operate in the shadows and do tremendous harm. Then again shutting down most of our industry might solve the global warming worst case scenarios. One apocalypse preventing another.
**https://www.icscybersecurityconferenc...
***For a review of CrashOverride designed to attack electricity grids, see https://dragos.com/wp-content/uploads...
****https://www.i-cio.com/management/insi... Note that this source places the lone saved Domain Controller in Nigeria rather than the more accepted Ghana.
Having read several articles and books on Stuxnet, the successful destruction of Iranian nuclear centrifuges by the U.S. and Israel, I was anxious to read Greenberg's book. "Zero Day" security flaws are software holes that have never been used before so their vulnerability has yet to be discovered or fixed. Knowledge of these is precious to those wishing to penetrate systems. The Sandworm group (the name came from a Frank Herbert novel, Dune) has access to several and used them to great effect. The group went to great lengths to disguise themselves and hide. To Greenberg's credit he is able to explain how experts deciphered what group was responsible and he does it in language free of technical jargon.
Just a few months ago, a Netherlands researcher wanted to come to the U.S. to present a paper on the vulnerability of the industrial control system. There are almost 30,000 of these devices (programmable logic controllers) that control everything from wastewater plants to the electrical grid. The researcher, thanks to America's arcane and silly visa system, was not admitted and so unable to present these important findings. Fortunately he was able to post them to his blog. Whether that resulted in a wider dissemination of the information than had he delivered his talk is academic, perhaps. **
Researcher Wojciech, used standard OSINT techniques (the CIA has identified five main OSINT fields: Internet, media, geolocation, conferences, and online pictures) to analyze the exposed ICS devices. Many of these are used in critical infrastructure that would include dams, electrical grid, reactors, health treatment facilities, etc. Critical infrastructure developed by OSINT can be used not just by espionage agencies, but also criminal elements who may seek to gain monetary advantage by holding these devices hostage. OSINT techniques are passive, in that the target remains completely unaware it is being surveilled. Access may be gained by open ports, IP addresses, knowledge of details of the specific devices and how they work -- all freely available online and elsewhere -- and even responses from the device itself.
Here's an example of device information that's available that even includes the phone number:
There are several programs that permit searching the internet for active ICS devices (https://www.shodan.io for example.) The author lays out precisely how to go about searching. Many of these devices have open management ports that are convenient for technicians to access the devices remotely for maintenance. That, however, makes them extremely vulnerable to malicious actors. General contractors with government contracts are particularly vulnerable as they have a history of being more open and thus more vulnerable.
That hackers can cause innumerable problems has already been shown in Ukraine, Estonia, and Georgia where the Russians devastated each country's infrastructure. Andy Greenberg in Sandworm documents what happened in several cases. In Ukraine access to the banking system was eliminated.
It took forty-five seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub…was fully infected in sixteen seconds. Ukrenergo, the energy company…had also been struck yet again…the effect was like a vandal who first puts a library’s card catalog through a shredder, then moves on to methodically pulp its books, stack by stack.
Ukraine became a testing ground for Russian hacking. Disinformation to spread distrust in the election and tampering with the infrastructure were simply test runs for their successful attacks on United States electoral trust in 2016 and 2020. Ukraine had taken the brunt of Russian abuse for centuries and Greenberg's short history of those onslaughts was suitably horrifying. (See also Anne Applebaum's Red Famine: Stalin's War on Ukraine to understand why Ukraine at first welcomed the Nazis.)
US officials, typically heads in the sand, refused to admit something similar could happen in the U.S. yet we now know that Russian hackers infiltrated the U.S. election system and may well have manipulated the outcome in a variety of unorthodox ways. In 2016, Iranian hackers attacked several US banks causing millions in damages and shut down a dam presumably in retaliation for the Stuxnet attack. The attacks themselves were quite unsophisticated, mostly DDoS attacks that even the most unsophisticated hacker can pull off.
There is software (malware, really) that has been designed for specific purposes; Stuxnet is but one example. Another, discovered by the security firm Dragos, was CrashOverride***, only the fourth example of malware designed to attack and manipulate the controllers in electrical grids. "The functionality in the CRASHOVERRIDE framework serves no espionage purpose and the only real feature of the malware is for attacks which would lead to electric outages."
Greenberg shows that a variety of software is available, even for sale, that permits relatively easy access for anyone, but can also be used to hide the origin of the attacker. To make matters worse, Greenberg wrote in Wired (https://www.wired.com/story/plundervo...) of researchers who had managed to access and control Intel processors (a vulnerability that has since been fixed) by manipulating the internal voltage of the processor. You can induce faults by lowering or changing the voltage and once you can do that you can change the output by manipulating the faults. The technique, called Plundervolt, was discovered concurrently by a researcher in Beijing. (Take from that what you will.)
In his book, Greenberg focuses on Sandworm, a group of hackers and software named after the malicious creature in Dune (cyberanalysts had discovered that preference while doing research on the code - don't ask me how.) They determined there was evidence that Sandworm had been infiltrating critical infrastructure—some of it in the United States—since 2011 and had already developed a weapon that could knock it out. When it was used against Ukraine, it had evolved even further.
The hackers had, in other words, created an automated cyberweapon that performed the same task they’d carried out the year before, but now with inhuman speed. Instead of manually clicking through circuit breakers with phantom hands, they’d created a piece of malware that carried out that attack with cruel, machine-quick efficiency.
PowerPoint users need take note that the program has become so large and now includes so many useless features that it has almost become its own programming language. The Sandworm group utilized the ability to place objects and run programs within slides to place malware within the users computer that would download or run other programs unbeknownst to the user.
They managed to fix the system in about an hour, but the point was made. Another group calling themselves ShadowBrokers made off with a whole set of penetration tools developed by the NSA and turned them loose in the wild where virtually anyone with a modicum of knowledge can make use of them. Shadow Brokers caused immense harm when they released EternalBlue, malware that spread faster than anything anyone had seen before. Within minutes it had disabled pharmaceutical companies, and Maersk, the huge shipping company was brought to its knees.
“ 'For days to come, one of the world’s most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken,” Greenberg writes of the attack on Maersk, calling it “a clusterfuck of clusterfucks.” The company was only able to get its ships and ports back in operation after nearly two weeks and hundreds of millions of dollars in losses, when an office in Ghana was found to have the single computer that hadn’t been connected to the Internet at the time of the attack.' " ****
I've been reading a lot of books and articles on the potential for cyberwarfare. The potential is there for even non-state actors to operate in the shadows and do tremendous harm. Then again shutting down most of our industry might solve the global warming worst case scenarios. One apocalypse preventing another.
**https://www.icscybersecurityconferenc...
***For a review of CrashOverride designed to attack electricity grids, see https://dragos.com/wp-content/uploads...
****https://www.i-cio.com/management/insi... Note that this source places the lone saved Domain Controller in Nigeria rather than the more accepted Ghana.
November 20, 2023
A hell of a read. I will be recommending this book to any of my friend who say computers aren’t interesting. It was engaging till the end. It is very dense with information so I took a few breaks just to digest everything. The way the story flowed was well done. It’s a lot of work laying out this giant puzzle while adding in the appropriate amount of needed context. So bravo for that feat.
But my serious thoughts and takeaways below:
There’s so much to unpack it’s hard to know where to start.
This book really highlighted the important work of private security researchers, on an informational and political level. Due to the nature of cyber attacks, civilians get to investigate geopolitical conflicts in a way they haven’t before.
The U.S. actions clearly demonstrated their preference to classify by default, and makes me wonder how much they would have disclosed if it weren’t for the detailed reports from multiple private firms across several different nations.
Because of these independent reports, both the U.S. and Russia are having to learn to adapt their playbooks.
The U.S. government has to learn to be more transparent or they risk creating distrust with the public. Limiting communication will make them look incompetent, or shady.
And Russia can’t claim (with any credibility) the reports are U.S. anti Russia propaganda.
Moving on….
If the U.S. is one thing, it’s short sighted.
While I appreciate Corman’s candid comments on a “digital Geneva Convention.” They are certainly alarming.
The governments avoidance on hashing out issues regarding nation state hacking and civil infrastructure sabotage, because the U.S. wants to keep that door open for themselves, only makes sense if your view point is “that won’t happen here.”
It’s an irresponsible approach, bordering on negligent.
Our infrastructure is largely privatized, for profit, and ran by people who are concerned with protecting their shareholders. This inevitably leads to cyber security being deprioritized for the sake of profits. Because cyber security is always viewed as an expense, which (in the capitalistic view) should be minimized. This coupled with the U.S. underplaying the risk of these attacks is a very dangerous combination.
Another comment from Corman that particularly stood out to me was “cybers going to cyber, but you’d better be damn flawless in your execution. You fuck up and hit a hospital, you get the international war crime”
Which is obviously yes?? Launching any type of attack against another nation *especially* one that has potential to impact civilian life, should be flawless. You should be held up to scrutiny for your negligence. I think this comment captures the private sentiments of the U.S. and their cyber operations, that most of us aren’t privy to.
Next…
Geers seems eccentric and a bit extreme, but I don’t think it’s unwarranted.
digitalizing everything has become a presumed conclusion and not enough people are considering “just because we can doesn’t mean we should”
Often times going digital isn’t even cost effective or more convenient. But it’s pushed because there’s a profit to be made.
Lastly, the comments regarding Smith’s speech at Geneva were cathartic. I think Microsoft would like to distance themselves from the blowback or their inaction (mimikatz being one example of many) this speech felt like an attempt to control the narrative. Why they constantly discard reports of responsible disclosure is a mystery to me. I suspect it’s either ego driven or they lack imagination.
/rant
But my serious thoughts and takeaways below:
There’s so much to unpack it’s hard to know where to start.
This book really highlighted the important work of private security researchers, on an informational and political level. Due to the nature of cyber attacks, civilians get to investigate geopolitical conflicts in a way they haven’t before.
The U.S. actions clearly demonstrated their preference to classify by default, and makes me wonder how much they would have disclosed if it weren’t for the detailed reports from multiple private firms across several different nations.
Because of these independent reports, both the U.S. and Russia are having to learn to adapt their playbooks.
The U.S. government has to learn to be more transparent or they risk creating distrust with the public. Limiting communication will make them look incompetent, or shady.
And Russia can’t claim (with any credibility) the reports are U.S. anti Russia propaganda.
Moving on….
If the U.S. is one thing, it’s short sighted.
While I appreciate Corman’s candid comments on a “digital Geneva Convention.” They are certainly alarming.
The governments avoidance on hashing out issues regarding nation state hacking and civil infrastructure sabotage, because the U.S. wants to keep that door open for themselves, only makes sense if your view point is “that won’t happen here.”
It’s an irresponsible approach, bordering on negligent.
Our infrastructure is largely privatized, for profit, and ran by people who are concerned with protecting their shareholders. This inevitably leads to cyber security being deprioritized for the sake of profits. Because cyber security is always viewed as an expense, which (in the capitalistic view) should be minimized. This coupled with the U.S. underplaying the risk of these attacks is a very dangerous combination.
Another comment from Corman that particularly stood out to me was “cybers going to cyber, but you’d better be damn flawless in your execution. You fuck up and hit a hospital, you get the international war crime”
Which is obviously yes?? Launching any type of attack against another nation *especially* one that has potential to impact civilian life, should be flawless. You should be held up to scrutiny for your negligence. I think this comment captures the private sentiments of the U.S. and their cyber operations, that most of us aren’t privy to.
Next…
Geers seems eccentric and a bit extreme, but I don’t think it’s unwarranted.
digitalizing everything has become a presumed conclusion and not enough people are considering “just because we can doesn’t mean we should”
Often times going digital isn’t even cost effective or more convenient. But it’s pushed because there’s a profit to be made.
Lastly, the comments regarding Smith’s speech at Geneva were cathartic. I think Microsoft would like to distance themselves from the blowback or their inaction (mimikatz being one example of many) this speech felt like an attempt to control the narrative. Why they constantly discard reports of responsible disclosure is a mystery to me. I suspect it’s either ego driven or they lack imagination.
/rant
December 28, 2022
Šī grāmata ir kā The Matrix sarkanā tablete, pēc kuras apēšanas redzi, ka mūsdienu pasaules digitālais ietvars ir daudz trauslāks, nekā mēs naivi un uzticīgi esam iedomājušies.
Diezgan baisi.
Diezgan baisi.
February 12, 2020
While reading “Sandworm”, One is tempted to recall the dialog of Slim Pickens in Kubrick’s movie Doctor Strangelove - “Nuclear Combat, toe to toe with the Russkies!” Or when he rides a bomb down to the end of the world.
Andy Greenberg’s new book is about cyber war and focuses on the Russian teams, linked to the GRU organization, that were behind the cyber attacks on Ukraine and other countries, including the US since 2016 (and before). The title comes with a reference to Frank Herbert’s Dune stories for one of the teams. I am not blessed with excessive knowledge of code of any sort, especially industrial controls or other ways that the Internet reaches out and touches us. I am thrown into chaos when I miss a key update and do not find out about it until later. This makes me recognize just how vulnerable modern urban society would be to cyber war.
So in reading Greenberg’s book about the Russian cyber attacks, how they worked, the damage they caused, and the difficulties that cyber security researchers encountered in just figuring out what they were, my reaction was Yikes!. It is a scary book that is convincingly argued. I have no doubt that more of this will happen and I have no idea what to do about it that I am not already doing.
The book is a well written spy thriller that does a good job in linking the world of post-cold war diplomacy with the new technologies of networked computer systems that are coming to control everything. ...and the book hardly touched on threats from China. It also provides an introduction to the world of cyber security that can be looked into further if one wishes.
If you need to read more on cyber warfare, this seems like a good book to start with.
Andy Greenberg’s new book is about cyber war and focuses on the Russian teams, linked to the GRU organization, that were behind the cyber attacks on Ukraine and other countries, including the US since 2016 (and before). The title comes with a reference to Frank Herbert’s Dune stories for one of the teams. I am not blessed with excessive knowledge of code of any sort, especially industrial controls or other ways that the Internet reaches out and touches us. I am thrown into chaos when I miss a key update and do not find out about it until later. This makes me recognize just how vulnerable modern urban society would be to cyber war.
So in reading Greenberg’s book about the Russian cyber attacks, how they worked, the damage they caused, and the difficulties that cyber security researchers encountered in just figuring out what they were, my reaction was Yikes!. It is a scary book that is convincingly argued. I have no doubt that more of this will happen and I have no idea what to do about it that I am not already doing.
The book is a well written spy thriller that does a good job in linking the world of post-cold war diplomacy with the new technologies of networked computer systems that are coming to control everything. ...and the book hardly touched on threats from China. It also provides an introduction to the world of cyber security that can be looked into further if one wishes.
If you need to read more on cyber warfare, this seems like a good book to start with.
December 5, 2020
Excellent book about cyber-security and Russian hacker. If you think it's not related to you, think again! Among their targets were big ports, hospitals in different countries, bank machines in Ukraine, etc. Nobody could be safe with such level of technology spread that we depend more and more each day. USA and Israel did attacks on Iran nuclear program using StuxNet (for excellent account of that check Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon). But apparently not just USA and Israel can do that, China, North Korea, Russia and other countries are using hackers more than conventional weapons now - and it make sense, cheaper and less dangerous for those who initiated attacks. With coming year we'll see more and more of such issues, so read the book to be prepared to what is coming.
January 27, 2026
I thought this was a really great, engaging book. As someone who knows virtually nothing about cyber war and security and as someone who is not very techy, I found this book to be accessible. It read with the similar cadence of an espionage story and yet was informative and foundational.
June 11, 2021
Very well researched journey with GRU hacking unit for several years, including Not Petya virus. Story how Maersk was struck is just fascinating. Raising also some important questions about use of cyberwarfare in recent years.
June 22, 2021
I wish that I could rate this book 6/5 stars. It was THAT good. Couldn’t put this one down!
December 7, 2019
It is a rare feat to write a non-fiction book that manages to be both factually informative and absolutely compelling to read. This book is one that does. It could not be more timely or important given the current need to mis-direct attention with spurious charges of meddling BY Ukrainian actors when the truth is ENTIRELY the opposite. They have been and will continue to be the targets of Russian interference. And, of course, so are we. I love the way Mr. Greenberg includes enough of the technical hacking information to feed my interest but never lets it bog down the flow of the story. He connects the dots starting with dot 1 and running through to dot 256 (or wherever we are now). It is exactly the kind of reporting that used to be undeniable before 2016 when nearly half of the country decided to be delusional and only believe what they wanted. This book does scare me but I know that we have intelligent people, one might call them "elites", working to protect our important systems and I hope they can continue to do their work without interference from idiotic despots.
November 19, 2019
The counterpart to malware is what some people, mainly techies, call “scareware”—articles written in the popular press about threats to our digital way of life. This book is certainly an example. Nonetheless, it is very sobering. You should read it. The hazards it describes are real and must be addressed before we go too much farther down the path toward connecting our doorbells and refrigerators and driverless cars to the Internet of Things. Not to mention connecting our ATMs and grocery stores and traffic signals and medical records and electric power grids.
What sets this book apart is that it isn’t just another true-hacker-crime story. In his reporting on cyberattacks against infrastructure in Ukraine, Greenberg gives a glimpse into the rapidly evolving nature of modern asymmetric warfare and, perhaps, into the dawn of a new arms race. For that reason alone, you should read this book.
What sets this book apart is that it isn’t just another true-hacker-crime story. In his reporting on cyberattacks against infrastructure in Ukraine, Greenberg gives a glimpse into the rapidly evolving nature of modern asymmetric warfare and, perhaps, into the dawn of a new arms race. For that reason alone, you should read this book.
January 17, 2020
I have mixed feelings about this book. I feel like Greenberg did a monumental amount of work to provide us with an extensive history of Russia's switch to preferring cyber attacks and social destabilization to advance their geopolitical agenda. However, he interjects his own political beliefs too often and makes the book slightly partisan. Additionally, for some of the partisan statements he makes, I feel like he really needs to go over the evidence if he wants to make such an assertion.
When he stays on point - documenting Sandworm, the GRU, Ukrainian cyber attacks, and the US's lack of infrastructure preparedness - he does a phenomenal job. Its a shame that he allows recurrent partisan statements to diminish his work.
When he stays on point - documenting Sandworm, the GRU, Ukrainian cyber attacks, and the US's lack of infrastructure preparedness - he does a phenomenal job. Its a shame that he allows recurrent partisan statements to diminish his work.
November 30, 2019
Fantastic read. This was like a history of hacking for me, and I was in awe of all the events I had never heard of because the news is so focused on the president’s latest tweets. I feel I have a foundational understanding finally of the politics of Ukraine and Russia and the major codenames for hackers and malware. It is written well and keeps your attention. I started taking notes halfway through because I know I will come back to them as this landscape develops. This is another book I really think should be required reading!
Want to read
December 2, 2019Too technical for me, but a very important topic. I hope I'll get back to it someday. It seems to me that if they want to reach a non-tech crowd like me, the Dune series discovery angle could be very interesting.
January 27, 2023
There was a lot of amazing stuff in this. I'm sure I'll be rereading it soon. Some things in this book surprised the heck out of me. The interviews are quite revealing. At times, I felt naive, but I hadn't given this any real thought before. As I said, this is an amazing book
March 25, 2025
Andy Greenberg je u knjizi o hakerskoj grupi Sandworm napravio pravi master class o tome kako se piše vrsna publicistika. Ako izuzmemo jednu generalnu antirusku predrasudu u kratkim opisima istorijskih okolnosti njihovog sukoba sa Ukrajinom, reč je o vrlo temeljnom, a ako uzmemo u obzir temu, zapravo pitkom izlaganju složene teme.
Greenberg je uspeo da sagleda širi istorijat hakovanja infrastrukturnih postrojenja a onda je dao istorijat Sandworma i njihovih visokoorganizovanih i raznornih napada u akcijama kao što je NotPetya.
Sagovornici su relevantni, opisi su atmosferični, i uprkos tome što sam deo ovog izveštavanja ispratio čitajući Greenberga u Wiredu, u knjizi sam uživao od početka do kraja kao u vrsnom trileru.
U onom ideološkom pogledu, Greenbergu fali malo skrupuloznosti, oseća se da dolazi iz miljea u kom se ipak isključivo obraća istomišljenicima ali to je nedostatak koji se lako da ispraviti.
Greenberg je uspeo da sagleda širi istorijat hakovanja infrastrukturnih postrojenja a onda je dao istorijat Sandworma i njihovih visokoorganizovanih i raznornih napada u akcijama kao što je NotPetya.
Sagovornici su relevantni, opisi su atmosferični, i uprkos tome što sam deo ovog izveštavanja ispratio čitajući Greenberga u Wiredu, u knjizi sam uživao od početka do kraja kao u vrsnom trileru.
U onom ideološkom pogledu, Greenbergu fali malo skrupuloznosti, oseća se da dolazi iz miljea u kom se ipak isključivo obraća istomišljenicima ali to je nedostatak koji se lako da ispraviti.
January 8, 2025
this book took me about a month to get through, not because it was a hard read, but simply because of the magnitude of the content. there were countless times where I had to put the book down to digest a passage. this book is scary, but it truly an essential read. Greenberg does an incredible job at explaining the intricacies of the technological details in palatable way.
October 23, 2022
This book has forever changed the way I view both my digital footprint and the future of war. It’s an uncertain and terrifying future we venture into…
August 6, 2025
Throwing my phone, computer and WiFi router into the ocean.
April 6, 2022
This book is one of the most educational and terrifying things I’ve ever read. The threats mentioned and already carried out over the past 8 years signal a future filled with disaster, and I’d never heard of them until now. Sandworm is jargon heavy and a little dense at times, but the message is clear as day. The technology that we depend on is fragile, and governments are doing a shit job of protecting it all from falling apart. Also, highly relevant to the current Russia/Ukraine conflict, with great context for their turbulent history. 10/10 would recommend to anyone
March 6, 2021
Though I did feel at parts of reading I was studying for the Security+ exam again, this book blew me away. Book is current, relevant, and downright scary!
September 2, 2025
Re-read this for a book club, and it was interesting to read this again in the ongoing context of the war between Ukraine and Russia.
This was a very interesting read that really helped me better understand the lead up to the invasion of Ukraine - which is particularly interesting considering the fact that this book was published in 2019. Even though the invasion was yet to happen at that time, you could see all the arrows pointing to it. I also enjoyed learning more about the rise of cyberwarfare. I knew about bits and pieces of that history, but it was fascinating reading about all the connecting threads of what I already knew. My biggest qualms with the book were the constant jumping back and forth through time, and the fact that the author didn't seem to quite know what his thesis was. It would have been a much better book told in a more linear fashion with a tighter focus on following the history - it broke down a bit at the end when we got into a lot of speculation and flying to Russia and asking Russian hackers what they know about the Kremlin hacking. Although, that last bit made me laugh because I'm not entirely sure what he thought he would accomplish with that.
This was a very interesting read that really helped me better understand the lead up to the invasion of Ukraine - which is particularly interesting considering the fact that this book was published in 2019. Even though the invasion was yet to happen at that time, you could see all the arrows pointing to it. I also enjoyed learning more about the rise of cyberwarfare. I knew about bits and pieces of that history, but it was fascinating reading about all the connecting threads of what I already knew. My biggest qualms with the book were the constant jumping back and forth through time, and the fact that the author didn't seem to quite know what his thesis was. It would have been a much better book told in a more linear fashion with a tighter focus on following the history - it broke down a bit at the end when we got into a lot of speculation and flying to Russia and asking Russian hackers what they know about the Kremlin hacking. Although, that last bit made me laugh because I'm not entirely sure what he thought he would accomplish with that.
February 17, 2022
As I listened to this audiobook, Russian forces are seemingly posed for battle along the border of Ukraine. This book helped fill me in on details surrounding the conflict between these two countries and make connections between events I’ve read about in the news across the years. As a sci-fi fan, I also got a kick out of the references to Dune in the hackers’ lingo. Very exciting and informative book!
Displaying 1 - 30 of 900 reviews