Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Andy Greenberg

Book - 2019

"In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen, including the first-ever blackouts triggered by hackers. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world's largest companies--from drug manufacturing to software to shipping. At the attack's epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage--the largest, most devastating cyberattack the world had seen. The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: Sandworm. Working in the service of Russia's military intelligence agency, they represent a persistent, highly skilled, state-sponsored force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike. A chilling, globe-spanning detective story, Sandworm considers the danger this force poses to our national stability and security. As the Kremlin's role in meddling in the 2016 election, manipulating foreign governments, and sparking chaos comes into greater focus, Sandworm exposes the realities not just of Russia's global digital offensive, but of an era where warfare ceases to be waged on the battlefield. It reveals how the line between digital and physical conflict, between wartime and peacetime, has begun to blur--with world-shaking implications"--


2 / 2 copies available

Location    Call Number          Status
2nd Floor   364.168/Greenberg    Checked In
2nd Floor   364.168/Greenberg    Checked In
New York : Doubleday [2019]
Main Author: Andy Greenberg (author)
First edition
Physical Description: xiii, 348 pages ; 25 cm
Includes bibliographical references and index.
  • Introduction
  • Prologue
  • Part I. Emergence
  • 1. The Zero Day
  • 2. BlackEnergy
  • 3. Arrakis02
  • 4. Force Multiplier
  • 5. StarLightMedia
  • 6. Holodomor to Chernobyl
  • 7. Maidan to Donbas
  • 8. Blackout
  • 9. The Delegation
  • Part II. Origins
  • 10. Flashback: Aurora
  • 11. Flashback: Moonlight Maze
  • 12. Flashback: Estonia
  • 13. Flashback: Georgia
  • 14. Flashback: Stuxnet
  • Part III. Evolution
  • 15. Warnings
  • 16. Fancy Bear
  • 17. FSociety
  • 18. Poligon
  • 19. Industroyer/Crash Override
  • Part IV. Apotheosis
  • 20. Maersk
  • 21. Shadow Brokers
  • 22. EternalBlue
  • 23. Mimikatz
  • 24. NotPetya
  • 25. National Disaster
  • 26. Breakdown
  • 27. The Cost
  • 28. Aftermath
  • 29. Distance
  • Part V. Identity
  • 30. GRU
  • 31. Defectors
  • 32. Informatsionnoye Protivoborstvo
  • 33. The Penalty
  • 34. Bad Rabbit, Olympic Destroyer
  • 35. False Flags
  • 36. 74455
  • 37. The Tower
  • 38. Russia
  • 39. The Elephant and the Insurgent
  • Part VI. Lessons
  • 40. Geneva
  • 41. Black Start
  • 42. Resilience
  • Epilogue
  • Appendix: Sandworm's Connection to French Election Hacking
  • Acknowledgments
  • Source Notes
  • Bibliography
  • Index
Review by Booklist Review

Wired journalist Greenberg recounts recent cyberattacks and tracks private investigators who have sought their source. The care that intruders take to cover their digital fingerprints makes this a challenge even for experts, and readers will revel in the details Greenberg provides. To obviate suspense, the culprit they unveiled is the Russian military's intelligence agency, the GRU. This assertion stems from the forensic examinations of malware by Greenberg's interviewees, several of whom are former employees of the National Security Agency who like to use monikers for cybercriminals. "Sandworm," for example, refers to perpetrators of attacks on Ukraine's government, industry, infrastructure, and media concurrent with the country's territorial losses to Russia, hackers who apparently admire the classic sf novel Dune (1965). Noting other targets of Russian cyberwarfare, including Estonia, NATO, various corporations, elections in the U.S. and France, and the 2018 Winter Olympics, Greenberg elaborates a particularly damaging worldwide offensive, dubbed "NotPetya," that Russia conducted in 2017. Loaded with original reportage, Greenberg's urgent and clarifying book will inform and worry everyone concerned about national and cyber security.--Gilbert Taylor Copyright 2019 Booklist

From Booklist, Copyright (c) American Library Association. Used with permission.
Review by Publisher's Weekly Review

Technology journalist Greenberg (This Machine Kills Secrets) delivers a taut inquiry into the "most devastating and costly malware in history" and the state-sponsored Russian hacker team that developed and deployed it. Housed within the GRU, Russia's military intelligence agency, the group has been nicknamed Sandworm for the references to science fiction novel Dune found in the code it used to shut down portions of Ukraine's power grid in December 2015. In June 2017, Sandworm launched a cyberattack that spread to "countless machines around the world" and caused billions of dollars in damages. Known as NotPetya, the malware used stolen NSA hacking tools to infect entire computer networks in a matter of seconds. Greenberg traces NotPetya's ripple effects and speaks with "the lonely club of Cassandras" who have been tracking Sandworm for years. According to at least one of his sources, the group also hacked into U.S. state boards of elections in 2016 and crashed the Wi-Fi at the 2018 Winter Olympics. Though much about Sandworm remains unknown, including its exact motivations, Greenberg is an adroit investigator and gifted metaphorist. His lucid, dynamic exposé is a must-read for those worried about the vulnerabilities of the digital world. (Nov.)

(c) Copyright PWxyz, LLC. All rights reserved
Review by Library Journal Review

In the summer of 2017, the worst digital attack in history paralyzed companies around the world. Financial institutions, shipping companies, and even drug manufacturers were impacted. The malware was named NotPetya and the group responsible was called Sandworm. Greenberg (senior writer, Wired; This Machine Kills Secrets) tells the engrossing tale of the hunt for those responsible. Three years earlier, the small net security firm iSight Partners found the precursor to the NotPetya malware. They immediately began to look for similar global attacks and realized the hackers all referred to Frank Herbert's epic "Dune" series, hence the Sandworm. The purpose of the 2017 attack was to cripple Ukraine's infrastructure. When it later became known that the hackers were being helped by Russian intelligence, the stakes became even higher. Throughout, Greenberg covers major hacking events in recent history that led to this incident. VERDICT Told with the fast-paced style of a thriller, this book is highly recommended for all fans of international intrigue and cyberwarfare. An exceptional account that will inform and possibly frighten--and a necessary purchase for all libraries.--Jason L. Steagall, Arapahoe Libs., CO

(c) Copyright Library Journals LLC, a wholly owned subsidiary of Media Source, Inc. No redistribution permitted.
Review by Kirkus Book Review

Cyberwar Armageddon hasn't happened yet, but it's coming, according to this disturbing but convincing journalistic chronicle. Wired senior writer Greenberg (This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim To Free the World's Information, 2012) begins in 2014, when an analyst at a small, private intelligence firm learned of a security flaw in Microsoft Office, "one of the world's most ubiquitous pieces of software," and Russian malware designed to take advantage of it. Reverse engineering soon revealed that this malicious software, Sandworm, was not the usual effort to spread disinformation or steal data but was instead meant to cause physical damage. The analyst, Greenberg writes, considered this a whole new ball game: "Like many others in the cybersecurity industry, and particularly those with a military background, he'd been expecting cyberwar's arrival: a new era that would finally apply hackers' digital abilities to the older, more familiar worlds of war and terrorism." In 42 short chapters, the author chronicles his travels around the world, with an emphasis on Ukraine, to describe the consequences of Sandworm and the efforts of software experts to analyze, ward off, and (ultimately) repair the damage. Ukraine, a test bed for cyberwarfare, remains in the crosshairs of Russian leader Vladimir Putin, who ordered the invasion of Crimea in 2014, supports a nasty insurgency in border areas, and opposes closer Ukrainian ties with Western Europe and NATO. Since the invasion, Russian hackers have been honing their skills on Ukraine's infrastructure, shutting down electric grids, internet, railroads, hospitals, and even ATMs. Confident that America's systems are less vulnerable and hobbled by Donald Trump's clear admiration of Putin, U.S. leaders have downplayed the risk, although Russia and a host of other hackers are already flexing their muscles and wreaking havoc across the world.

Throughout, Greenberg writes in the fast-paced style that characterized his first book, and while the narrative is occasionally scattershot, he effectively captures the disturbing nature of this new global threat. A credible, breathless account of the discovery and defeat (perhaps) of major Russian computer cyberattacks.

Copyright Kirkus Reviews, used with permission.

1. The Zero Day

Beyond the Beltway, where the D.C. intelligence-industrial complex flattens out to an endless sea of parking lots and gray office buildings marked with logos and corporate names designed to be forgotten, there's a building in Chantilly, Virginia, whose fourth floor houses a windowless internal room. The room's walls are painted matte black, as if to carve out a negative space where no outside light penetrates.

In 2014, just over a year before the outbreak of Ukraine's cyberwar, this was what the small, private intelligence firm iSight Partners called the black room. Inside worked the company's two-man team tasked with software vulnerability research, a job that required focus intense enough that its practitioners had insisted on the closest possible office layout to a sensory-deprivation chamber.

It was this pair of highly skilled cave dwellers that John Hultquist first turned to one Wednesday morning that September with a rare request.

When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he'd opened an email from one of his iSight colleagues in the company's Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability.

A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software's code doesn't know about. The name comes from the fact that the company has had "zero days" to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key--a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

The file Hultquist had been passed from iSight's Ukraine office was a PowerPoint attachment. It seemed to silently pull off exactly that sort of code execution, and in Microsoft Office, one of the world's most ubiquitous pieces of software.

As he read the email, Klaxons sounded in Hultquist's mind. If the discovery was what the Ukrainians believed it might be, it meant some unknown hackers possessed--and had used--a dangerous capability that would allow them to hijack any of millions of computers. Microsoft needed to be warned of its flaw immediately. But in a more self-interested sense, discovering a zero day represented a milestone for a small firm like iSight hoping to win glory and woo customers in the budding security subindustry of "threat intelligence." The company turned up only two or three of those secret flaws a year. Each one was a kind of abstract, highly dangerous curiosity and a significant research coup. "For a small company, finding a nugget like this was very, very gratifying," Hultquist says. "It was a huge deal for us."

Hultquist, a loud and bearish army veteran from eastern Tennessee with a thick black beard and a perpetual smile, made a point of periodically shouting from his desk into a room next door known as the bull pen. One side of that space was lined with malware experts, and the other with threat analysts focused on understanding the geopolitical motives behind digital attacks. As soon as Hultquist read the email from iSight's Ukrainian staff, he burst out of his office and into the bull pen, briefing the room and assigning tasks to triage what would become, unbeknownst then to any of them, one of the biggest finds in the small company's history.

But it was down the hall, in the black room, that the hacker monks within would start to grapple with the significance of iSight's discovery: a small, hidden marvel of malicious engineering.

■

Working on computers whose glowing monitors were the room's only light source, the reverse engineers began by running the Ukrainians' malware-infected PowerPoint attachment again and again inside a series of virtual machines--ephemeral simulations of a computer housed within a real, physical one, each one of them as sealed off from the rest of the computer as the black room was from the rest of the iSight offices. In those sealed containers, the code could be studied like a scorpion under an aquarium's glass. They'd allow it to infect its virtual victims repeatedly, as the reverse engineers spun up simulations of different digital machines, running varied versions of Windows and Microsoft Office, to study the dimensions and flexibility of the attack.

When they'd determined that the code could extract itself from the PowerPoint file and gain full control of even the latest, fully patched versions of the software, they had their confirmation: It was indeed a zero day, as rare and powerful as the Ukrainians and Hultquist had suspected. By late in the evening--a passage of time that went almost entirely unmarked within their work space--they'd produced a detailed report to share with Microsoft and their customers and coded their own version of it, a proof-of-concept rewrite that demonstrated its attack, like a pathogen in a test tube.

PowerPoint possesses "amazing powers," as one of the black room's two reverse engineers, Jon Erickson, explained to me. Over years of evolution, it's become a Rube Goldberg machine packed with largely unnecessary features, so intricate that it practically serves as its own programming language. And whoever had exploited this zero day had deeply studied one feature that allowed anyone to place an information "object" inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file's own bundle of data, or even from a remote computer over the internet.

In this case, the hackers had used the feature to carefully plant two chunks of data within the presentation. The first it loaded into a temporary folder on the target computer. The second took advantage of PowerPoint's animation feature: PowerPoint's animations don't merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running. In this case, when the presentation loaded that animation file, it would run an automated script that right-clicked on the first file the presentation had planted on the machine and click "install" on the resulting drop-down menu, giving that code a foothold on the computer without tipping off its user. The result was something like a harmless-looking package left on your doorstep that, after you bring it inside, sprouts an arm, cuts itself open, and releases tiny robots into your foyer. All of this would happen immediately and invisibly, the instant the victim double-clicked the attachment to open it.

Erickson, the reverse engineer who first handled the zero day in iSight's black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he'd dealt with only a handful of real zero days found in the wild. But he'd analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them--the human who had rigged together their devious machinery. "It was just some unknown guy and some unknown thing I hadn't seen before," he said.

But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn't simply been studying some naturally occurring, inanimate puzzle. He was admiring the first hints of a remote, malevolent intelligence.

2. BlackEnergy

Once iSight's initial frenzy surrounding its zero-day discovery had subsided, the questions remained: Who had written the attack code? Whom were they targeting with it, and why?

Those questions fell to Drew Robinson, a malware analyst at iSight whom John Hultquist described as a "daywalker": Robinson possessed most of the same reverse-engineering skills as the black room's vampire crew but sat in the sunlit bull pen next to Hultquist's office, responsible for a far wider angle analysis of hacking campaigns, from the personnel who carried them out to their political motives. It would be Robinson's job to follow the technical clues within that PowerPoint to solve the larger mysteries of the hidden operation it represented.

Minutes after Hultquist had walked into the bull pen to announce the all-hands-on-deck discovery of the PowerPoint zero day that Wednesday morning, Robinson was poring over the contents of the booby-trapped attachment. The actual presentation itself seemed to be a list of names written in Cyrillic characters over a blue-and-yellow Ukrainian flag, with a watermark of the Ukrainian coat of arms, a pale blue trident over a yellow shield. Those names, Robinson found after using Google Translate, were a list of supposed "terrorists"--those who sided with Russia in the Ukrainian conflict that had begun earlier that year when Russian troops invaded the east of the country and its Crimean peninsula, igniting separatist movements there and sparking an ongoing war.

That the hackers had chosen an anti-Russian message to carry their zero-day infection was Robinson's first clue that the email was likely a Russian operation with Ukrainian targets, playing on the country's patriotism and fears of internal Kremlin sympathizers. But as he searched for clues about the hackers behind that ploy, he quickly found another loose thread to pull. When the PowerPoint zero day executed, the file it dropped on a victim's system turned out to be a variant of a piece of notorious malware, soon to become far more notorious still. It was called BlackEnergy.

BlackEnergy's short history up to that point already contained, in some sense, its own primer on the taxonomy of common hacking operations, from the lowliest "script kiddies"--hackers so unskilled that they could generally only use tools written by someone more knowledgeable--to professional cybercriminals. The tool had originally been created by a Russian hacker named Dmytro Oleksiuk, also known by his handle, Cr4sh. Around 2007, Oleksiuk had sold BlackEnergy on Russian-language hacker forums, priced at around $40, with his handle emblazoned like a graffiti tag in a corner of its control panel. The tool was designed for one express purpose: so-called distributed denial-of-service, or DDoS, attacks designed to flood websites with fraudulent requests for information from hundreds or thousands of computers simultaneously, knocking them off-line. Infect a victim machine with BlackEnergy, and it became a member of a so-called botnet, a collection of hijacked computers, or bots. A botnet operator could configure Oleksiuk's user-friendly software to control which web target its enslaved machines would pummel with spoofed requests as well as the type and rate of that digital bombardment. By late 2007, the security firm Arbor Networks counted more than thirty botnets built with BlackEnergy, mostly aiming their attacks at Russian websites.

But on the spectrum of cyberattack sophistication, distributed denial-of-service attacks were largely crude and blunt. After all, they could cause costly downtime but not the serious data breaches inflicted by more penetrating hacking techniques. In the years that followed, however, BlackEnergy had evolved. Security firms began to detect a new version of the software, now equipped with an arsenal of interchangeable features. This revamped version of the tool could still hit websites with junk traffic, but it could also be programmed to send spam email, destroy files on the computers it had infested, and steal banking usernames and passwords.

Now, before Robinson's eyes, BlackEnergy had resurfaced in yet another form. The version he was looking at from his seat in iSight's bull pen seemed different from any he'd read about before--certainly not a simple website attack tool, and likely not a tool of financial fraud, either. After all, why would a fraud-focused cybercrime scheme be using a list of pro-Russian terrorists as its bait? The ruse seemed politically targeted. From his first look at the Ukrainian BlackEnergy sample, he began to suspect he was looking at a variant of the code with a new goal: not mere crime, but espionage.

Excerpted from Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg. All rights reserved by the original copyright owners. Excerpts are provided for display purposes only and may not be reproduced, reprinted or distributed without the written permission of the publisher.