Sandworm | Andy Greenberg


Dune by Frank Herbert is a 1965 epic in which Earth has been ravaged by a nuclear war against artificially intelligent machines. The rulers of Arrakis, also known as Dune, are overthrown by the Harkonnens. The book’s hero, Paul Atreides, takes refuge in the planet’s vast desert, where thousand-foot-long sandworms roam underground, occasionally rising to the surface to consume everything in their path.

In the book, the story commences in 2014, when a malware analyst at iSIGHT Partners, a small, private cyber intelligence firm, while reverse engineering a piece of malware built on an MS Office vulnerability, discovers that the malware has been designed to cause damage to physical infrastructure. Hackers use ‘campaign codes’, tags associated with a specific version of the malware, to sort and track the victims the malware has infected. A series of such campaign codes was discovered during malware analysis by John Hultquist and his team at iSIGHT Partners. These campaign codes revealed the hackers’ love for Frank Herbert and his epic Dune: the codes arrakis02, houseatreides94, BasharoftheSardaukars, SalusaSecundus2 and epsiloneridani0 all refer directly to the epic. The malware was initially thought to be part of Russian espionage efforts. The hack team that created the malware had to be named. It would need a catchy, attention-grabbing name, and by custom choosing it was the prerogative of iSIGHT, the firm that had uncovered the group. John Hultquist, the boss of iSIGHT, who wanted to send the hackers a message that their campaign codes had been busted, named the hack team “Sandworm”. The hack team Sandworm later turned out to be the most dangerous hackers on the planet, operating from Russian soil under the tutelage of the Russian government.

Andy Greenberg is an award-winning technology journalist at Wired. The book Sandworm is a masterpiece and the product of extensive research on the cyberwar unleashed by Russia in Ukraine. In a post-Stuxnet world, he emphasises the role of state-sponsored hackers who will stop at nothing and cause real damage to the physical infrastructure of the world. In about 40 short and crisp chapters divided into four sections, Andy follows the rise of the Russian hack team “Sandworm” and its attacks, especially in Ukraine, which has, in more ways than one, become Russia’s cyberwar laboratory. He also discusses Stuxnet in detail, along with its impact on malware design and development the world over. The global cyberattack “NotPetya” and the role of the APT Fancy Bear in the US elections have been analysed threadbare. Andy travelled to Russia to investigate Unit 74455 and its linkage to the GRU and the Russian state.

The Ukraine Cyberattacks – The much talked about cyberwar, the future of warfare, had come alive in Ukraine, not once but twice. As a proof of concept, state-sponsored hackers on two separate occasions (2015 and 2016) turned off the power grid long enough to force engineers to bring the grid back online manually. Backed by Russia, the hackers proved that the gears of modern existence can be brought to a grinding halt. The sustained cyber assaults on Ukraine’s infrastructure were not isolated attacks but part of a “digital blitzkrieg” launched by Russia, undermining practically every sector, including media, finance, transportation, military, politics and energy. Repeated intrusions have wiped out data, rendered computers dysfunctional and crippled the basic functions of various organizations. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador. Greenberg lays out a very detailed historical backgrounder on Ukraine to show how the country has been caught between east and west and has been invaded so many times, by everybody from the Mongols to the Nazis to Putin, thanks to its peculiar geography. Ukraine means ‘borderland’. The book looks at the Ukrainian cyberwar and the ways that war spilled out into the rest of the world, leading us to think that “on the Internet we are all Ukraine”: we all live on this borderland, we are all at the doorstep of our adversary, and we are all vulnerable to this kind of cyberwar. That is the big idea to come out of the Ukraine cyberattacks in this book. Distance is no longer a defence, and we can no longer ignore conflicts taking place in other parts of the world. The author clearly brings out that the Ukraine cyberwar should be of great concern to all of us.

Global NotPetya Attack – The worm NotPetya was a game changer. Looking like typical ransomware, it used a ‘back door’ in the Ukrainian accounting software ME Doc, Ukraine’s equivalent of Tally in India; nearly anyone who files taxes or does business in the country uses the software. NotPetya was intended to target Ukraine only, but its poor design and our connected world enabled the worm to spread across borders. Though the worm masqueraded as ransomware, it offered no means to decrypt files after infection. The author explains how NotPetya led to colossal losses in major corporations across the world, including pharmaceuticals giant Merck, shipping conglomerate Maersk, FedEx subsidiary TNT Express, French construction company Saint-Gobain and US food producer Mondelēz, amongst others. Total global losses were estimated at US$10 billion. Andy describes the NotPetya attack in great detail, and the interplay of Mimikatz and EternalBlue leading to the NotPetya global crisis reads like a fast-paced action thriller. Linkos Group, the small family-run Ukrainian software business that created the ME Doc accounting software, had never imagined or factored in the possibility that it could be the carrier of a worldwide digital contagion. Olesya Linnyk, the company’s founder, said: “They had simply never imagined that they might be a target. We do quite basic and simple things. We help out accountants. We saw ourselves as quite distant from cybersecurity issues.” NotPetya reminds us, as Andy says, “that distance is no defence. Every barbarian is already at every gate. And the network of entanglements in that ether, which have unified and elevated the world for the past twenty-five years, can, over a few hours on a summer day, bring it to a crashing halt.”

Fancy Bear (APT28, Sofacy, etc.) – This Russia-based threat actor has been operating since 2008 and, according to some experts, is a significant threat to many organizations worldwide in sectors such as aerospace, defence, energy, government and media. As Andy writes: “On June 14, The Washington Post revealed that the Democratic National Committee had been penetrated for months by not one but two teams of state-sponsored Russian hackers. The security firm CrowdStrike, which the DNC had brought in to analyse its breach two months earlier, published a blog post identifying the pair of intrusion crews inside the Democrats’ network as Cozy Bear and Fancy Bear, teams it had watched carry out spying campaigns for years, hitting everyone from the U.S. State Department and the White House to aerospace and defence contractors.” The operations of Fancy Bear and Cozy Bear could hardly conceal Putin’s hatred of Hillary Clinton, dating from her days as Secretary of State under Obama. A troll farm called the Internet Research Agency in Saint Petersburg, as part of its influence-operation strategy, created numerous social media handles giving the impression of Americans supporting radical political groups, and promoted Trump-related events. These social media impressions, comprising fake news, fabricated articles and other disinformation campaigns, reached millions between 2013 and 2017. Fancy Bear’s real moment of glory came when Donald Trump won the U.S. presidential election.

Olympic Destroyer – During the opening ceremony of the 2018 Winter Olympics, Russia-based hackers attacked the Olympics’ IT infrastructure in retaliation against the International Olympic Committee for banning the Russian team from the Winter Games over doping violations. It was a “false-flag operation” in which the attack was made to appear to be the work of North Korea.

These are some of the major cyberwar operations and cyberattacks carried out by Sandworm and its sub-teams. The book goes into many more details, which makes it a thrilling read and offers a front-seat view of the changing cyberthreats that are shaping our world. It is highly readable even by laypersons with no technical cybersecurity background. It is also a must-read for anyone interested in cyberespionage, cyberterrorism, cyberwar and advanced persistent threats.
