Cybersecurity Canon Book Review: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Posted: November 3, 2020

Cybersecurity Canon Book Review: "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers," Written by Andy Greenberg

Book review by: Canon Committee Member, Rick Howard

I recommend “Sandworm” to the Cybersecurity Canon Hall of Fame. It completes a triad of recent must-read Cybersecurity Canon Hall of Fame books that not only tell the history of the relatively new development of continuous low-level cyber conflict between nation states from about 2010 until the present but also attempt to explain the current thinking of some of the key cyber power players like Russia, China, the United States, Iran, and North Korea. David Sanger’s “The Perfect Weapon” covers the history and key thinking of all the power players. Richard Clarke and Robert Knake’s “The Fifth Domain” does too but leans toward the policy side of the discussion. Andy Greenberg’s “Sandworm” focuses on Russia.

The key takeaway from “Sandworm” is that, despite all the colorful adversary names that the commercial cybersecurity industry has used to describe Russian cyber adversaries for over a decade (Sandworm, Cozy Bear, Fancy Bear, the Shadow Brokers, CyberBerkut, Unit 26165, Unit 74455, and Guccifer 2.0), Greenberg has followed the trails from all that collective activity back to one singular organization: the Russian GRU, or Main Intelligence Directorate. The GRU is not to be confused with the KGB, which orchestrated the attack campaign made famous by another Cybersecurity Canon Hall of Fame author, Clifford Stoll, PhD, in his book “The Cuckoo’s Egg,” back in 1986. And we are still not sure which Russian intelligence organization to attribute the Moonlight Maze attacks of 1996 to. In fact, the Russians, just like the United States, have been in a bit of an internal political fight about which intel group is going to leverage cyber the most and to the best extent. After the Russian FSB (the Russian Federal Security Service) demonstrated initial DDoS (Distributed Denial of Service) successes in Estonia (2007) and Georgia (2008), the GRU had a come-to-Jesus moment about cyber operations. But where the FSB used a kind of cyber militia in Estonia and Georgia, the GRU began building its own internal hacking team. And commercial security researchers started seeing its fingerprints all over the place.

The book’s title, “Sandworm,” is a reference to a famous and beloved science fiction book entitled “Dune,” written by Frank Herbert back in 1965. From 2009 to 2015, the early hacker tools built by the GRU, like BlackEnergy, came complete with Dune references (words buried deep in the malicious code):

• BasharoftheSardaukars: The Sardaukar were an elite military force and Bashar was the rank of colonel.
• SalusaSecundus2: A prison planet.
• epsiloneridani0: A trinary star system.
• houseatreides94: A major family house in the galactic empire where the main hero, Paul, was from.
• arrakis02: The name of the planet on which the main “Dune” story takes place.

Clearly the GRU coding team were fans. iSight Partners, a commercial cyber intelligence company now owned by FireEye, gave the GRU hacking team the name Sandworm. A sandworm in the “Dune” universe is a giant worm-like monster that can consume large volumes of critical infrastructure (mining equipment) and people (miners), very similar to the modern attack campaigns run by the GRU.

And the GRU had the perfect training lab to try out this new level of political power: Ukraine. Russia began offensive operations against Ukraine in February 2014. Shortly after, the GRU, calling itself CyberBerkut, targeted Ukraine’s Central Election Commission to discredit the voting system and then launched a DDoS campaign designed to keep the election servers offline and prevent them from confirming the legitimate results. In 2015, the GRU launched waves of vicious cyberattacks designed to “strike Ukraine’s government, media, and transportation. They culminated in the first known blackouts ever caused by hackers, attacks that turned off power for hundreds of thousands of civilians.” Until this time, attacks on the electrical grid had been only hypothetical scenarios that the ICS (Industrial Control System) Cassandras of the world had been warning the network defender community about for years. Suddenly, this hypothetical became very real.

The GRU’s attacks on Ukraine continued through 2017, and their attack sequence, their negotiation of the intrusion kill chain, did not change much in the general sense:

• Phishing email sent to target victims with attached hand-crafted, malicious Microsoft documents designed to entice.
• Delivery of the BlackEnergy tool kit to the victim’s machine. Sometimes they obfuscated their malicious code with a tool called Malicious Macro Generator.
• A standardized command-and-control server network distributed in Europe and elsewhere.
• Lateral reconnaissance looking for key ICS systems from General Electric, Siemens, and Advantech/Broadwin.
• Lateral movement using Mimikatz as the primary tool of expansion. Later, the GRU would leverage Mimikatz in conjunction with the NSA’s EternalBlue and EternalRomance exploit kit.
• The use of the KillDisk tool to destroy the boot sector of victims’ machines.

Between August 2016 and April 2017, the GRU’s Shadow Brokers began dumping large tranches, four in total, of classified NSA documents and hacker tool kits into the public sphere. They got the classified information by compromising the home computers of NSA workers who broke NSA rules and brought classified work home with them. In the last dump, in April 2017, the GRU released the NSA exploit toolkit codenamed EternalBlue. Around the same time, they launched major attack campaigns against U.S. election infrastructure, including the Democratic National Committee (DNC), and the World Anti-Doping Agency, and they doubled down on Ukraine. But in May 2017, they took a programming note from their brethren in North Korea as the Lazarus Group launched WannaCry into the wild, using EternalBlue to destroy critical infrastructure in the British National Health Service and other hospitals, police departments, Telefónica, Sberbank, Deutsche Bahn, and Renault. Just over a month later, in June 2017, the GRU launched NotPetya into the wild with the one-two punch of Mimikatz and EternalBlue. It was devastating.

The GRU’s campaign innovation for NotPetya centered on how they delivered their malicious code. Instead of the traditional phishing lures, they infiltrated a common European supply chain mechanism called M.E.Doc, made by Linkos. M.E.Doc is the European equivalent of TurboTax or Quicken in the States. If you own a European business, there is a good chance that you use M.E.Doc. The GRU NotPetya hackers penetrated the Linkos software update system and used it to deliver the malicious package to its victims. The impact was that they compromised some 300 companies within seconds of delivery, and a Ukrainian ISP estimated that at least 30 of those companies were totally burned to the ground. Big companies were brought to their knees too, like Merck ($870 million in recovery costs), FedEx TNT ($400 million), Saint-Gobain ($384 million), and Maersk ($300 million). The White House lowball estimate of the total damage was just over $10 billion, that’s billion with a “B.” For comparison, the estimate on WannaCry was only $4 billion.

As far back as 1997, U.S. Deputy Secretary of Defense John Hamre warned Congress to get ready for a potential “electronic Pearl Harbor.” Network defenders of all sorts used that scare tactic for over a decade to get a bigger cybersecurity budget in the commercial sector and to focus government leaders on the importance of the issue in the policy sector. But as this new continuous low-level cyber conflict between nation states became the norm in the last decade, the network defender community started to think that there would not be one large Pearl-Harbor-like cyberattack. Instead, the direction was pointing to a death by a thousand cuts. From Greenberg’s point of view, though, if anything could come close to a cyber Pearl Harbor or a cyber 9/11, NotPetya is a candidate in terms of scope.

The last big takeaway from the book is the description of the Russians’ philosophy regarding nation states they consider their enemies. From a speech given by General Valery Gerasimov, Chief of the General Staff of the Russian Federation, back in 2013:

• Reduction of the military-economic potential of the state by the destruction of critically important facilities of its military and civilian infrastructure in a short time. [Like in Ukraine]
• Warfare simultaneously in all physical environments and the information space. [Like in Ukraine]
• The use of asymmetric and indirect operations. [Like in Ukraine, but also in America with influence operations on the culture and the hacking campaign against the Democratic National Committee (DNC).]

With all of that said, Greenberg’s “Sandworm” is the perfect book to induct into the Cybersecurity Canon Hall of Fame. It is a comprehensive history and explanation of Russian cyber operations run by the GRU for the past decade and demonstrates an ever-escalating cyber operational impact, from turning out the lights in Ukraine for a couple of hours, to causing $10 billion of damage with NotPetya, to weakening the cultural and belief system of the United States. You should have read this by now.