📗 Sandworm: A New Era of Cyberwar, by Andy Greenberg

This book is the thrilling account of the Ukranian power grid cyber attacks of 2015, and the search for who was behind them. This search takes us through many other attacks also attributed to the same source (Russian intelligence services) and Andy Greenberg skillfully weaves in key context: how the hacks worked, key players involved in the attribution effort, a history of state-sponsored cyber attacks, why Russia focused on Ukraine, ideas for further resilience, etc.

It was a gripping read on a really fascinating and under-discussed subject, which is only going to get more and more important…

Enjoy the notes!

PS: I enlisted our new friend ChatGPT to write a few sections, these are noted with (🤖)

“On the Internet, we are all Poland. We all get invaded on the Web. The inherent geography of this domain is that everything plays to the offense.”

General Michael Hayden, former CIA Director, 2010

Attacks on the Ukranian power grid

  • “Took down 3 power distribution centers, or oblenegros, in Ukraine in 2015.”
  • “Left 225,000 people without light or heat, in the dead of winter, for 1 to 6 hours.”
  • Very sophisticated attack, initial entry with the BlackEnergy trojan via PowerPoint
The different stages and attacks in the attacks on the Ukranian power grid

Sandworm naming

  • A security company called iSight coined the name after noticing common links between a bunch of attacks with that had Dune references (starting in 2009). The name was used to refer to those who were behind the Ukranian power attacks (but then it was discovered they were behind other attacks)

Soon he had a hit. Another BlackEnergy sample from four months earlier, in May 2014, was a rough duplicate of the one dropped by the Ukrainian PowerPoint. When Robinson dug up its campaign code, he found what he was looking for: houseatreides94, another unmistakable Dune reference. This time the BlackEnergy sample had been hidden in a Word document, a discussion of oil and gas prices apparently designed as a lure for a Polish energy company.

The Ukrainian Holomodor

As dark as Ukraine’s history has been, its greatest litany of horrors arguably came in just the last century or so of Russian hegemony. In World War I, 3.5 million Ukrainians were conscripted to fight for their Russian rulers. Even after Bolshevism swept Russia and pulled the country out of the war, a three-way conflict raged for years in Ukraine among the country’s own independence fighters, the “Whites,” who remained loyal to Russia’s czarist regime, and the socialist army of Vladimir Lenin.

It was the next decade between the wars, however, that for many Ukrainians still resonates as a memory of deep, even unforgivable oppression. The Soviet regime manufactured a famine in Ukraine that would kill 3.9 million people, a tragedy of unimaginable scope that’s known today as the Holodomor, a combination of the Ukrainian words for “hunger” and “extermination.

Further reading.

Ukraine’s Orange revolution

For a population inured to corruption and fed lies by state-run news for as long as they could remember, even so-called Kuchmagate failed to oust the president. Instead, he lasted until his chosen successor, Viktor Yanukovich, an oligarch with close ties to the Russian president, Vladimir Putin, ran for president in 2004. His opponent was Viktor Yushchenko, a Ukrainian nationalist, financier, and reformer who promised to finally bring the country out from under Russia’s thumb.

Sensing a shift, the Kremlin determined to tighten Ukraine’s leash. Russian political operatives began working secretly for Yanukovich, and soon Yushchenko was finding his speaking venues closed and his plane diverted from campaign stops. Then, a month before elections, Yushchenko was mysteriously poisoned with dioxin, falling deathly ill. He barely survived, his skin left scarred and disfigured by the attack. Later, two Russians were arrested in a failed attempt to blow up Yushchenko’s campaign headquarters in Kyiv.

When Yanukovich was declared the winner of the elections that November, the vote rigging was barely hidden. Yushchenko had, by this time, recovered enough from his poisoning to return to campaigning and was winning by double digits in polls. But the cheating was evident: Putin had gone so far as to send Yanukovich his congratulations before the results were even tallied.

This time, Ukrainians had had enough. Hundreds of thousands of people flooded the streets of Kyiv, filling the Maidan and waving orange scarves, the chosen color of Yushchenko’s campaign. Facing a mass uprising, Yanukovich stepped down a month later. The Orange Revolution, finally, was Ukraine’s first step toward real independence. Yushchenko won a legitimate election the next month and declared a new era of the country’s history.

  • Putin invaded shortly afterwards

Rob Lee

  • NSA staffer

Naturally, Lee began asking around about who in the NSA was responsible for tracking hackers that threatened the security of industrial control systems. He was shocked to discover there was no devoted group with that mission.

So Lee offered to build one. He was amazed at how little bureaucracy he confronted; creating the agency’s first industrial control system threat intelligence team required filling out one form, he remembers. “So I became the lead of all of industrial control system threat discovery for NSA overnight,” Lee says.

He was twenty-two years old. “Pretty fucked-up, isn’t it?”


As early as 2007 the US has been setting up simulations of such ICS attacks:

  • Location: Aurora experiment took place at Idaho National Laboratory (INL) in Idaho Falls, Idaho.
  • Date: Conducted in 2007 by the US Department of Homeland Security.
  • Purpose: Demonstrate industrial control systems (ICS) vulnerability to cyberattacks targeting critical infrastructure.
  • Method: Researchers remotely accessed a power generator’s control systems, manipulating operations to create an “out-of-phase” condition, causing physical destruction.
  • Out-of-phase condition: Exploited electrical mismatch between power grid and generator, leading to mechanical stress and generator’s destruction.
  • (🤖)


  • WannaCry was a widespread ransomware attack that occurred in May 2017.
  • It exploited a vulnerability in Microsoft Windows called EternalBlue, which was stolen by a group called Shadow Brokers from the NSA. The attack encrypted files on infected systems, demanding a ransom payment in Bitcoin for decryption.
  • WannaCry affected more than 200,000 computers in over 150 countries, impacting various industries, including healthcare, transportation, and telecommunications. Notably, the UK’s National Health Service (NHS) was severely affected, causing disruptions to patient care.
  • The attack was halted by the discovery of a “kill switch” by Marcus Hutchins, which limited its spread. He discovered that WannaCry pinged this domain expecting nothing there, so he set up a server there: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
  • Attributed to the Lazarus Group, a cybercrime organization believed to have ties to North Korea.
  • (🤖)

NotPetya impact

Considered the most destructive attack in history.

Impact on Ukraine:

  • Government agencies: Ukraine’s central government experienced disruptions to its operations, affecting various ministries.
  • Banks: Major Ukrainian banks, such as PrivatBank and Oschadbank, reported disruptions to their services, hindering customer transactions.
  • Transportation systems: Kyiv’s Boryspil International Airport and the metro system faced operational difficulties due to the attack.
  • Energy companies: The Chernobyl nuclear power plant switched to manual radiation monitoring as a result of the cyberattack.
    • “A man’s voice read a message over the emergency loudspeaker system that reached every building in the complex. Thirty-one years after Chernobyl’s world-shaking nuclear disaster, the site reverberated with a warning for a very different sort of meltdown. “To all staff members, immediately turn off computers and unplug network cables. Await further instructions.””

Global Impact:

  • Maersk: The world’s largest shipping company experienced significant disruptions, stating that the attack cost them around $300 million. Quote from CEO Søren Skou: “We were basically collateral damage of a probably state-ordered cybercrime.”
    • They hired Deloitte to help them spin up all their infra again. They did it all from a war-room in a Maidenhead office
    • The only remaining backup of their domain controllers was in Ghana (there had been a power outage preventing the hack to spread there), they had someone fly to Nigeria and then the UK with the data (faster than uploading)!
  • Merck: The pharmaceutical giant’s manufacturing, research, and sales operations were disrupted. The company reported a financial impact of approximately $870 million due to the attack.
  • FedEx: The company’s subsidiary, TNT Express, suffered severe operational disruptions. FedEx reported a $300 million loss as a direct result of NotPetya.
  • Saint-Gobain: The French construction materials company reported damages of around €220 million during the first half of 2017, and an additional €65 million in the second half, due to the cyberattack.


Just last week Merck won against insurers who were claiming NotPetya was an “act of war” so should not be covered. Court said act of war had to involve military action.

“Web War I” (Estonia)

The Estonian cyberattacks of 2007 were a series of large-scale, coordinated cyberattacks that targeted various Estonian institutions, including government agencies, banks, media outlets, and internet service providers. The attacks began in late April and continued throughout May 2007, causing significant disruptions to the country’s digital infrastructure and online services.

The attacks were triggered by a controversial decision by the Estonian government to relocate the Bronze Soldier, a Soviet World War II memorial in Tallinn, Estonia. The move sparked protests and unrest among Estonia’s ethnic Russian population and was met with strong disapproval from the Russian government.

The cyberattacks took the form of distributed denial-of-service (DDoS) attacks, which overwhelmed targeted websites and servers with an excessive amount of traffic, rendering them inaccessible to legitimate users. Additionally, the attackers employed various tactics such as spamming, defacing websites, and using botnets to amplify the scale and impact of the attacks.

Although no definitive attribution has been made, many experts believe that the attacks were either directly carried out or supported by Russian state-sponsored hackers, as the timing and targets of the attacks seemed to align with Russia’s political interests. However, other theories suggest that the attacks might have been initiated by independent, patriotic hackers or cybercriminals.

The 2007 Estonian cyberattacks were a watershed moment in the history of cybersecurity, as they demonstrated the potential of cyber warfare to disrupt critical services and infrastructure of a nation. In response, Estonia bolstered its cybersecurity defenses and became a global leader in cyber defense. The attacks also led to increased international cooperation and awareness of the need for robust cybersecurity measures to protect against similar incidents in the future. (🤖)


As that deadline grew ever closer, Bush’s national security team had laid out two options, neither remotely appealing. Either the United States could allow Iran’s unpredictable and highly aggressive government to obtain a devastating weapon, or it could launch a missile strike on Natanz—an act of war. In fact, war seemed inevitable on either horn of the dilemma. If Iran ventured too close to the cusp of fulfilling its nuclear ambitions, Israel’s hard-line government was poised to launch its own strike against the country. “I need a third option,” Bush had repeatedly told his advisers.

That option would be Stuxnet. It was a tantalizing notion: a piece of code designed to kneecap Iran’s nuclear program as effectively as an act of physical sabotage, carried out deep in the heart of Natanz, and without the risks or collateral damage of a full-blown military attack. Together with the NSA’s elite offensive hacking team, then known as Tailored Access Operations, or TAO, and the Israeli cybersecurity team known as Unit 8200, the Pentagon’s Strategic Command began developing a piece of malware unlike any before. It would be capable of not simply disrupting critical equipment in Natanz but destroying it.

  • Stuxnet: A highly sophisticated computer worm, first discovered in 2010, specifically designed to target industrial control systems (ICS).
  • Primary Target: Iran’s nuclear facilities, particularly the Natanz uranium enrichment plant, with the aim of sabotaging the country’s nuclear program.
  • Mode of Operation: Exploited multiple zero-day vulnerabilities in Microsoft Windows and Siemens Step7 software, infiltrating and taking control of programmable logic controllers (PLCs) to manipulate centrifuges.
  • Result: Caused significant damage to Iran’s nuclear centrifuges, setting back the country’s nuclear program by several months to years.
  • Attribution: Widely believed to be a joint effort between the United States and Israel, although no official confirmation has been provided by either government.
  • Impact: Stuxnet marked a turning point in cyber warfare, showcasing the potential for targeted, state-sponsored cyberattacks to cause physical damage to critical infrastructure.
  • (🤖)

Further reading: Countdown to Zero Day by Kim Zetter (I’m halfway 😉)


  • At the time of this first Sandworm disclosure China was seen as public enemy #1 in cyberspace due to IP theft: “the greatest wealth transfer in history” – NSA Director Keith Alexander

In 2014, for instance, after Chinese cyberspies had for years pillaged American intellectual property, the Obama Justice Department had identified and levied criminal charges against five members of a Chinese People’s Liberation Army hacking unit by name. The next year, the State Department threatened China with sanctions if the economic espionage continued. China’s president, Xi Jinping, more or less capitulated, signing an agreement that neither country would hack the other’s private sector targets. Security companies such as CrowdStrike and FireEye reported an almost immediate drop-off in Chinese intrusions—90 percent according to CrowdStrike—an unprecedented victory for cybersecurity diplomacy.

Tools used/built by Sandworm

#ToolDescriptionAttack vectorSourceCreation
1BlackEnergyDelivers a payload for data theft and wiping data; has evolved to include modules for ICS attacksUsers may encounter it through spear-phishing emails with malicious attachments or compromised websites. Once executed, the malware infects the system and downloads additional modules.Sandworm (Russian GRU)2007 (First version), 2014 (Adoption by Sandworm)
2EternalBlueExploits a vulnerability in Windows’ SMBv1 protocol, allowing remote code executionUsers may be infected by a worm or malware that leverages the EternalBlue exploit. It can spread through local networks without any user interaction or from an infected device connected to the network.NSA (Leaked by Shadow Brokers)2017 (Leak)
3MimikatzExtracts Windows plaintext passwords, hashes, PINs, and Kerberos tickets from memoryUsers might encounter it if their system is compromised by an attacker who uses Mimikatz to extract credentials. This could happen through phishing, malware infection, or exploiting other vulnerabilities.Benjamin Delpy2014
4Petya RansomwareEncrypts the Master File Table on Windows computers, demanding a ransom to restore accessUsers might encounter Petya through malicious email attachments, infected software installers, or compromised websites. Once executed, the ransomware encrypts the Master File Table and displays a ransom message.Unknown2016
5Olympic DestroyerDisrupts systems, wipes data, spreads through Windows SMB protocol, disguises its originUsers might encounter it through targeted spear-phishing campaigns or by connecting to a compromised network. Once executed, the malware spreads through the network and begins wiping data and disrupting systems.Sandworm (Russian GRU)2018
6Industroyer/CrashOverrideDesigned to target ICS, disrupts and manipulates control systems, can cause blackoutsUsers in industrial facilities might encounter it through spear-phishing emails or compromised devices connected to the control system network. Once executed, the malware disrupts and manipulates ICS operations, potentially causing blackouts.Sandworm (Russian GRU)2016
Table: Key Tools and Exploits Used by Sandworm (🤖)

History of attacks believed to have been from Russia

#Operation NameDateDescription
1Moonlight Maze1996-1999A series of cyber espionage attacks targeting US military and government networks, as well as universities.
2Titan Rain2003-2005Cyber espionage campaign targeting sensitive information from US defense contractors and government agencies.
3Agent.BTZ2008Malware that infected US military networks, leading to the creation of US Cyber Command.
4SandWorm2015-2016Targeted Ukrainian power grid, causing widespread blackouts.
5DNC Hack2016Cyberattack on the Democratic National Committee (DNC) during the US presidential election campaign.
6Dragonfly/Energetic Bear2011-2018A series of attacks targeting energy infrastructure and ICS in Europe, the US, and other regions.
7NotPetyaJune 2017Global ransomware attack causing significant damage to multiple industries and companies worldwide.
8Bad RabbitOctober 2017Ransomware attack targeting organizations mainly in Russia, Ukraine, Germany, and Turkey.
9Olympic DestroyerFebruary 2018Cyberattack on the 2018 Winter Olympics in Pyeongchang, South Korea, disrupting the opening ceremony.
Table: Major International Cybersecurity Hacks Believed to Be Linked to Russia (🤖)

Key people in the book

#NameShort BioInvolvement in Sandworm Investigations
1John HultquistSenior director of intelligence analysis at FireEye, an expert in tracking cyber-espionage campaignsAnalyzed and identified Sandworm’s cyber activities
2Oleksii YasinskyCybersecurity researcher at ISSP, a Kyiv-based cybersecurity firmInvestigated Sandworm’s attacks on Ukrainian infrastructure
3Rob LeeFounder and CEO of Dragos, a leading industrial control system (ICS) security companyStudied Sandworm’s ICS-targeted attacks and methods
4Mike AssanteLate cybersecurity expert, known for his work on ICS and critical infrastructure securityAnalyzed Sandworm’s ICS-targeted attacks and methods
5Michael MatonisCybersecurity researcher and former FBI special agentInvestigated Sandworm’s cyber activities and targets
6Benjamin DelpyFrench cybersecurity researcher, developer of the Mimikatz hacking toolCreator of Mimikatz, a tool used by Sandworm in some attacks
Summary of some of the key actors in the book (🤖)

2018 South Korea Winter Olympic Games

Sang-jin Oh was technology director:

As the opening ceremony got underway, thousands of fireworks exploded around the stadium on cue, and dozens of massive puppets and Korean dancers entered the stage. Oh saw none of it. He was texting furiously with his staff as they watched their entire IT setup go dark. He quickly realized that what the partner company reported wasn’t a mere glitch. It was the first sign of an unfolding attack. He needed to get to his technology operations center.


All nine of the Olympic staff’s domain controllers, the same backbone servers whose erasure had nearly crippled Maersk, had somehow been paralyzed. The staff decided to respond with a temporary workaround, setting all surviving servers that powered critical services, such as Wi-Fi and the Olympic app, to simply bypass those dead domain controllers. They managed to bring those systems back online just minutes before the end of the ceremony. Over the next two hours, as they attempted to rebuild the domain controllers to re-create a more long-term, secure network, the staffers would find that the servers were mysteriously crippled again and again. Some malicious presence in their network remained, disrupting the servers faster than they could be rebuilt.


Thousands of athletes and millions of spectators remained blissfully unaware that the Olympics’ IT staff had spent the prior night fighting off an invisible enemy that threatened to throw the entire event into chaos.

Even so, Oh still smoldered when he thought back to the night of the opening ceremony. “For me, the Olympics are about peace. It still makes me furious that without any clear purpose, someone hacked this event,” he told me months later. “If we hadn’t solved it, it would have been a huge black mark on these games of peace. I can only hope that the international community can figure out a way that this will never happen again.”


  • GRU: Russia’s military intelligence agency, responsible for intelligence, counterintelligence, and special operations.
  • Full Name: Main Directorate of the General Staff of the Armed Forces of the Russian Federation.
  • Sandworm: Believed to be part of GRU’s Unit 74455, also known as the Main Center for Special Technologies.
  • Unit 74455: Known for cyber warfare capabilities and executing sophisticated cyber operations.
The three highlighted men are believed to be from Unit 74455

Difference between the FSB and GRU

  • FSB: The Federal Security Service of the Russian Federation, responsible for domestic security, counterintelligence, and counterterrorism.
  • Scope: While the GRU focuses on military intelligence and foreign operations, the FSB primarily deals with internal security matters.
  • Origins: The FSB is the successor to the Soviet-era KGB, whereas the GRU has its roots in the Soviet military intelligence service.
  • Cyber Operations: Both GRU and FSB have their own cyber units, but they focus on different aspects of cyber warfare. The GRU’s cyber units, like Sandworm, tend to focus on offensive operations and strategic targets, while the FSB’s cyber units often target dissidents, activists, and foreign intelligence services.
  • Coordination: Although both agencies operate under the Russian government, they may have different objectives and often act independently of each other, sometimes even competing for influence and resources.


Dan Geer

  • Dan Geer is CISO of In-Q-Tel the venture arm of the CIA, and a legend in the security world
  • He stresses the importance of having reliability in the system- maintaining analog versions of everything critical and several layers of redundency

Also see

A one-hour recap talk of Andy Greenberg’s quest to uncover Sandworm:

Andy Greenberg – Sandworm: Lessons From the Cyberwar video

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s