Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
- By Andy Greenberg
- 368 pp.
- Reviewed by Tom Glenn
- December 25, 2019
The threat of Russian malware is severe and ever present.
Andy Greenberg’s Sandworm is a shocking book. It describes and warns us about a thing called “cyberwar,” a concept I had barely heard of before. To the degree that we depend on computers and are connected to the internet, cyberwar could cripple us and bring destruction and death.
The author summarizes the dilemma in the introduction: “This is what cyberwar looks like: an invisible force capable of striking out from an unknown origin to sabotage, on a massive scale, the technologies that underpin civilization.”
The cyberattack can disable the internet, electric grid, and telephones. It can close down hospitals and factories, airports and train travel, commercial enterprises and government. It can even destroy machinery.
Greenberg narrates the growth of cyberwar and the threat it poses to the U.S. and other advanced nations by illuminating the struggle against malware that researchers and scientists have been tirelessly conducting. At times, the book reads like a novel.
Along the way, the reader learns of the many names given to various bugs and worms — NotPetya, Mimikatz, Industroyer, Bad Rabbit, and others. Greenberg delves into the technical details of how malware works, often leaving me, a man with no background in software, befuddled.
The first state-sponsored espionage hack described in the book occurred in 1986. It was the work of West German miscreants who proposed to sell their illicitly gained information to the KGB — that is, the Committee for State Security, the principal security agency for the Soviet Union from 1954 until the USSR’s breakup in 1991.
In March 2007, an engineer at an Idaho National Laboratory facility demonstrated to U.S. government officials that cyberwar techniques could be exploited not just for spying but for actual destruction, known as cybersabotage. Hacking into computer networks, he altered the software controlling a 27-ton diesel generator so that it commanded the generator to destroy itself.
The next month, Russian hackers brought down the internet (and all machinery controlled by it) in Estonia. In 2008, coincident with Russian military attacks in the Republic of Georgia, that country’s computer networks were corrupted and disabled.
In 2010 came Stuxnet. It attacked Iranian computers controlling uranium enrichment at Natanz and destroyed 984 centrifuges, effectively bringing Iran’s uranium-enrichment efforts to a halt. Stuxnet represented a major advance in malware sophistication. There can be little doubt that the perpetrators of the attack were the U.S. and Israel. Stuxnet’s creation and use initiated a new era in cyberwar.
In the years that followed, the Democratic National Committee (DNC) was hacked, and damning information was leaked to WikiLeaks. Whether the leaked emails affected the outcome of the 2016 U.S. presidential election is still open to debate.
Ukraine was hit twice by cybersabotage attacks. In June 2017, A.P. Moller-Maersk, a Danish business conglomerate active in transport, logistics, and energy, with 574 offices in 130 countries, was crippled by a cyberattack. The list goes on and on.
Through it all, governments, including that of the U.S., failed to understand the enormity of the threat and largely ignored it. The attacks did not trigger Article 5, NATO’s collective-defense provision, which requires member states to treat an attack against one as an act of war against all.
Politicians expressed indifference or worse. Then-candidate Donald Trump celebrated the hacks of the DNC and even expressed hope that the hackers had breached Hillary Clinton’s private server. The U.S. intelligence community was unified in its conclusion that Russia was behind the DNC hack, a finding that Trump continues to deny.
Behind many of Russia’s cyberwar efforts was a unit given the name “Sandworm.” Repeated hints in the makeup of the malware pointed to the identity of Sandworm as a Russian government entity. Sandworm was finally identified in late 2018 as an element called 74455, a subordinate unit of the Russian government’s GRU. (“GRU” is the English version of the Russian acronym ГРУ, which means Main Intelligence Directorate. The GRU is Russia’s largest foreign intelligence agency.)
In short, we now know that Russia was behind the attacks in Estonia, Georgia, Ukraine, and many other locations. It possesses the means, in author Greenberg’s words, to “sabotage, on a massive scale, the technologies that underpin civilization.” The U.S. would be an obvious target for such a strike.
But the story may not be as grim as Greenberg suggests. I know from my years of working in the signals-intelligence business as an employee of the National Security Agency (NSA) that the U.S. government always knows more about foreign threats than is made public.
Classification of data is necessary because allowing the intelligence target knowledge of our methods and successes would mean losing the ability to gain that information and defend against an attack. I suspect that the NSA Cyber Security Directorate and other government agencies have a body of data about other nations’ efforts at cyberwar that far exceeds anything included in this book.
On the other hand, having knowledge and using it are not the same thing. I learned the hard way during my career that when intelligence is ignored, people die. We know that President Trump dislikes any suggestion of malfeasance on the part of Russia, particularly anything that might indicate it had a hand in getting him elected. We know that the president considers Vladimir Putin a fine man and a friend.
So we have a basis for serious concerns. A foreign-launched cyberattack could wreak havoc on our nation and cause countless deaths. We should take Andy Greenberg’s Sandworm as a warning.
Tom Glenn was an intelligence operative for the U.S. government for 35 years. He has written extensively about his 13 years of clandestine operations in Vietnam, but his work after 1975 is still classified. A linguist in seven languages, he has four novels and 17 short stories in print, with two more books due out in 2020.