Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers Review

Artwork by @laelcillustrate

As someone who works in the cybersecurity industry and reports on new cyber attacks daily, there are not many threats from the internet that can actually scare me. However, Andy Greenberg’s Sandworm did just that.

This book uncovers some of the first recorded instances of cyber warfare attributed to Russia’s Main Intelligence Directorate or GRU. The elite hackers that make up this military unit are the definition of an advanced persistent threat (APT). This vastly resourced group, mainly targets Russia’s neighbours such as Ukraine, Estonia, and Georgia. It is now commonly referred to and recognised by the USA, the UK, and NATO as Sandworm and is responsible for some of the most terrible cyberattacks in the last few years. Attacks such as NotPetya, Industroyer/Crash Override, Bad Rabbit, and Olympic Destroyer were all attributed to Sandworm. It’s tactics, techniques, and procedures (TTPs) have overlapped with another well-known Russian cyberespionage group, FancyBear, leading experts to believe that Sandworm and FancyBear are two units of the same GRU cyberarmy. 

What makes Sandworm in particular so terrifying is its penchant for targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) software. This software is used in the energy sector, hospitals, water treatment plants, manufacturing, telecommunications, and transportation among other utilities. 

The book highlights that the foremost successful attack on ICS environments was executed by the Stuxnet worm. Stuxnet was first uncovered in 2010, though it is thought to have been in development since at least 2005. Stuxnet targets Siemens ICS, SCADA, and programmable logic controllers (PLC) and is responsible for causing substantial damage to the nuclear program of Iran. It was a highly sophisticated malware which contained four zero-day vulnerabilities that were disclosed after the code was analysed. The rest of the world was shocked at the destructiveness of a cyber attack on such heavily defended networks of a nuclear power plant as well as the cyber capabilities that the US possessed. Likely spurred on by this event, Russia advanced its research and development into such cyber weapons, with zero-day vulnerabilities and ICS-specific malware of its own.

On 23 December 2015, the Ukrainian Kyivoblenergo (also known as Ukrenergo), a regional electricity distribution company, reported service outages to customers. This was due to a cyber attack using the BlackEnergy malware, linked to this elite GRU hacking team. Sandworm was the designated ICS attacker that was executing blackout attacks across Ukraine. Researchers from US cybersecurity firm, FireEye, were responsible for the name after reverse engineering and decrypting the BlackEnergy malware recovered from the attacks on Ukrenergo. The name ‘Sandworm’ came from a ‘campaign code’ left in the malware that the attackers could use to track its victims. The first ‘arrakis02’, followed by several others, were all references to the 1965 science-fiction novel Dune. In the Dune universe are giant Sandworms that roam beneath the surface - similar to the hackers invading networks. John Hultquist, now Lead Intelligence Analyst at FireEye, decided that Sandworm was a name befitting such terrible hackers who target civilian infrastructure.

Further wiper malware attacks rocked Ukraine after Sandworm (also known as Telebots by ESET) continued to use BlackEnergy and its wiper malware, Killdisk, to destroy data on a series of targeted attacks against government institutions and media companies. During some attacks the hackers had painstakingly coded in a graphic (Figure 1) from the Amazon Prime TV series, Mr. Robot, in an attempt to appear as if hacktivists or pranksters had invaded and wiped these systems. The interesting thing was that in the series the hackers go on to use ransomware on a global banking conglomerate, EvilCorp, erasing everyone’s debt and throwing the world’s economy into chaos. This was before the NotPetya ransomware attack which had an estimated cost of $10 billion USD, the most expensive single cyber attack in recorded history.

Figure 1. Picture displayed by KillDisk component - drawn in real-time using the Windows GDI. (ESET)

One year later, on December 17th 2016, the Ukrainian capital Kiev was hit by a blackout. Local investigators later confirmed that the energy outage was caused by a cyberattack. The ICS-targeting malware to blame was called Industroyer (but is also known as Crash Override). This was declared as the second greatest threat to ICS environments since Stuxnet. This was a landmark incident in the history of cyber attacks, since it confirmed Russia possesses the same capabilities as the US, but used it on Ukrainian civilian infrastructure - opposed to an Iranian nuclear weapon procurement facility. The Kiev power grid went offline for six hours before it was restored manually by engineers. This incident sent a message to the rest of the world, Russia’s cyber offensive capacity was a force to be reckoned with.

Six months after the Industroyer event, the NotPetya ransomware was unleashed on Ukraine and other organisations around the world. Tens of thousands of systems in more than 65 countries, including ones belonging to major firms such as Rosneft, Maersk, Merck, FedEx, Mondelez International, Nuance Communications, Reckitt Benckiser and Saint-Gobain. The main concentration of victims were in Ukraine, the home of a tax software firm, M.E. Doc, whose update server was used as the initial infection vector. Ukraine’s government institutions, public transportation, banks, even the Chernobyl site were all knocked offline. NotPetya’s voraciousness came from its ability to rapidly spread and encrypt the master boot record (MBR) of Windows systems across entire networks, leaving them functionless. Similar to WannaCry, NotPetya abused the NSA hacking tools leaked by the Shadow Brokers in 2016. This includes the EternalBlue vulnerability and the Doublepulsar backdoor. When combined with Mimikatz, a tool that could harvest credentials out of system memory, NotPetya could enumerate entire networks in a matter of minutes. The book recounts a Maersk IT employee’s attempts at heading off the attack but ultimately failed, leaving the entire firm paralyzed and shipping ports around the world frozen. Months after the incident, the CIA came out and confirmed that the Russian military was responsible. More specifically, that the GRU and Sandworm was.

Even after the devastating NotPetya attacks, Sandworm was not finished and carried out further ransomware attacks involving a new variant known as Bad Rabbit. ESET researchers found that it mainly targeted Ukraine, but also certain parts of Russia too, which seemed to them to be part of a smokescreen that might throw security researchers off Sandworm’s scent. Bad Rabbit struck Odessa airport and the Kiev Metro, forcing closures and suspending the services. It was later found that Bad Rabbit was delivered via watering hole attacks with a fake version of Adobe Flash Player that contained the ransomware. 

After months of silence, during the opening ceremony for the South Korean Winter Olympics 2018, the Kremlin’s hackers would strike once again. This time with a malware called Olympic Destroyer after it wiped the main domain controllers used by the South Korean Olympics committee during the countdown of the opening ceremony. At first, due to the largest amount of false flags present in one piece of malware, security researchers were unsure quite who was behind this attack. Some would falsely attribute it to North Korea or China because of reused pieces of code used by their APTs. However, Kaspersky analysts eventually scoured over the code and eliminated both China and North Korea from being responsible for this attack. Although, the Moscow-based security firm would refuse to declare the GRU responsible for such an attack. The group behind Olympic Destroyer are now commonly known by the security community as ‘Hades’, due to the Greek origins of the Olympics. As Russia is banned from being represented at all sporting events, Hades could possibly make a return at the next Olympic games.
Figure 2. The previous logo of the GRU, prior to political shifts inside Kremlin

Hades, Sandworm, and FancyBear are believed to ultimately all belong to the same organisation, the GRU. Each attack campaign has overlapping TTPs that helps experts to attribute these attacks. Attribution is one of the hardest parts of malware analysis, but understanding a campaign's origins helps learn more about the threat. The GRU is the same organisation that is responsible for other ruthless attacks such as the downing of MH17 over Ukraine and the assassination attempt of Sergei Skripal in the UK. Not much is known about these hacking units. The author, Andy Greenberg, took a trip to Russia to find out more and even got close to the buildings mentioned in the US Department of Justice’s indictment to learn more about these hackers. At a Russian hacking conference that Greenberg attended he heard that some hackers are recruited by the FSB to avoid prison time, others at the conference also theorised that the some attacks could have been assisted by contractors, much like Booz Allen Hamilton. 

The book also expands on the history of the GRU, since its creation to a shift in the Kremlin internal politics that could have resulted in the GRU being disbanded. An interview with members of the Chatham House think tank, described inter-agency political tension as “like watching bulldogs fighting under the rug”, the details have not been disclosed. Many of these elaborate cyber attacks on critical infrastructure are thought to be part of the GRU’s attempt to prove itself as a utility and the “tip of the spear” for the Russian military, and to prevent itself from being disbanded, like the KGB.

In a little known article in the West, General Valery Gerasimov states that “Long distance, contactless actions against the enemy are the main means of achieving combat and operational goals. The defeat of the enemy’s objectives is conducted throughout the entire depth of his territory.” This idea is more applicable than any moment in time, it cements how current and future wars will be fought.

CEO of ICS security firm, Dragos, Robert M. Lee, said in the book that attacks on critical infrastructure have been worringly exponentially growing. Since Russia and the US possess these powers, all other nation states have been working to acquire them too. Dragos was only tracking three ICS-targeting groups a few years ago, now there are 10 APT actors that are looking to shut down power grids around the world. Microsoft made a presentation in Geneva, Switzerland, that the world requires a ‘Cyber Geneva Convention’. In the actual Geneva Convention, it is prohibited to target and kill civilians and medical staff during wartime. Yet, cyber attacks on power grids and hospitals by nation states, during peacetime, could and have cost lives. It was only until years later that the US CISA acknowledged Sandworm, but never outright condemned the attacks in Ukraine or blamed Russia for them. Speaking with senior US cybersecurity advisors and homeland security, Greenberg learned that the US will not advocate a Cyber Geneva Convention is not likely to. This is because the US wants to wage cyberwar themselves. The US officials admit that foreign governments probe each other all the time and even infect critical infrastructure with malware, but never "pull the trigger". It is also worth noting that Sandworm never went as far as it could have. From analysing all the attacks, the hackers appear to always hold back from irreversible damage against ICS products on power grids, never to reveal their full cyber arsenal. It is unlikely this was out of compassion, but due to Sandworm saving its true capabilities for something more sinister in the future. 


Before I came across this book I had read about the NotPetya attacks, particularly how it affected Maersk, and had listened to the Darknet Diaries podcast with Andy Greenberg. I was facisnated by the story and just had to know more. Now that I have read it, I now realise all these different cyber attacks, APTs, hacking tools, and malware all fit together like pieces of a giant jigsaw puzzle called Sandworm.

One of the things I found so interesting about this book was how the security researchers from TrendMicro, FireEye, ESET, and Dragos all unravelled the same mystery from different aspects of the same group. Each firm has its own speciality, capabilities, and information repositories from antivirus solutions installed around the world. Without these firms being able to capture, reverse engineer, and analyse these malware samples I assume we would all be completely unaware about Sandworm. The United States was extremely unlikely to ever disclose the group after the fact it refused to condemn the attacks in Ukraine in an effort to maintain its ability to wage cyberwar.

Most book reviews leave a rating at the end, but I never find these particularly useful. I will say that I highly recommend this book if you are interested in various topics such as geopolitics, cyber threat intelligence, espionage, sabotage, malware analysis, advanced persistent threat actors, security vulnerabilities, and the conflict between Russia and Ukraine. This book covers each aspect in great detail and fits each partr together to create the full picture of what the adversaries of the West look like. With the capability to create Industroyer and the ruthlessness to unleash NotPetya, Sandworm is certainly one of the greatest threats in existance.

Lastly, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter is repeatedly mentioned in this book and is certainly on my list in the near future.

Twitter account that recorded NotPetya payments:

Popular posts from this blog

Deep-dive: The DarkHotel APT

Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns

My first year in Cyber Threat Intelligence