Sandworm

A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

*Winner of the Cornelius Ryan Citation for Excellence from the Overseas Press Club of America*
 
Sandworm is the true story of the most devastating cyberattack in history and the desperate hunt to identify and track the elite Russian agents behind it.
 
In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses—from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage—the largest, most destructive cyberattack the world had ever seen.

The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: a group known as Sandworm. Working in the service of Russia’s military intelligence agency, they represent a persistent, highly skilled force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.

A chilling, globe-spanning detective story, Sandworm considers the danger this force poses to our national security and stability. As the Kremlin’s role in foreign government manipulation comes into greater focus, Sandworm exposes the realities not just of Russia’s global digital offensive, but of an era where warfare ceases to be waged on the battlefield. It reveals how the lines between digital and physical conflict, between wartime and peacetime, have begun to blur—with world-shaking implications.
 
“Sandworm is a sobering examination of an underreported story: The menace Russian hackers pose to the critical infrastructure of the West. With the nuance of a reporter and the pace of a thriller writer, Andy Greenberg gives us a glimpse of the cyberwars of the future while at the same time placing his story in the long arc of Russian and Ukrainian history.” —Anne Applebaum, Pulitzer Prize–winning author of Gulag and Red Famine

“As Russia has attacked, Greenberg has not been far behind, reporting on these incursions in Wired while searching for their perpetrators. Like the best true-crime writing, his narrative is both perversely entertaining and terrifying.” —New York Review of Books

“Sandworm is much more than a true-life techno-thriller. It’s a tour through a realm that is both invisible and critical to the daily lives of every person alive in the 21st century.” —Los Angeles Times
 
“A terrifying and infuriating look at a future in which cyberwar hawks and cyberwar deniers join forces to literally threaten our ability to continue civilization. Sandworm shows how, in our leaders’ focus on maintaining digital weapons to attack our enemies, they've left our own critical infrastructure defenseless.” —Cory Doctorow, author of Little Brother and Radicalized

“Sandworm hits that sweet spot of being both informative and entertaining as hell. In a journey that hopscotches from war-torn Ukraine to shadowy chatrooms to the halls of the UN, Greenberg takes readers on the hunt for the network of Russian hackers behind the most damaging cyberattack to occur so far. It is well worth your read.” —P.W. Singer, author of Ghost Fleet and LikeWar

“The good news about Andy Greenberg’s Sandworm is that no one has ever dived so deeply into a major hack to illuminate the evolving crisis of a never-ending cyberwar. The bad news is when you finish this gripping narrative, you won't be sleeping as soundly as you did before.” —Steven Levy, author of In the Plex and Hackers

“Lucid and compelling, Sandworm shows us how high-tech warfare is waged today in Eastern Europe: battlefields of computer viruses, software vulnerabilities, and faked digital fingerprints. Where foreign hackers remotely black out cities and feed false election results to television networks. Where laptops become weapons and a word processor becomes a tool to invade a nation’s critical infrastructure. The first half of Greenberg’s meticulously researched book leaves us wondering: How long before it happens here? The second provides the chilling answer.” —Clifford Stoll, author of The Cuckoo's Egg

“An in-depth investigation of what the Russian military’s best cyber unit has already done to disrupt corporations, penetrate utilities, and prepare for cyberwar. Sandworm is a sword of Damocles over the US economy that any US president has to take into account when deciding on whether and how to counter the Kremlin.” —Richard Clarke, former White House counterterrorism coordinator, author of The Fifth Domain and Cyber War

“Immensely readable. . . . A hair-raising, cautionary tale about the burgeoning, post-Stuxnet world of state-sponsored hackers. . . . Greenberg lays out in chilling detail how future wars will be waged in cyberspace and makes the case that we have done little, as of yet, to prevent it.” —Washington Post

“[A] chilling account of a Kremlin-led cyber attack, a new front in global conflict.” —Financial Times

“Shocking. . . . The book reads like a novel.” —Washington Independent Review of Books

“An important front-line view of the changing cyberthreats that are shaping our world, their creators, and the professionals who try to protect us.” —Nature

“Sandworm offers both a ripping narrative of a hack that broke the world and a worrying glimpse at cyberwar’s rapidly evolving future.” —Wired

“The most detailed account yet of Russia’s most destructive government-backed hackers.” —Axios

“The must-read guide to state-sponsored hacking.” —Business Insider

“Andy Greenberg’s Sandworm has achieved what I thought was no longer possible: it scares me. Sandworm is the story of the Russian GRU hacking team that has evolved in a few short years into the most methodical, persistent, and destructive intelligence agency cyber warriors. After reading Sandworm you will not doubt those superlatives.” —Forbes

“A beautifully written deep-dive into a group of Russian hackers blamed for the most disruptive cyberattack in history, NotPetya. This incredibly detailed investigative book leaves no stone unturned, unravelling the work of a highly secretive group that caused billions of dollars of damage.” —TechCrunch

“[A] fascinating historical document that renders the often bland world of cybersecurity as a human tale that warrants our deepest attention.” —Fast Company

“A taut inquiry. . . . Greenberg is an adroit investigator and gifted metaphorist. His lucid, dynamic exposé is a must-read for those worried about the vulnerabilities of the digital world.” —Publishers Weekly

“A credible, breathless account. . . . [Greenberg] effectively captures the disturbing nature of this new global threat.” —Kirkus

“Told with the fast-paced style of a thriller, this book is highly recommended for all fans of international intrigue and cyberwarfare. An exceptional account.” —Library Journal (starred review)

“Loaded with original reportage, Greenberg's urgent and clarifying book will inform and worry everyone concerned about national and cyber security. . . . Readers will revel in the details Greenberg provides.” —Booklist
Introduction

On June 27, 2017, something strange and terrible began to ripple out across the infrastructure of the world.

A group of hospitals in Pennsylvania began delaying surgeries and turning away patients. A Cadbury factory in Tasmania stopped churning out chocolates. The pharmaceutical giant Merck ceased manufacturing vaccines for human papillomavirus.

Soon, seventeen terminals at ports across the globe, all owned by the world’s largest shipping firm, Maersk, found themselves paralyzed. Tens of thousands of eighteen-wheeler trucks carrying shipping containers began to line up outside those ports’ gates. Massive ships arrived from journeys across oceans, each carrying hundreds of thousands of tons of cargo, only to find that no one could unload them. Like victims of a global outbreak of some brain-eating bacteria, major components in the intertwined, automated systems of the world seemed to have spontaneously forgotten how to function.

At the attack’s epicenter, in Ukraine, the effects of the technological doomsday were more concentrated. ATMs and credit card payment systems inexplicably dropped off-line. Mass transit in the country’s capital of Kyiv was crippled. Government agencies, airports, hospitals, the postal service, even scientists monitoring radioactivity levels at the ruins of the Chernobyl nuclear power plant, all watched helplessly as practically every computer in their networks was infected and wiped by a mysterious piece of malicious code.

This is what cyberwar looks like: an invisible force capable of striking out from an unknown origin to sabotage, on a massive scale, the technologies that underpin civilization.

For decades, the Cassandras of internet security warned us this was coming. They cautioned that hackers would soon make the leap beyond mere crime or even state-sponsored espionage and begin to exploit vulnerabilities in the digitized, critical infrastructure of the modern world. In 2007, when Russian hackers bombarded Estonia with cyberattacks that tore practically every website in the country off-line, that blitz hinted at the potential scale of geopolitically motivated hacking. Two years later, when the NSA’s malicious software called Stuxnet silently accelerated Iran’s nuclear enrichment centrifuges until they destroyed themselves, the operation demonstrated another preview of what was in store: It showed that tools of cyberwar could reach out beyond the merely digital, into even the most closely guarded and sensitive components of the physical world.

But for anyone watching Russia’s war in Ukraine since it began in early 2014, there were clearer, more direct harbingers. Starting in 2015, waves of vicious cyberattacks had begun to strike Ukraine’s government, media, and transportation. They culminated in the first known blackouts ever caused by hackers, attacks that turned off power for hundreds of thousands of civilians. A small group of researchers would begin to sound the alarm—largely in vain—that Russia was turning Ukraine into a test lab for cyberwar innovations. They cautioned that those advancements might soon be deployed against the United States, NATO, and a larger world that remained blithely unprepared for this new dimension of war. And they pointed to a single force of Kremlin-backed hackers that seemed to be launching these unprecedented weapons of mass disruption: a group known as Sandworm.

Over the next two years, Sandworm would ramp up its aggression, distinguishing itself as the most dangerous collection of hackers in the world and redefining cyberwar. Finally, on that fateful day in late June 2017, the group would unleash the world-shaking worm known as NotPetya, now considered the most devastating and costly malware in history. In the process, Sandworm would demonstrate as never before that highly sophisticated, state-sponsored hackers with the motivations of a military sabotage unit can attack across any distance to undermine the foundations of human life, hitting interlocked, interdependent systems with unpredictable, disastrous consequences.

Today, the full scale of the threat Sandworm and its ilk present looms over the future. If cyberwar escalation continues unchecked, the victims of state-sponsored hacking could be on a trajectory for even more virulent and destructive worms. The digital attacks first demonstrated in Ukraine hint at a dystopia on the horizon, one where hackers induce blackouts that last days, weeks, or even longer—intentionally inflicted deprivations of electricity that could mirror the American tragedy of Puerto Rico after Hurricane Maria, causing vast economic harm and even loss of life. Or one where hackers destroy physical equipment at industrial sites to cause lethal mayhem. Or, as in the case of NotPetya, where they simply wipe hundreds of thousands of computers at a strategic moment to render brain-dead the digital systems of an enemy’s economy or critical infrastructure.

This book tells the story of Sandworm, the clearest example yet of the rogue actors advancing that cyberwar dystopia. It follows the years-long work of the detectives tracking those hackers—as Sandworm’s fingerprints appeared on one digital disaster scene after another—to identify and locate them, and to call attention to the danger the group represented in the desperate hope that it could be stopped.

But Sandworm is not just the story of a single hacker group, or even of the wider threat of Russia’s reckless willingness to wage this new form of cyberwar around the world. It’s the story of a larger, global arms race that continues today. That race is one that the United States and the West have not only failed to stop but directly accelerated with our own headlong embrace of digital attack tools. And in doing so, we’ve invited a new, unchecked force of chaos into the world.


Prologue

The clocks read zero when the lights went out.

It was a Saturday night in December 2016, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kyiv apartment. The forty-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone’s film Snowden when their building abruptly lost power.

“The hackers don’t want us to finish the movie,” Yasinsky’s wife joked. She was referring to an event that had occurred a year earlier, a cyberattack that had cut electricity to nearly a quarter-million Ukrainians two days before Christmas in 2015.

Yasinsky, a chief forensic analyst at a Kyiv cybersecurity firm, didn’t laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight. Yasinsky’s television was plugged into a surge protector with a battery backup, so only the flicker of images on-screen lit the room now. The power strip started beeping plaintively. Yasinsky got up and switched it off to save its charge, leaving the room suddenly silent.

He went to the kitchen, pulled out a handful of candles, and lit them. Then he stepped to the kitchen window. The thin, sandy blond engineer looked out on a view of the city as he’d never seen it before: The entire skyline around his apartment building was dark. Only the gray glow of distant lights reflected off the clouded sky, outlining blackened hulks of modern condos and Soviet high-rises. Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.

That’s when another paranoid thought began to work its way through Yasinsky’s mind: For the past fourteen months, he had found himself at the center of an enveloping crisis. A growing list of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.


1

The Zero Day

Beyond the Beltway, where the D.C. intelligence-industrial complex flattens out to an endless sea of parking lots and gray office buildings marked with logos and corporate names designed to be forgotten, there’s a building in Chantilly, Virginia, whose fourth floor houses a windowless internal room. The room’s walls are painted matte black, as if to carve out a negative space where no outside light penetrates.

In 2014, just over a year before the outbreak of Ukraine’s cyberwar, this was what the small, private intelligence firm iSight Partners called the black room. Inside worked the company’s two-man team tasked with software vulnerability research, a job that required focus intense enough that its practitioners had insisted on the closest possible office layout to a sensory-deprivation chamber.

It was this pair of highly skilled cave dwellers that John Hultquist first turned to one Wednesday morning that September with a rare request. When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he’d opened an email from one of his iSight colleagues in the company’s Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability.

A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

The file Hultquist had been passed from iSight’s Ukraine office was a PowerPoint attachment. It seemed to silently pull off exactly that sort of code execution, and in Microsoft Office, one of the world’s most ubiquitous pieces of software.

As he read the email, Klaxons sounded in Hultquist’s mind. If the discovery was what the Ukrainians believed it might be, it meant some unknown hackers possessed—and had used—a dangerous capability that would allow them to hijack any of millions of computers. Microsoft needed to be warned of its flaw immediately. But in a more self-interested sense, discovering a zero day represented a milestone for a small firm like iSight hoping to win glory and woo customers in the budding security subindustry of “threat intelligence.” The company turned up only two or three of those secret flaws a year. Each one was a kind of abstract, highly dangerous curiosity and a significant research coup. “For a small company, finding a nugget like this was very, very gratifying,” Hultquist says. “It was a huge deal for us.”

Hultquist, a loud and bearish army veteran from eastern Tennessee with a thick black beard and a perpetual smile, made a point of periodically shouting from his desk into a room next door known as the bull pen. One side of that space was lined with malware experts, and the other with threat analysts focused on understanding the geopolitical motives behind digital attacks. As soon as Hultquist read the email from iSight’s Ukrainian staff, he burst out of his office and into the bull pen, briefing the room and assigning tasks to triage what would become, unbeknownst then to any of them, one of the biggest finds in the small company’s history.

But it was down the hall, in the black room, that the hacker monks within would start to grapple with the significance of iSight’s discovery: a small, hidden marvel of malicious engineering.



Working on computers whose glowing monitors were the room’s only light source, the reverse engineers began by running the Ukrainians’ malware-infected PowerPoint attachment again and again inside a series of virtual machines—ephemeral simulations of a computer housed within a real, physical one, each one of them as sealed off from the rest of the computer as the black room was from the rest of the iSight offices.

In those sealed containers, the code could be studied like a scorpion under an aquarium’s glass. They’d allow it to infect its virtual victims repeatedly, as the reverse engineers spun up simulations of different digital machines, running varied versions of Windows and Microsoft Office, to study the dimensions and flexibility of the attack. When they’d determined that the code could extract itself from the PowerPoint file and gain full control of even the latest, fully patched versions of the software, they had their confirmation: It was indeed a zero day, as rare and powerful as the Ukrainians and Hultquist had suspected. By late in the evening—a passage of time that went almost entirely unmarked within their work space—they’d produced a detailed report to share with Microsoft and their customers and coded their own version of it, a proof-of-concept rewrite that demonstrated its attack, like a pathogen in a test tube.

PowerPoint possesses “amazing powers,” as one of the black room’s two reverse engineers, Jon Erickson, explained to me. Over years of evolution, it’s become a Rube Goldberg machine packed with largely unnecessary features, so intricate that it practically serves as its own programming language. And whoever had exploited this zero day had deeply studied one feature that allowed anyone to place an information “object” inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file’s own bundle of data, or even from a remote computer over the internet.

In this case, the hackers had used the feature to carefully plant two chunks of data within the presentation. The first it loaded into a temporary folder on the target computer. The second took advantage of PowerPoint’s animation feature: PowerPoint’s animations don’t merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running. In this case, when the presentation loaded that animation file, it would run an automated script that right-clicked on the first file the presentation had planted on the machine and click “install” on the resulting drop-down menu, giving that code a foothold on the computer without tipping off its user. The result was something like a harmless-looking package left on your doorstep that, after you bring it inside, sprouts an arm, cuts itself open, and releases tiny robots into your foyer. All of this would happen immediately and invisibly, the instant the victim double-clicked the attachment to open it.
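The two ingredients the passage describes, an object bundled inside the presentation's own package and an object pulled in from a remote location, both leave traces in the file's structure, which is what a triage analyst checks before ever opening an attachment in a sandbox. The script below is an added example, not code from the book or from iSight: it unzips a .pptx (an Office Open XML package), lists any parts stored under ppt/embeddings/, and reports every relationship whose type is the standard oleObject or package type, flagging those marked TargetMode="External". The sample presentation is constructed in memory; its remote target (a UNC path on 192.0.2.10) and file names are hypothetical. It inspects packaging only and does not reproduce or detect any specific exploit.

```python
"""Triage a .pptx for embedded and externally linked objects (added example)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Standard OOXML relationship-type URIs for OLE and packaged objects.
REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OBJECT_REL_TYPES = {REL_PREFIX + "oleObject", REL_PREFIX + "package"}


@dataclass
class Finding:
    source: str     # the .rels part the relationship was read from
    rel_type: str   # short relationship type, e.g. "oleObject"
    target: str     # Target attribute exactly as written in the package
    external: bool  # TargetMode="External": loaded from outside the file


@dataclass
class TriageReport:
    embedded_parts: list = field(default_factory=list)  # ppt/embeddings/* names
    object_rels: list = field(default_factory=list)     # Finding instances

    @property
    def suspicious(self) -> bool:
        # A remote object reference, or any embedded object at all, warrants a
        # closer look in something that claims to be an ordinary slide deck.
        return bool(self.embedded_parts) or any(f.external for f in self.object_rels)


# .rels parts are flat lists of <Relationship .../> elements, so a regex over
# the element and its attributes is enough here and keeps the script dependency-free.
_REL_RE = re.compile(r"<Relationship\b([^>]*)>", re.I)
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def triage_pptx(data: bytes) -> TriageReport:
    """Walk the package and collect embedded parts and object relationships."""
    report = TriageReport()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/embeddings/"):
                report.embedded_parts.append(name)
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for m in _REL_RE.finditer(xml):
                attrs = dict(_ATTR_RE.findall(m.group(1)))
                rel_type = attrs.get("Type", "")
                if rel_type not in OBJECT_REL_TYPES:
                    continue
                report.object_rels.append(Finding(
                    source=name,
                    rel_type=rel_type.rsplit("/", 1)[-1],
                    target=attrs.get("Target", ""),
                    external=attrs.get("TargetMode", "").lower() == "external",
                ))
    return report


def build_sample_pptx(with_objects: bool = True) -> bytes:
    """Constructed sample deck. With with_objects=True the single slide embeds one
    packaged object from inside the file and links a second from a hypothetical
    remote host; with False it is a clean deck for comparison."""
    rels = [
        '<Relationship Id="rId1" Type="' + REL_PREFIX + 'slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>',
    ]
    if with_objects:
        rels.append('<Relationship Id="rId2" Type="' + REL_PREFIX + 'package" '
                    'Target="../embeddings/oleObject1.bin"/>')
        rels.append('<Relationship Id="rId3" Type="' + REL_PREFIX + 'oleObject" '
                    'Target="\\\\192.0.2.10\\share\\remote_object.bin" TargetMode="External"/>')
    slide_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                  + "".join(rels) + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
        if with_objects:
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    r = triage_pptx(build_sample_pptx())
    print("embedded parts:", r.embedded_parts)
    for f in r.object_rels:
        print(f"{f.source}: {f.rel_type} -> {f.target}" + (" (EXTERNAL)" if f.external else ""))
    print("suspicious:", r.suspicious)
```

Point triage_pptx at the bytes of a real attachment to run the same check; a legitimate deck with no embedded or linked objects comes back with suspicious set to False, while a deck that carries either ingredient is worth detonating in an isolated virtual machine, as the black room did, rather than opening on a workstation.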

Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—­the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said.

But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle. He was admiring the first hints of a remote, malevolent intelligence.
© Joe Pugliese
Andy Greenberg is an award-winning senior writer for Wired, covering security, privacy, information freedom, and hacker culture. He's the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His previous book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, as well as excerpts from it published in Wired, won awards including a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Before coming to Wired, Greenberg worked as a senior reporter for Forbes magazine. He lives in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.

About

*Winner of the Cornelius Ryan Citation for Excellence from the Overseas Press Club of America*
 
Sandwormis the true story of the most devastating cyberattack in history and the desperate hunt to identify and track the elite Russian agents behind it.
 
In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses—from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage—the largest, most destructive cyberattack the world had ever seen.

The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: a group known as Sandworm. Working in the service of Russia’s military intelligence agency, they represent a persistent, highly skilled force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.

A chilling, globe-spanning detective story, Sandworm considers the danger this force poses to our national security and stability. As the Kremlin’s role in foreign government manipulation comes into greater focus, Sandworm exposes the realities not just of Russia’s global digital offensive, but of an era where warfare ceases to be waged on the battlefield. It reveals how the lines between digital and physical conflict, between wartime and peacetime, have begun to blur—with world-shaking implications.
 
Sandworm is a sobering examination of an underreported story: The menace Russian hackers pose to the critical infrastructure of the West. With the nuance of a reporter and the pace of a thriller writer, Andy Greenberg gives us a glimpse of the cyberwars of the future while at the same time placing his story in the long arc of Russian and Ukrainian history.” —Anne Applebaum, Pulitzer Prize–winning author of Gulag and Red Famine

“As Russia has attacked, Greenberg has not been far behind, reporting on these incursions in Wired while searching for their perpetrators. Like the best true-crime writing, his narrative is both perversely entertaining and terrifying.” —New York Review of Books

Sandworm is much more than a true-life techno-thriller. It’s a tour through a realm that is both invisible and critical to the daily lives of every person alive in the 21st century.” —Los Angeles Times
 
“A terrifying and infuriating look at a future in which cyberwar hawks and cyberwar deniers join forces to literally threaten our ability to continue civilization. Sandworm shows how, in our leaders’ focus on maintaining digital weapons to attack our enemies, they've left our own critical infrastructure defenseless.” —Cory Doctorow, author of Little Brother and Radicalized

Sandworm hits that sweet spot of being both informative and entertaining as hell. In a journey that hopscotches from war-torn Ukraine to shadowy chatrooms to the halls of the UN, Greenberg takes readers on the hunt for the network of Russian hackers behind the most damaging cyberattack to occur so far. It is well worth your read.” —P.W. Singer, author of Ghost Fleet and LikeWar

“The good news about Andy Greenberg’s Sandworm is that no one has ever dived so deeply into a major hack to illuminate the evolving crisis of a never-ending cyberwar. The bad news is when you finish this gripping narrative, you won't be sleeping as soundly as you did before.” 
—Steven Levyauthor of In the Plex and Hackers

“Lucid and compelling, Sandworm shows us how high-tech warfare is waged today in Eastern Europe: battlefields of computer viruses, software vulnerabilities, and faked digital fingerprints. Where foreign hackers remotely black out cities and feed false election results to television networks. Where laptops become weapons and a word processor becomes a tool to invade a nation’s critical infrastructure. The first half of Greenberg’s meticulously researched book leaves us wondering: How long before it happens here? The second provides the chilling answer.” —Clifford Stoll, author of The Cuckoo's Egg

“An in-depth investigation of what the Russian military’s best cyber unit has already done to disrupt corporations, penetrate utilities, and prepare for cyberwar. Sandworm is a sword of Damocles over the US economy that any US president has to take into account when deciding on whether and how to counter the Kremlin.” —Richard Clarke, former White House counterterrorism coordinator, author of The Fifth Domain and Cyber War

“Immensely readable. . . . A hair-raising, cautionary tale about the burgeoning, post-Stuxnet world of state-sponsored hackers. . . . Greenberg lays out in chilling detail how future wars will be waged in cyberspace and makes the case that we have done little, as of yet, to prevent it.” —Washington Post

“[A] chilling account of a Kremlin-led cyber attack, a new front in global conflict.” —Financial Times

“Shocking. . . . The book reads like a novel.” —Washington Independent Review of Books

“An important front-line view of the changing cyberthreats that are shaping our world, their creators, and the professionals who try to protect us.” —Nature 

“Sandworm offers both a ripping narrative of a hack that broke the world and a worrying glimpse at cyberwar’s rapidly evolving future.” —Wired

“The most detailed account yet of Russia’s most destructive government-backed hackers.”
—Axios

“The must-read guide to state-sponsored hacking.” —Business Insider

“Andy Greenberg’s Sandworm has achieved what I thought was no longer possible: it scares me. Sandworm is the story of the Russian GRU hacking team that has evolved in a few short years into the most methodical, persistent, and destructive intelligence agency cyber warriors. After reading Sandworm you will not doubt those superlatives.” —Forbes

“A beautifully written deep-dive into a group of Russian hackers blamed for the most disruptive cyberattack in history, NotPetya, This incredibly detailed investigative book leaves no stone unturned, unravelling the work of a highly secretive group that caused billions of dollars of damage.” —TechCrunch

“[A] fascinating historical document that renders the often bland world of cybersecurity as a human tale that warrants our deepest attention.” —Fast Company

“A taut inquiry. . . . Greenberg is an adroit investigator and gifted metaphorist. His lucid, dynamic exposé is a must-read for those worried about the vulnerabilities of the digital world.” 
—Publishers Weekly

“A credible, breathless account. . . . [Greenberg] effectively captures the disturbing nature of this new global threat.” —Kirkus

“Told with the fast-paced style of a thriller, this book is highly recommended for all fans of international intrigue and cyberwarfare. An exceptional account.” —Library Journal (starred review)

“Loaded with original reportage, Greenberg's urgent and clarifying book will inform and worry everyone concerned about national andcyber security. . . . Readers will revel in the details Greenberg provides.” —Booklist

Excerpt

Introduction

On June 27, 2017, something strange and terrible began to ripple out across the infrastructure of the world.

A group of hospitals in Pennsylvania began delaying surgeries and turning away patients. A Cadbury factory in Tasmania stopped churning out chocolates. The pharmaceutical giant Merck ceased manufacturing vaccines for human papillomavirus.

Soon, seventeen terminals at ports across the globe, all owned by the world’s largest shipping firm, Maersk, found themselves paralyzed. Tens of thousands of eighteen-wheeler trucks carrying shipping containers began to line up outside those ports’ gates. Massive ships arrived from journeys across oceans, each carrying hundreds of thousands of tons of cargo, only to find that no one could unload them. Like victims of a global outbreak of some brain-eating bacteria, major components in the intertwined, automated systems of the world seemed to have spontaneously forgotten how to function.

At the attack’s epicenter, in Ukraine, the effects of the technological doomsday were more concentrated. ATMs and credit card payment systems inexplicably dropped off-line. Mass transit in the country’s capital of Kyiv was crippled. Government agencies, airports, hospitals, the postal service, even scientists monitoring radioactivity levels at the ruins of the Chernobyl nuclear power plant, all watched helplessly as practically every computer in their networks was infected and wiped by a mysterious piece of malicious code.

This is what cyberwar looks like: an invisible force capable of striking out from an unknown origin to sabotage, on a massive scale, the technologies that underpin civilization.

For decades, the Cassandras of internet security warned us this was coming. They cautioned that hackers would soon make the leap beyond mere crime or even state-sponsored espionage and begin to exploit vulnerabilities in the digitized, critical infrastructure of the modern world. In 2007, when Russian hackers bombarded Estonia with cyberattacks that tore practically every website in the country off-line, that blitz hinted at the potential scale of geopolitically motivated hacking. Two years later, when the NSA’s malicious software called Stuxnet silently accelerated Iran’s nuclear enrichment centrifuges until they destroyed themselves, the operation demonstrated another preview of what was in store: It showed that tools of cyberwar could reach out beyond the merely digital, into even the most closely guarded and sensitive components of the physical world.

But for anyone watching Russia’s war in Ukraine since it began in early 2014, there were clearer, more direct harbingers. Starting in 2015, waves of vicious cyberattacks had begun to strike Ukraine’s government, media, and transportation. They culminated in the first known blackouts ever caused by hackers, attacks that turned off power for hundreds of thousands of civilians. A small group of researchers would begin to sound the alarm—largely in vain—that Russia was turning Ukraine into a test lab for cyberwar innovations. They cautioned that those advancements might soon be deployed against the United States, NATO, and a larger world that remained blithely unprepared for this new dimension of war. And they pointed to a single force of Kremlin-backed hackers that seemed to be launching these unprecedented weapons of mass disruption: a group known as Sandworm.

Over the next two years, Sandworm would ramp up its aggression, distinguishing itself as the most dangerous collection of hackers in the world and redefining cyberwar. Finally, on that fateful day in late June 2017, the group would unleash the world-shaking worm known as NotPetya, now considered the most devastating and costly malware in history. In the process, Sandworm would demonstrate as never before that highly sophisticated, state-sponsored hackers with the motivations of a military sabotage unit can attack across any distance to undermine the foundations of human life, hitting interlocked, interdependent systems with unpredictable, disastrous consequences.

Today, the full scale of the threat Sandworm and its ilk present looms over the future. If cyberwar escalation continues unchecked, the victims of state-sponsored hacking could be on a trajectory for even more virulent and destructive worms. The digital attacks first demonstrated in Ukraine hint at a dystopia on the horizon, one where hackers induce blackouts that last days, weeks, or even longer—intentionally inflicted deprivations of electricity that could mirror the American tragedy of Puerto Rico after Hurricane Maria, causing vast economic harm and even loss of life. Or one where hackers destroy physical equipment at industrial sites to cause lethal mayhem. Or, as in the case of NotPetya, where they simply wipe hundreds of thousands of computers at a strategic moment to render brain-dead the digital systems of an enemy’s economy or critical infrastructure.

This book tells the story of Sandworm, the clearest example yet of the rogue actors advancing that cyberwar dystopia. It follows the yearslong work of the detectives tracking those hackers—as Sandworm’s fingerprints appeared on one digital disaster scene after another—to identify and locate them, and to call attention to the danger the group represented in the desperate hope that it could be stopped.

But Sandworm is not just the story of a single hacker group, or even of the wider threat of Russia’s reckless willingness to wage this new form of cyberwar around the world. It’s the story of a larger, global arms race that continues today. That race is one that the United States and the West have not only failed to stop but directly accelerated with our own headlong embrace of digital attack tools. And in doing so, we’ve invited a new, unchecked force of chaos into the world.


Prologue

The clocks read zero when the lights went out.

It was a Saturday night in December 2016, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kyiv apartment. The forty-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone’s film Snowden when their building abruptly lost power.

“The hackers don’t want us to finish the movie,” Yasinsky’s wife joked. She was referring to an event that had occurred a year earlier, a cyberattack that had cut electricity to nearly a quarter-million Ukrainians two days before Christmas in 2015.

Yasinsky, a chief forensic analyst at a Kyiv cybersecurity firm, didn’t laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight. Yasinsky’s television was plugged into a surge protector with a battery backup, so only the flicker of images on-screen lit the room now. The power strip started beeping plaintively. Yasinsky got up and switched it off to save its charge, leaving the room suddenly silent.

He went to the kitchen, pulled out a handful of candles, and lit them. Then he stepped to the kitchen window. The thin, sandy blond engineer looked out on a view of the city as he’d never seen it before: The entire skyline around his apartment building was dark. Only the gray glow of distant lights reflected off the clouded sky, outlining blackened hulks of modern condos and Soviet high-rises. Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.

That’s when another paranoid thought began to work its way through Yasinsky’s mind: For the past fourteen months, he had found himself at the center of an enveloping crisis. A growing list of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.


1

The Zero Day

Beyond the Beltway, where the D.C. intelligence-industrial complex flattens out to an endless sea of parking lots and gray office buildings marked with logos and corporate names designed to be forgotten, there’s a building in Chantilly, Virginia, whose fourth floor houses a windowless internal room. The room’s walls are painted matte black, as if to carve out a negative space where no outside light penetrates.

In 2014, just over a year before the outbreak of Ukraine’s cyberwar, this was what the small, private intelligence firm iSight Partners called the black room. Inside worked the company’s two-man team tasked with software vulnerability research, a job that required focus intense enough that its practitioners had insisted on the closest possible office layout to a sensory-deprivation chamber.

It was this pair of highly skilled cave dwellers that John Hultquist first turned to one Wednesday morning that September with a rare request. When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he’d opened an email from one of his iSight colleagues in the company’s Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability.

A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.

The file Hultquist had been passed from iSight’s Ukraine office was a PowerPoint attachment. It seemed to silently pull off exactly that sort of code execution, and in Microsoft Office, one of the world’s most ubiquitous pieces of software.

As he read the email, Klaxons sounded in Hultquist’s mind. If the discovery was what the Ukrainians believed it might be, it meant some unknown hackers possessed—and had used—a dangerous capability that would allow them to hijack any of millions of computers. Microsoft needed to be warned of its flaw immediately. But in a more self-interested sense, discovering a zero day represented a milestone for a small firm like iSight hoping to win glory and woo customers in the budding security subindustry of “threat intelligence.” The company turned up only two or three of those secret flaws a year. Each one was a kind of abstract, highly dangerous curiosity and a significant research coup. “For a small company, finding a nugget like this was very, very gratifying,” Hultquist says. “It was a huge deal for us.”

Hultquist, a loud and bearish army veteran from eastern Tennessee with a thick black beard and a perpetual smile, made a point of periodically shouting from his desk into a room next door known as the bull pen. One side of that space was lined with malware experts, and the other with threat analysts focused on understanding the geopolitical motives behind digital attacks. As soon as Hultquist read the email from iSight’s Ukrainian staff, he burst out of his office and into the bull pen, briefing the room and assigning tasks to triage what would become, unbeknownst then to any of them, one of the biggest finds in the small company’s history.

But it was down the hall, in the black room, that the hacker monks within would start to grapple with the significance of iSight’s discovery: a small, hidden marvel of malicious engineering.



Working on computers whose glowing monitors were the room’s only light source, the reverse engineers began by running the Ukrainians’ malware-infected PowerPoint attachment again and again inside a series of virtual machines—ephemeral simulations of a computer housed within a real, physical one, each one of them as sealed off from the rest of the computer as the black room was from the rest of the iSight offices.

In those sealed containers, the code could be studied like a scorpion under an aquarium’s glass. They’d allow it to infect its virtual victims repeatedly, as the reverse engineers spun up simulations of different digital machines, running varied versions of Windows and Microsoft Office, to study the dimensions and flexibility of the attack. When they’d determined that the code could extract itself from the PowerPoint file and gain full control of even the latest, fully patched versions of the software, they had their confirmation: It was indeed a zero day, as rare and powerful as the Ukrainians and Hultquist had suspected. By late in the evening—a passage of time that went almost entirely unmarked within their work space—they’d produced a detailed report to share with Microsoft and their customers and coded their own version of it, a proof-of-concept rewrite that demonstrated its attack, like a pathogen in a test tube.

PowerPoint possesses “amazing powers,” as one of the black room’s two reverse engineers, Jon Erickson, explained to me. Over years of evolution, it’s become a Rube Goldberg machine packed with largely unnecessary features, so intricate that it practically serves as its own programming language. And whoever had exploited this zero day had deeply studied one feature that allowed anyone to place an information “object” inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file’s own bundle of data, or even from a remote computer over the internet.

In this case, the hackers had used the feature to carefully plant two chunks of data within the presentation. The first it loaded into a temporary folder on the target computer. The second took advantage of PowerPoint’s animation feature: PowerPoint’s animations don’t merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running. In this case, when the presentation loaded that animation file, it would run an automated script that right-clicked on the first file the presentation had planted on the machine and click “install” on the resulting drop-down menu, giving that code a foothold on the computer without tipping off its user. The result was something like a harmless-looking package left on your doorstep that, after you bring it inside, sprouts an arm, cuts itself open, and releases tiny robots into your foyer. All of this would happen immediately and invisibly, the instant the victim double-clicked the attachment to open it.

Erickson, the reverse engineer who first handled the zero day in iSight’s black room, remembers his work disassembling and defusing the attack as a somewhat rare, fascinating, but utterly impersonal event. In his career, he’d dealt with only a handful of real zero days found in the wild. But he’d analyzed thousands upon thousands of other malware samples and had learned to think of them as specimens for study without considering the author behind them—the human who had rigged together their devious machinery. “It was just some unknown guy and some unknown thing I hadn’t seen before,” he said.

But zero days do have authors. And when Erickson had first begun to pull apart this one in his blacked-out workshop that morning, he hadn’t simply been studying some naturally occurring, inanimate puzzle. He was admiring the first hints of a remote, malevolent intelligence.

Author

© Joe Pugliese
Andy Greenberg is an award-winning senior writer for Wired, covering security, privacy, information freedom, and hacker culture. He's the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His previous book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, as well as excerpts from it published in Wired, won awards including a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Before coming to Wired, Greenberg worked as a senior reporter for Forbes magazine. He lives in Brooklyn with his wife, filmmaker Malika Zouhali-Worrall.