“Sandworm” Is The True Story About Russian Cyberwarfare

Last month I read the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, by Andy Greenberg, senior writer for Wired magazine.  If you want to understand how cyber-war has changed the face of military operations in the 21st century, this book explains everything.  This book has put the threat of cyber attacks against critical infrastructure in the spotlight, and did a great job connecting all of the many parts of what has turned out to be a new and brutally effective arrow in the quiver of not just Russia, but most nation-states and their militaries.

I have written quite a bit about cyber-war and cyber-espionage before (see articles listed below), and I have made the contention that cyber-warfare is an ongoing, present, and active threat.  It is real, and it is happening now, every day, somewhere in the world.  My interest in cyber attacks against critical infrastructure probably began in 2016 when I saw Ted Koppel at the 2016 (ISC)2 International Congress in Orlando.  I was so impressed by his talk that I bought and read his excellent book Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.

What Ted Koppel discussed as a theoretical possibility was exposed by Andy Greenberg as an active, ongoing threat.  The Ukraine has suffered through two attacks against its critical infrastructure, in 2015 and 2016, including its power grid.  The technical dive on how this was accomplished was excellent.  If you are working in IT or cybersecurity in the power generation business, this is a must-read.

One of the more chilling exploits involved the malware distribution method for the NotPetya ransomware attack.  In The Ukraine, almost everyone uses the same accounting software, a program called Me.Doc (think QuickBooks).  The GRU cyber-team took control of the Me.Doc update server, and sent out its malware to every computer that connected for a Me.Doc update.  Once everything was in place it was a trivial matter for the attack to take place.  Even though NotPetya was targeting the Ukraine again, it spread outside to other countries and companies who used Me.Doc, and affected companies such as Maersk, the global shipping and logistics company, pharma giant Merck, FedEx European subsidiary TNT-Express, French construction company Saint-Gobain, and food manufacturer Mondelez.  All of these companies had Me.Doc installed somewhere on their networks.

Right now there are no rules of war, no Geneva accords that govern military cyber-operations.  And even though the United States government has finally called out Russia over the cyber operations in the Ukraine, Georgia, the Baltic countries of Estonia and Lithuania, Sweden, Poland, France, and Germany, and on US soil, the United States is not leading the way to rein in this new and powerful weapon.  This is because the US is engaged in the same activity, and believes that US Cyber Forces are the best in the world, and ready to defend us if necessary.

Additionally, the US government does not want to be constrained by a new set of rules of cyber-warfare.  The recent revelations about CIA ownership of the European cryptography company Crypto AG shine a light on the dark world of US cyber-surveillance and cyber-war operations.

Sandworm gets a “must-read” from me for anyone who works in cybersecurity, or information technology.  I can recommend it as a fun read for even non-technical readers who are concerned about cybersecurity and critical infrastructure.  If you can read this book without going to Menard’s or Home Depot to buy a backup generator, then you have more self-restraint than I do.  Even though this is a work of non-fiction on a very technical subject, it reads like a spy caper, except without the gun-play.

More information:

My previous writing on the subject can be found below:

  • What Happens If The Lights Go Out?
    I attended the (ISC)2 Security Congress in September, and one of the featured speakers was well known television journalist Ted Koppel.  He gave a presentation about his new book Lights Out:  A Cyberattack, A Nation Unprepared, Surviving the Aftermath.  You are probably wondering, as I was, what …
  • Dragonfly Wants To Punch Our Lights Out? Round One
    Somebody wants to punch our lights out – literally turn off the electric power grid. Who would want to do this?  Who has the capability?  Is it the Russians, who have already demonstrated this attack two years ago in the Ukraine?  Or the North Koreans, who have both motive and the cyber arm…
  • Dragonfly Wants To Punch Our Lights Out? Round Two
    Somebody wants to punch our lights out – literally turn off the electric power grid. Who would want to do this?  Russia?  North Korea?  Cybersecurity firm Symantec has attributed this attack to a group they have identified as the Dragonfly Group, who may have been responsible for the attack…
  • Dragonfly Wants To Punch Our Lights Out? Round Three
    Is the U.S. energy sector under attack? The ambitious and sophisticated exploits like this one are usually the work of a nation-state.  Who wants to turn off the lights?  Last Wednesday we took a look at the US-CERT alert warning about the ongoing cyber-attack against the U.S. electric grid, and o…
  • Dragonfly Wants To Punch Our Lights Out? Round Four
    Over the last four posts, we have focused on the US-CERT alert, but cybersecurity firm Symantec has actually been working this case since 2011.  Their report on Dragonfly can be found on their website.  While they are cautious when providing attribution, reading between the lines indicates that Dra…
  • Are ICS and SCADA Systems the Next IOT Disaster?
    There is a lot of talk in the cybersecurity world about Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems that run the US power grid, water utilities, gas pipelines, oil refineries, and countless factories.  We discussed how all this might play out in the…


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
