Book Review: "Sandworm"
"Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers" by Andy Greenberg is a brand new book on modern, Russian cyber war tactics and actors. Specifically the book focuses on a Russian advanced persistent threat (APT) that targets critical infrastructure in a destructive manner via computer network attacks. Sandworm is an incredible book because it shows the potential physical impact of cyber security in the 21st century. The book opens with the devastating attacks on the Ukraine power grid during the Russian invasion of Ukraine. The book shows how a cyber attack on critical infrastructure can cripple a country overnight. The book uses the attacks on Ukraine's power grid as canary in the coal mine and warns about the ruinous cyber-physical attacks that may come in the future. I paid ~$20 for the book and listened to it on Audible for ~12 hours, which I highly recommend as both engaging and informative. Ultimately, I give this book 8 out of 10 stars for capturing the real impact of cyber war and eloquently telling one of the more convoluted and intriguing cyber espionage stories of our time. I recommend this to anyone working in cyber security, especially those with an interest in industrial control systems or the impacts of cyber war. The book spends the majority of its time tracking the Sandworm group, also known as Voodoo bear, and identified as unit 74455 within the GRU. Bellow you can see many of the chapters of the book, to get an idea of the journey this book takes its readers through.
Prologue
Part I: Emergence
Chapter 1: The Zero Day
Chapter 2: BlackEnergy
Chapter 3: Arrakis02
Chapter 4: Force Multiplier
Chapter 5: StarLightMedia
Chapter 6: Holodomor to Chernobyl
Chapter 7: Maiden to Donbas
Chapter 8: Blackout
Chapter 9: The Delegation
Part II: Origins
Chapter 10: Flashback: Aurora
Chapter 11: Flashback: Moonlight Maze
Chapter 12: Flashback: Estonia
Chapter 13: Flashback: Georgia
Chapter 14: Flashback: Stuxnet
Part III: Evolution
Chapter 15: Warnings
Chapter 16: Fancy Bear
Chapter 17: FSociety
Chapter 18: Poligon
Chapter 19: Industroyer/Crash Override
Part IV: Apotheosis
Chapter 20: Maersk
Chapter 21: Shadow Brokers
Chapter 22: EternalBlue
Chapter 23: Mimikatz
Chapter 24: NotPetya
Chapter 25: National Disaster
Chapter 26: Breakdown
Chapter 27: The Cost
Chapter 28: Aftermath
Chapter 29: Distance
Part V: Identity
Chapter 30: GRU
Chapter 31: Defectors
Chapter 32: Informatisonnoye Protivoborstvo
Chapter 33: The Penalty
Chapter 34: Bad Rabbit, Olympic Destroyer
Chapter 35: False Flags
Chapter 36: 74455
Chapter 37: The Tower
Chapter 38: Russia
Chapter 39: The Elephant and the Insurgent
Part VI: Lessons
Chapter 40: Geneva
Chapter 41: Black Start
Chapter 42: Resilience
Epilogue
The book opens with the NotPetya worm hitting Ukraine, causing blackouts and mayhem across the world, resulting in one of the most expensive destructive malware attacks to date. The book talks about how one of Russia's modus operandi is using false information or red herrings to throw people off their trail. The book attributes many families of malware to them, such as BlackEnergy and NotPetya, two dangerous pieces of malware that targeted SCADA control systems. Andy also covers similar families of malware designed by other groups, such as Stuxnet, Checkdisk, and Wanacry, showing how often malware authors will steal good ideas from other families once they've been exposed publicly. One of my favorite aspects of the book is where various researches can settle on attributing different campaigns or families back to the Sandworm group by finding code reuse or mistakes within the malware that the reverse engineers can exploit to their advantage. And this is not simple commodity malware either, these are often advanced pieces of APT malware that contain false flags, as is a favorite Russian tactic, implicating other groups to throw reverse engineers off of the trail. Specifically, "Sandworm" talks about how NotPetya tries to masquerade as commodity ransomware, when in reality this was "destructive" malware, designed to take down computer systems during the invasion. "Sand Worm" also covers how the Olympic Destroyer malware (which targeted Bejing Olympic Games) was masqueraded as being North Korean when in fact it was the GRU. The book goes so far as to attribute exactly which groups within the GRU are responsible for the Black Energy malware as well as the power grid attacks. Through these efforts they end up attributing the GRU Unit 74455 to Voodoo Bear or the Sandworm Group. It's a fascinating book, I highly recommend it to those interested in real world cyber war examples. Below you can listen to Andy Greenberg discus many of the topics of the book on a cyber security podcast, The Cyberwire:
Prologue
Part I: Emergence
Chapter 1: The Zero Day
Chapter 2: BlackEnergy
Chapter 3: Arrakis02
Chapter 4: Force Multiplier
Chapter 5: StarLightMedia
Chapter 6: Holodomor to Chernobyl
Chapter 7: Maiden to Donbas
Chapter 8: Blackout
Chapter 9: The Delegation
Part II: Origins
Chapter 10: Flashback: Aurora
Chapter 11: Flashback: Moonlight Maze
Chapter 12: Flashback: Estonia
Chapter 13: Flashback: Georgia
Chapter 14: Flashback: Stuxnet
Part III: Evolution
Chapter 15: Warnings
Chapter 16: Fancy Bear
Chapter 17: FSociety
Chapter 18: Poligon
Chapter 19: Industroyer/Crash Override
Part IV: Apotheosis
Chapter 20: Maersk
Chapter 21: Shadow Brokers
Chapter 22: EternalBlue
Chapter 23: Mimikatz
Chapter 24: NotPetya
Chapter 25: National Disaster
Chapter 26: Breakdown
Chapter 27: The Cost
Chapter 28: Aftermath
Chapter 29: Distance
Part V: Identity
Chapter 30: GRU
Chapter 31: Defectors
Chapter 32: Informatisonnoye Protivoborstvo
Chapter 33: The Penalty
Chapter 34: Bad Rabbit, Olympic Destroyer
Chapter 35: False Flags
Chapter 36: 74455
Chapter 37: The Tower
Chapter 38: Russia
Chapter 39: The Elephant and the Insurgent
Part VI: Lessons
Chapter 40: Geneva
Chapter 41: Black Start
Chapter 42: Resilience
Epilogue
The book opens with the NotPetya worm hitting Ukraine, causing blackouts and mayhem across the world, resulting in one of the most expensive destructive malware attacks to date. The book talks about how one of Russia's modus operandi is using false information or red herrings to throw people off their trail. The book attributes many families of malware to them, such as BlackEnergy and NotPetya, two dangerous pieces of malware that targeted SCADA control systems. Andy also covers similar families of malware designed by other groups, such as Stuxnet, Checkdisk, and Wanacry, showing how often malware authors will steal good ideas from other families once they've been exposed publicly. One of my favorite aspects of the book is where various researches can settle on attributing different campaigns or families back to the Sandworm group by finding code reuse or mistakes within the malware that the reverse engineers can exploit to their advantage. And this is not simple commodity malware either, these are often advanced pieces of APT malware that contain false flags, as is a favorite Russian tactic, implicating other groups to throw reverse engineers off of the trail. Specifically, "Sandworm" talks about how NotPetya tries to masquerade as commodity ransomware, when in reality this was "destructive" malware, designed to take down computer systems during the invasion. "Sand Worm" also covers how the Olympic Destroyer malware (which targeted Bejing Olympic Games) was masqueraded as being North Korean when in fact it was the GRU. The book goes so far as to attribute exactly which groups within the GRU are responsible for the Black Energy malware as well as the power grid attacks. Through these efforts they end up attributing the GRU Unit 74455 to Voodoo Bear or the Sandworm Group. It's a fascinating book, I highly recommend it to those interested in real world cyber war examples. Below you can listen to Andy Greenberg discus many of the topics of the book on a cyber security podcast, The Cyberwire: