Cybersecurity Book Club: “Sandworm” by Andy Greenberg
Overview
This quarter’s Cybersecurity Book Club pick was Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, by the journalist Andy Greenberg. The book is a detailed account of the Russian government-backed hacking unit that security researchers nicknamed Sandworm (after the Dune references they found in its malware) and of its operations. Greenberg traces the digital fingerprints the Russian state left behind in some of the most damaging cyberattacks on record and, drawing on extensive interviews with industry specialists and in-depth technical research, shows how many of those attacks link back to the same group of Russian military intelligence officers.
The book describes in detail how Russia’s military intelligence agency (the GRU) has evolved its hacking modus operandi, from infiltrating government networks in former Soviet Bloc countries to running disinformation campaigns during US elections. While Sandworm focuses primarily on this discreet Moscow-based group of GRU hackers, Greenberg also lays out the wider implications of cyberwar and how we all continue to fall short in addressing this form of modern warfare.
Some of the World’s Major Breaches
Much of the book recounts some of the world’s most high-profile intrusions and how they were carried out. Some of the more noteworthy incidents:
2017 NotPetya
In Jun 2017, the NotPetya attack knocked out systems across Ukraine, including the radiation monitoring systems at the Chernobyl site and the National Bank of Ukraine, and spread to global companies such as Maersk and Merck. NotPetya is considered the most destructive cyberattack to date, with damages estimated at USD 10 billion.
Technical Function
The attack was launched through a hijacked update of M.E.Doc, a tax-accounting program used by most businesses operating in Ukraine, which delivered a variant of the Petya ransomware. From each infected machine the malware spread across the local network using the EternalBlue SMB exploit and credentials stolen from memory, so it reached far beyond the computers that had M.E.Doc installed. On each victim it encrypted files and the NTFS master file table and overwrote the boot record. The ransom note was a decoy: the authors had no way to issue working decryption keys, which makes NotPetya a wiper dressed up as ransomware.
Responsible parties
Russian government
2018 Olympic Destroyer
During the Opening Ceremony of the Pyeongchang Winter Olympics in Feb 2018, the event’s tech team detected a malicious attack that shut off Wi-Fi networks, gate control systems, and digital ticketing. IT staffers worked through the night to restore the system’s functionality.
Technical Function
The malware, disguised under the file name winlogon.exe, got into the Games’ technology operations center, harvested credentials, spread across the network, and wiped the domain controllers, taking every service that depended on them down as well. The tech team cut the network off from the Internet and rebuilt the domain controllers and services from backups through the night.
Responsible parties
Russian government
2015-16 DNC Hack
In May 2016, the US Democratic National Committee (DNC) discovered that its network had been compromised for months. Stolen documents were later published, first by the “Guccifer 2.0” persona and then by WikiLeaks.
Technical Function
Both intrusions began with spear phishing. Cozy Bear had been inside the DNC network since the summer of 2015. In March 2016, Fancy Bear began sending campaign staff fake Google security alerts that redirected them to credential-harvesting pages for their personal Gmail accounts; John Podesta’s mailbox was stolen this way, and Fancy Bear broke into the DNC network itself in April 2016.
Responsible parties
Cozy Bear and Fancy Bear (Russian cyber espionage groups, attributed to the SVR and the GRU respectively)
2016 Industroyer/Crash Override
In Dec 2016, a cyberattack on a transmission substation cut roughly one fifth of the power to the Ukrainian capital, Kyiv, for about an hour. It was the second cyberattack on Ukraine’s power grid in as many years.
Technical Function
The Industroyer malware (also called Crash Override) targeted the Windows machines that operate electrical equipment. It is modular: a main backdoor connects over Tor to remote command-and-control servers, reports on the host, and launches payload modules that speak the grid’s own control protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) natively. Because those protocols were designed without authentication, the payloads could scan for devices and send legitimate-looking open-breaker commands directly, with no exploit needed. Further modules wiped the infected machines and included a denial-of-service tool aimed at Siemens SIPROTEC protective relays.
Responsible parties
Allegedly Russia
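To make concrete why Industroyer needed no exploit, here is an added example (my own illustrative code, not Industroyer’s and not from the book) that builds and decodes IEC 60870-5-104 frames, the protocol one of Industroyer’s payload modules spoke, and runs a minimal detection over a few constructed frames. A single command (type 45) that opens or closes a breaker is just a handful of unauthenticated bytes, so at the protocol layer the only practical signal is that the command came from a host that is not the authorised control master. The IP addresses and the traffic are constructed for the example; the frame layout follows the standard.

```python
"""IEC 60870-5-104 frame builder/decoder and a minimal rogue-command detector.

Added example: illustrative code, not Industroyer's and not from the book.
Type identifiers, control-field layout and ASDU structure follow IEC 60870-5-104;
the hosts and traffic below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASDU type identifiers (IEC 60870-5-101/104)
C_SC_NA_1 = 45    # single command (e.g. open/close a breaker)
C_IC_NA_1 = 100   # general interrogation (a normal poll from the master)
# Types 45-51 and 58-64 are process-control commands; everything else is monitoring
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6  # cause of transmission: activation


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cause: int
    common_addr: int
    ioa: int          # information object address of the first object
    element: bytes    # element bytes that follow the first IOA


def build_asdu(type_id: int, cause: int, common_addr: int, ioa: int, element: bytes) -> bytes:
    """One information object (VSQ=1, SQ=0), originator address 0, 2-byte common address."""
    header = struct.pack("<BBBBH", type_id, 1, cause, 0, common_addr)
    return header + ioa.to_bytes(3, "little") + element


def single_command(common_addr: int, ioa: int, on: bool, select: bool = False) -> bytes:
    """C_SC_NA_1: SCO = SCS (bit 0) | QU (bits 2-6, 0 here) | S/E (bit 7)."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    return build_asdu(C_SC_NA_1, COT_ACTIVATION, common_addr, ioa, bytes([sco]))


def encode_i_frame(asdu: bytes, send_seq: int, recv_seq: int) -> bytes:
    """APCI (0x68, length, 4 control octets) + ASDU. In I-format, bit 0 of the first
    control octet is 0 and N(S)/N(R) are 15-bit little-endian counters shifted left by one."""
    ctrl = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    return bytes([0x68, 4 + len(asdu)]) + ctrl + asdu


def decode_apdu(apdu: bytes) -> Optional[Asdu]:
    """Return the ASDU carried by an I-format APDU; None for S/U-format frames."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APDU")
    if apdu[2] & 0x01:          # S-format (..01) and U-format (..11) carry no ASDU
        return None
    asdu = apdu[6:]
    if len(asdu) < 10:          # 6-byte header + 3-byte IOA + at least one element byte
        raise ValueError("ASDU too short")
    type_id, vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return Asdu(type_id, vsq & 0x7F, cot & 0x3F, common_addr, ioa, asdu[9:])


Finding = Tuple[str, int, int, int, int]  # (src, type_id, common_addr, ioa, first element byte)


def find_rogue_commands(frames: Iterable[Tuple[str, bytes]], allowed_masters: Set[str]) -> List[Finding]:
    """Flag process-control commands sent by any host other than the authorised master(s).
    The protocol cannot distinguish a legitimate command from an attacker's, so the
    sender is the only signal available at this layer."""
    findings: List[Finding] = []
    for src, apdu in frames:
        asdu = decode_apdu(apdu)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if src not in allowed_masters:
            findings.append((src, asdu.type_id, asdu.common_addr, asdu.ioa, asdu.element[0]))
    return findings


# Constructed traffic: the legitimate master (10.0.1.10) polls the RTU and closes a
# breaker; an unauthorised host (10.0.1.77) sends the same kind of command to open it.
MASTERS = {"10.0.1.10"}
SAMPLE_TRAFFIC = [
    ("10.0.1.10", encode_i_frame(build_asdu(C_IC_NA_1, COT_ACTIVATION, 1, 0, bytes([20])), 0, 0)),
    ("10.0.1.10", encode_i_frame(single_command(1, 0x1234, on=True), 1, 0)),
    ("10.0.1.77", encode_i_frame(single_command(1, 0x1234, on=False), 0, 0)),
]

if __name__ == "__main__":
    for src, type_id, ca, ioa, sco in find_rogue_commands(SAMPLE_TRAFFIC, MASTERS):
        state = "ON" if sco & 1 else "OFF"
        print(f"ALERT: {src} sent type {type_id} to CA {ca} IOA {ioa:#x}: {state}")
```

Note that the rogue frame and the master’s own command differ only in the SCS bit and the sender: nothing in the bytes proves who is entitled to operate the breaker. That is why defences for this class of attack live in network segmentation and in allow-listing which hosts may issue control ASDUs at all, not in the protocol.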
2015 Ukrainian Blackouts
In Dec 2015, a cyberattack on three Ukrainian regional electricity distribution companies cut power to roughly 230,000 customers for up to six hours. It was the first known cyber incident to interrupt a nation’s electricity supply.
Technical Function
The attackers gained their initial access through spear-phishing emails carrying Office documents whose macros installed the BlackEnergy malware. From there they harvested credentials, used the utilities’ own VPNs to reach the supervisory control and data acquisition (SCADA) networks, and took over operator workstations, opening breakers at dozens of substations by hand through the control software. On the way out they wiped workstations with KillDisk, corrupted the firmware of serial-to-Ethernet converters so the substations could not be re-energised remotely, and flooded the utilities’ call centers with a telephone denial-of-service attack so customers could not report the outage or receive updates.
Responsible parties
Allegedly Russia’s Sandworm
Stuxnet/Operation Olympic Games
Beginning around 2005, US intelligence agencies, reportedly working with Israel, developed malware designed to destroy uranium-enrichment centrifuges at Iran’s Natanz facility. Stuxnet is the first known case of state-sponsored malware destroying physical equipment.
Technical Function
Stuxnet was a worm that spread via universal serial bus (USB) flash drives, which let it cross into air-gapped networks, and then used several Windows zero-day vulnerabilities to propagate further. On each machine it looked for the Siemens Step7 software used to program programmable logic controllers (PLCs), which automate industrial machinery. When it found the PLC configuration it was built for, it injected its own code into the controller, periodically driving the centrifuges far outside their safe speed range, while a rootkit hid the malware on the Windows host and replayed normal-looking readings to the operators.
Responsible parties
US Government
Why This Book Matters
Many reviews of Sandworm describe it as “chilling” or “haunting.” Forbes contributor Richard Stiennon wrote: “Andy Greenberg’s Sandworm has achieved what I thought was no longer possible: it scares me.” And while the book’s content can indeed be unnerving for the reader, Greenberg does an excellent job of being alarming without being too alarmist. In other words, no part of this book is overly dramatized.
“It’s not about turning out the lights. It’s about letting people know you can turn out the lights.”
-John Hultquist, Sandworm
There is one line of the book that stands out above all the others. During one of Greenberg’s interviews with John Hultquist, former US government official and Director of Analysis at FireEye Mandiant, they returned to the blackouts in Ukraine. Hultquist said, “It’s not about turning out the lights. It’s about letting people know you can turn out the lights.” That is to say, there is a major psychological component to cyberwar. Greenberg points out that using a computer to turn off a city’s electricity supply or to interfere with a presidential election shakes the very foundation of stable governance, and can sap a country’s will to fight back.
Given all of this evidence, why have other countries largely avoided condemning the Russian government’s actions? The obvious answer is that they want to avoid becoming the next target. But Greenberg also discusses another side of this dilemma, arguing that countries want to preserve this form of warfare for use against their own adversaries as needed.
This book is about much more than Russian hacking groups. Readers should come away from Sandworm with a sense of the devastating effects of cyberwar, but without treating the Russian government (or any single group, for that matter) as the sole cause of the cybersecurity problem. As a community, we must avoid overfocusing on geopolitical adversaries and remember that the cyber domain will never be 100% bulletproof.