Kindle Notes & Highlights
Read between February 17 - March 18, 2025
This is what cyberwar looks like: an invisible force capable of striking out from an unknown origin to sabotage, on a massive scale, the technologies that underpin civilization.
This book tells the story of Sandworm, the clearest example yet of the rogue actors advancing that cyberwar dystopia.
private intelligence firm iSight Partners called the black room.
A zero day, in hacker jargon, is a secret security flaw in software, one that the company who created and maintains the software’s code doesn’t know about. The name comes from the fact that the company has had “zero days” to respond and push out a patch to protect users. A powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.
VirusTotal. Owned by Google’s parent company, Alphabet, VirusTotal allows any security researcher who’s testing a piece of malware to upload it and check it against dozens of commercial antivirus products—a quick and rough method to see if other security firms have detected the code elsewhere and what they might know about it. As a result, VirusTotal has assembled a massive collection of in-the-wild code samples amassed over more than a decade that researchers can pay to access. Robinson began to run a series of scans of those malware records, searching for similar snippets of code in what he’d unpacked from his BlackEnergy sample to match earlier code samples in iSight’s or VirusTotal’s catalog.
So he knew his way around so-called industrial control systems, or ICS—also known in some cases as supervisory control and data acquisition, or SCADA, systems. That software doesn’t just push bits around, but instead sends commands to and takes in feedback from industrial equipment, a point where the digital and physical worlds meet.
ICS software is used for everything from the ventilators that circulate air in Peabody’s mines to the massive washing basins that scrub its coal, to the generators that burn coal in power plants to the circuit breakers at the substations that feed electrical power to consumers. ICS applications run factories, water plants, oil and gas refineries, and transportation systems—in other words, all of the gargantuan, highly complex machinery that forms the backbone of modern civilization and that most of us take for granted.
common piece of ICS software sold by General Electric is Cimplicity, which includes a kind of application known as a human-machine interface, essentially the control panel for those digital-to-physical command systems. Th...
to be opened in Cimplicity. Typically, a .cim file loads up an entire custom control panel in Cimplicity’s software, like an infinitely reconfigu...
The companies that run such equipment, particularly the electric utilities that serve as the most fundamental layer on which the rest of the industrialized world is built, constantly offer the public assurances that they have a strict “air gap” between their normal IT network and their industrial control network. But in a disturbing fraction of cases, those industrial control systems still maintain thin connections to the rest of their systems—or even the public internet—allowing engineers to access them remotely, for instance, or update their software.
The link between Sandworm and a Cimplicity file that phoned home to a server in Sweden was enough for Wilhoit to come to a startling conclusion: Sandworm wasn’t merely focused on espionage. Intelligence-gathering operations don’t break into industrial control systems. Sandworm seemed to be going further, trying to reach into victims’ systems that could potential...
“They’re possibly trying to bridge the gap between digital and kinetic.” The hackers’ goals seemed to extend beyond spying to industrial sabotage.
writing up their findings and posting them on Trend Micro’s blog.
Like many others in the cybersecurity industry, and particularly those with a military background, he’d been expecting cyberwar’s arrival: a new era that would finally apply hackers’ digital abilities to the older, more familiar worlds of war and terrorism. For Hultquist, it would be a return to form.
was vis amplificans vim, a phrase his superiors had told him roughly translated to “force multiplier.”
Russia, it seemed to Hultquist, was trying out basic methods of pairing traditional physical attacks with digital weapons of mass disruption.
Yasinsky’s hunch that the outage was no accident was immediately confirmed. The server’s master boot record—the deep-seated, reptile-brain portion of a computer’s hard drive that tells the machine where to find its own operating system—had been precisely overwritten with zeros. And the two victim servers that had suffered that lobotomy weren’t randomly chosen. They were domain controllers, computers with powerful privileges that could be used to reach into hundreds of other machines on the corporate network.
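The zeroed master boot record described in this highlight is easy to confirm during incident triage. The following is an added example, not code from the book or from Yasinsky’s investigation: it parses the first 512-byte sector of a disk image, flags an all-zero MBR like the one described, and otherwise checks the 0x55AA boot signature and the four primary partition entries. The sample MBR bytes it builds are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # 0x55AA at offset 510 marks a valid MBR
PART_TABLE_OFF = 446           # four 16-byte partition entries start here


def parse_partitions(mbr):
    """Decode the four primary partition slots into
    (bootable, type_id, lba_start, sector_count) tuples."""
    entries = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA(4) size(4)
        status, ptype, lba, size = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append((status == 0x80, ptype, lba, size))
    return entries


def triage_mbr(mbr):
    """Classify one boot sector: 'zeroed' (the wiper pattern described above),
    'no-boot-signature', 'no-partitions', or 'intact'."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr == bytes(SECTOR_SIZE):
        return "zeroed"
    if mbr[510:512] != BOOT_SIGNATURE:
        return "no-boot-signature"
    if not any(ptype != 0 for _, ptype, _, _ in parse_partitions(mbr)):
        return "no-partitions"
    return "intact"


def triage_image(path):
    """Read the first sector of a disk image or block device and triage it."""
    with open(path, "rb") as fh:
        return triage_mbr(fh.read(SECTOR_SIZE))


def build_sample_mbr():
    """Constructed sample (not a real disk): a stub of boot code, one bootable
    NTFS-type (0x07) partition starting at LBA 2048, and the boot signature."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\x33\xc0\x8e"          # arbitrary boot-code bytes
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    print(triage_mbr(build_sample_mbr()), triage_mbr(bytes(SECTOR_SIZE)))
```

Run `triage_image()` against a forensic image (or, with sufficient privilege, a raw block device) of each suspect host; a "zeroed" result on a domain controller is the pattern the passage describes.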
back at home in the north of the city, he scrutinized its code. He was struck by the layers of obfuscation; the malware had evaded all antivirus scans. It had even impersonated an antivirus scanner itself, Microsoft’s Windows Defender. After his family had gone to sleep, Yasinsky printed the code and laid the papers across his kitchen table and floor, crossing out lines of camouflaging characters and highlighting commands to see the malware’s true form.
Yasinsky had understood intuitively from childhood that the digital was no less real than the physical—that life and death could depend as easily on one as on the other.
“I realized the world is not what we see,” he says. “It wasn’t about getting extra lives; it was about changing the world I’d found myself in.”
In cybersecurity, attackers have the advantage: There are always more points of ingress than defenders can protect, and a skilled hacker needs only one.
Finally, they identified the piece of malware that had given the hackers their initial foothold, penetrating one of the staff’s PCs via an infected attachment: It was again a form of BlackEnergy, the same malware that iSight had tied to Sandworm a year earlier. But now it had been reworked to evade detection by antivirus software and included new modules that allowed the hacker to spread to other machines on the same network and execute the KillDisk data wiper.
Over the last thousand years, incursions into Ukraine have taken the form of Mongol hordes from the east and Lithuanian heathens and Polish imperialists from the west. The nation’s name itself, “Ukraina,” comes from a Slavic word for “borderland.”* Ukraine’s existence has been defined by its position, caught between powerful neighbors. But the country’s most perpetual nemesis has been the one with whom it shares not only the longest border but also the most history and culture—its larger, more aggressive, estranged brother from the same mother.
Russia and Ukraine trace the origins of their two civilizations to a common ancestor, the flourishing medieval state of Kyivan Rus. That kingdom, growing around Kyiv from the tenth century AD, became an eastern outpost of European culture after its king Volodymyr somewhat arbitrarily decided to convert his people from paganism to Orthodox Christianity. Ukrainians like to point out that his son Yaroslav the Wise bu...
The Soviet regime manufactured a famine in Ukraine that would kill 3.9 million people, a tragedy of unimaginable scope that’s known today as the Holodomor, a combination of the Ukrainian words for “hunger” and “extermination.” The starvation began through simple exploitation: Ukraine’s fertile black soil offered a tempting breadbasket for Russia. During its own civil war from 1917 to 1922, Russia seized as much grain as it could at gunpoint to alleviate its own wartime food shortages.
under the rule of Joseph Stalin, had imposed agricultural collectivization, moving peasants off the land they had owned for generations and onto communally held farms. At the same time, the most prosperous peasants, known as kulaks, were branded as class traitors and subjected to exile, imprisonment, and massacre.
After centuries of bloody fighting for its independence, Ukraine’s liberation had originally arrived in 1991, almost by accident. With the U.S.S.R.’s collapse, a stunned Ukrainian parliament voted to become a sovereign nation, with only the far eastern region of Donetsk, the most ethnically Russian slice of the country, opposing the decision. But for the decades that followed, Moscow maintained a powerful influence over Ukraine, and the two countries transitioned in tandem from communism to kleptocracy. Ukraine’s prime minister and then president for its first fourteen years of independence,
For a population inured to corruption and fed lies by state-run news for as long as they could remember, even so-called Kuchmagate failed to oust the president. Instead, he lasted until his chosen successor,
Viktor Yanukovich, an oligarch with close ties to the Russian president, Vladimir Putin, ran for president in 2004. His opponent was Viktor Yushchenko, a Ukrainian nationalist, financier, and reformer who promised to finally bring the country out from under Russia’s thumb.
Yanukovich’s estate north of Kyiv, called Mezhyhirya, became a mobster’s Xanadu, complete with a menagerie of exotic birds, a bowling alley, a rifle range, a boxing ring, and $46.5 million worth of chandeliers.
The final straw, however, wasn’t Yanukovich’s corruption but his Russian alliances. Under Yushchenko, Ukraine had started on a long road to membership in NATO, a prospect that no doubt infuriated and terrified Putin. Ukrainians’ European hopes had still lingered under Yanukovich in the form of an association agreement with the European Union, trade negotiations that represented the first baby step toward the West. But a week before si...
On one street near the Maidan, devices known as IMSI catchers impersonated cell phone towers to spam out text messages to protesters, telling them to go home. But as the square’s physical conflict ramped up, few people registered those first signs of digital meddling.
made a final notorious charge up the slope of the Maidan toward the Hotel Ukraine, snipers fired on them from above, led by a unit of brutal pro-Russian militarized police known as the Berkut—Ukrainian for “eagle.” Many Ukrainians believe the Berkut were joined by actual Russian soldiers brought in by Yanukovich. The death toll was 103 protesters, a group now immortalized as the “Heavenly Hundred”—the same martyrs whose lives were being memorialized on the Maidan on my first night in Kyiv.
border into the Russian-speaking eastern Ukrainian region of Donbas, helping to arm a separatist movement that quickly took control of the cities of Donetsk and Luhansk with Russian tanks and artillery.
Since then, Russia has successfully made Crimea its full-fledged possession as Ukraine’s eastern front has settled into a grinding, undeclared war. Two million Ukrainians have become internal refugees, and 10,000 Ukrainians have been killed. In July 2014, the callousness of the Kremlin-backed forces shocked the world when a Russian anti-aircraft unit, under the guise of pro-Russian Ukrainian forces, fired a Buk missile that downed a Malaysian passenger jet over Ukrainian territory, killing all 298 people on board.
“The idea was to destroy the system, to prevent it showing the results, and then to blame Ukraine’s so-called junta,” says Victor Zhora, a security contractor for the commission at the time. “The goal was to discredit the election process.”
(The CyberBerkut hackers would be revealed years later to be linked with the Russian hacker group Fancy Bear that meddled in U.S. elections, too.)
computers and paralyzing victim organizations. By the time I visited Kyiv in early 2017, practically every strata of Ukrainian society was being hit in successive waves of coordinated hacker sabotage: media, energy, transportation, finance, government, and military. “You can’t really find a space in Ukraine where there hasn’t been an attack,” Kenneth Geers, a NATO ambassador who focuses on cybersecurity, told me at the time. “Turn over every rock, and you’ll find a computer network operation.”
“Russia will never accept Ukraine being a sovereign and independent country,” he told me. “Twenty-five years since the Soviet collapse, Russia is still sick with this imperialistic syndrome.”
Putin’s fixation on Ukraine no doubt includes economic jealousy of its position as a lucrative pipeline route to Europe and its access to warm-water ports. But foreign policy analysts argued that Putin wasn’t necessarily seeking to somehow reintegrate his Little Russia into the Kremlin’s empire. Instead, he hoped to create a “frozen conflict”: By taking enough Ukrainian territory to lock it into a permanent war, Russia sought to prevent the country from being welcomed into the European Union or NATO...