Kindle Notes & Highlights
Read between August 1 - August 3, 2021
For decades, the Cassandras of internet security warned us this was coming. They cautioned that hackers would soon make the leap beyond mere crime or even state-sponsored espionage and begin to exploit vulnerabilities in the digitized, critical infrastructure of the modern world. In 2007, when Russian hackers bombarded Estonia with cyberattacks that tore practically every website in the country off-line, that blitz hinted at the potential scale of geopolitically motivated hacking.
It showed that tools of cyberwar could reach out beyond the merely digital, into even the most closely guarded and sensitive components of the physical world.
Starting in 2015, waves of vicious cyberattacks had begun to strike Ukraine’s government, media, and transportation. They culminated in the first known blackouts ever caused by hackers, attacks that turned off power for hundreds of thousands of civilians.
a group known as Sandworm.
Finally, on that fateful day in late June 2017, the group would unleash the world-shaking worm known as NotPetya, now considered the most devastating and costly malware in history.
The digital attacks first demonstrated in Ukraine hint at a dystopia on the horizon, one where hackers induce blackouts that last days, weeks, or even longer—intentionally inflicted deprivations of electricity that could mirror the American tragedy of Puerto Rico after Hurricane Maria, causing vast economic harm and even loss of life.
This book tells the story of Sandworm, the clearest example yet of the rogue actors advancing that cyberwar dystopia. It follows the years-long work of the detectives tracking those hackers—as Sandworm’s fingerprints appeared on one digital disaster scene after another—to identify and locate them, and to call attention to the danger the group represented in the desperate hope that it could be stopped.
The clocks read zero when the lights went out. It was a Saturday night in December 2016, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kyiv apartment. The forty-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone’s film Snowden when their building abruptly lost power.
Yasinsky, a chief forensic analyst at a Kyiv cybersecurity firm, didn’t laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight.
A zero day, in hacker jargon, is a secret security flaw in software, one that the company that created and maintains the software’s code doesn’t know about.
powerful zero day, particularly one that allows a hacker to break out of the confines of the software application where the bug is found and begin to execute their own code on a target computer, can serve as a kind of global skeleton key—a free pass to gain entrance to any machine that runs that vulnerable software, anywhere in the world where the victim is connected to the internet.
Microsoft needed to be warned of its flaw immediately. But in a more self-interested sense, discovering a zero day represented a milestone for a small firm like iSight hoping to win glory and woo customers in the budding security subindustry of “threat intelligence.”
As soon as Hultquist read the email about the malware sample pulled from Ukraine, he burst out of his office and into the bull pen, briefing the room and assigning tasks to triage what would become, unbeknownst then to any of them, one of the biggest finds in the small company’s history.
had exploited this zero day had deeply studied one feature that allowed anyone to place an information “object” inside a presentation, like a chart or video pulled from elsewhere in the PowerPoint file’s own bundle of data, or even from a remote computer over the internet.
The second took advantage of PowerPoint’s animation feature: PowerPoint’s animations don’t merely allow speakers to bore audiences with moving text and cartoons but actually execute commands on the computer on which the presentation is running.
it would run an automated script that right-clicked on the first file the presentation had planted on the machine and clicked “install” on the resulting drop-down menu, giving that code a foothold on the computer without tipping off its user.
Once iSight’s initial frenzy surrounding its zero-day discovery had subsided, the questions remained: Who had written the attack code? Whom were they targeting with it, and why?
The actual presentation itself seemed to be a list of names written in Cyrillic characters over a blue-and-yellow Ukrainian flag, with a watermark of the Ukrainian coat of arms, a pale blue trident over a yellow shield. Those names, Robinson found after using Google Translate, were a list of supposed “terrorists”—those who sided with Russia in the Ukrainian conflict that had begun earlier that year when Russian troops invaded the east of the country and its Crimean peninsula, igniting separatist movements there and sparking an ongoing war.
That the hackers had chosen an anti-Russian message to carry their zero-day infection was Robinson’s first clue that the email was likely a Russian operation with Ukrainian targets, playing on the country’s patriotism and fears of internal Kremlin sympathizers.
When the PowerPoint zero day executed, the file it dropped on a victim’s system turned out to be a variant of a piece of notorious malware, soon to become far more notorious still. It was called BlackEnergy.
The tool had originally been created by a Russian hacker named Dmytro Oleksiuk, also known by his handle, Cr4sh. Around 2007, Oleksiuk had sold BlackEnergy on Russian-language hacker forums, priced at around $40, with his handle emblazoned like a graffiti tag in a corner of its control panel.
The tool was designed for one express purpose: so-called distributed denial-of-service, or DDoS, attacks designed to flood websites with fraudulent requests for information from hundreds or thousands of computers simultaneously, knocking them off-line.
Infect a victim machine with BlackEnergy, and it became a member of a so-called botnet, a collection o...
By late 2007, the security firm Arbor Networks counted more than thirty botnets built with BlackEnergy, mostly aiming their attacks at Russian websites.
But on the spectrum of cyberattack sophistication, distributed denial-of-service attacks were largely crude and blunt. After all, they could cause costly downtime but not the serious data breaches inflicted by more penetrating hacking techniques.
In the years that followed, however, BlackEnergy had evolved. Security firms began to detect a new version of the software, now equipped with...
The ruse seemed politically targeted. From his first look at the Ukrainian BlackEnergy sample, he began to suspect he was looking at a variant of the code with a new goal: not mere crime, but espionage.
it tried to connect out over the internet to an IP address somewhere in Europe. That IP address belonged to a so-called command-and-control server that functioned as the program’s remote puppet master. And when Robinson reached out himself via his web browser to that faraway machine, he was amazed to see that it had been left entirely unsecured. Anyone could browse its files at will.
The zero-day-delivered version of BlackEnergy had a far broader array of data-collection abilities than the usual sample of the malware found in cybercrime investigations. The program could take screenshots, extract files and encryption keys from victim machines, and record keystrokes, all hallmarks of targeted, thorough cyberspying rather than some profit-focused bank-fraud racket.
But even more important than the contents of that how-to file was the language it was written in: Russian.
But by identifying the unsecured command-and-control server, Robinson had broken through iSight’s BlackEnergy mystery with a rare identifying detail.
As Robinson would painstakingly learn over the next days of solid, brain-numbing work, it had been thoroughly scrambled with three alternating layers of compression and encryption.
the key to each layer of that scrambling could only be found after decoding the layer on top of it.
And even after guessing the compression algorithm the hackers had used by scanning the random-looking noise for recognizable patterns, Robinson spent days longer working to identify the encryption scheme they’d used, a unique modification of an existing system.
As he fell deeper and deeper into that puzzle, he’d look up from his desk and find that hours had seemingly jumped forward. Even at home, he’d find himself standing fixated in the sho...
When Robinson finally cracked those layers of obfuscation after a week of trial and error, he was rewarded with a view of the BlackEnergy...
This was, after all, the program in its compiled form, translated into machine-readable binary rather than any hum...
To understand the binary, Robinson would have to watch it execute step-by-step on his computer, unraveling it in real time with a common reverse-engineering tool called IDA Pro that translated the ...
By the second week, however, that microscopic step-by-step analysis of the binary finally began to pay off.
And for the BlackEnergy sample dropped by their Ukrainian PowerPoint, that campaign code was one that he immediately recognized, not from his career as a malware analyst, but from his private life as a science fiction nerd: “arrakis02.”
In fact, for Robinson, or virtually any other sci-fi-literate geek, the word “Arrakis” is more than recognizable: It’s as familiar as Tatooine or Middle-earth, the setting of a central pillar of the cultural canon. Arrakis is the desert planet where the novel Dune, the 1965 epic by Frank Herbert, takes place.
The story of Dune is set in a world where Earth has long ago been ravaged by a global nuclear war against art...
After the Atreides are overthrown, the book’s adolescent hero Paul Atreides takes refuge in the planet’s vast desert, where thousand-foot-long sandworms roam underground, occasionally rising to the surface to consume everything in their path.
As he grows up, Atreides learns the ways of Arrakis’s natives, known as the Fremen, including the ability to harness and ride the sandworms. Eventually, he leads a spartan guerrilla uprising, and riding on the backs of sandworms into a devastating battle, he and the native Fremen take the capital city back from the Harkonnens, their insurgency ultimately seizing control of the entire global empire that had backed the Harkonnens’ coup.
When he found that arrakis02 campaign code, Robinson could sense he’d stumbled onto something more than a singular clue about the hackers who had chosen that name. He felt for the first time that he was seeing into their minds and imaginations. In fact, he began to wonder if it might serve as a kind of fingerprint. Perhaps he could match it to other crime scenes.
Owned by Google’s parent company, Alphabet, VirusTotal allows any security researcher who’s testing a piece of malware to upload it and check it against dozens of commercial antivirus products—a quick and rough method to see if other security firms have detected the code elsewhere and what they might know about it.
As a result, VirusTotal has assembled a massive collection of in-the-wild code samples amassed over more than a decade that researchers can pay to access. Robinson began to run a series of scans of those malware records, searching for similar snippets of code in what he’d unpacked from his BlackEnergy sample to match earlier code samples in iSight’s or VirusTotal’s catalog.
When Robinson dug up its campaign code, he found what he was looking for: houseatreides94, another unmistakable Dune reference. This time the BlackEnergy sample had been hidden in a Word document, a discussion of oil and gas prices apparently designed as a lure for a Polish energy company.
For the next few weeks, Robinson continued to scour his archive of malicious programs. He eventually wrote his own tools that could scan for the malware matches, automate the process of unlocking the files’ layers of obfuscating encryption, and then pull out the campaign code.
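The two passages above (the nested layers whose key is only revealed after the layer on top of it has been decoded, and the tooling Robinson wrote to unpack samples in bulk and pull out the campaign code) describe a workflow rather than show it. The block below is an added example written for this page; it is not the book's, iSight's, or BlackEnergy's code, and BlackEnergy's real packing scheme is not reproduced here. Everything about the format is an assumption chosen for illustration: a `LAYR` magic marker, a 4-byte XOR key stored in the header of each layer, zlib as the compression step, and a `campaign=` field in the innermost plaintext. The samples are constructed inline.

```python
"""Toy nested-layer unpacker: peel alternating compress+XOR layers until the
inner plaintext is reached, then pull out a campaign code and group samples by it.

The layer format, key placement and 'campaign=' field are ASSUMPTIONS made for
this example; they are not BlackEnergy's actual scheme.
"""
import re
import zlib

MAGIC = b"LAYR"      # assumed per-layer marker
KEY_LEN = 4          # assumed per-layer XOR key length
MAX_LAYERS = 8       # guard against a blob that keeps "unpacking" forever


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both wraps and unwraps."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_layer(payload: bytes, key: bytes) -> bytes:
    """One layer: MAGIC | key | xor(zlib(payload), key).
    The key for THIS layer sits in its own header, so it only becomes visible
    once the layer wrapped around it has been removed."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return MAGIC + key + xor_bytes(zlib.compress(payload), key)


def build_sample(campaign_code: bytes, keys: list) -> bytes:
    """Constructed test sample: a fake config wrapped in len(keys) layers."""
    blob = b"TOY_CFG;campaign=" + campaign_code + b";c2=192.0.2.10"  # constructed
    for key in keys:
        blob = wrap_layer(blob, key)
    return blob


def peel_layer(blob: bytes):
    """Remove one layer, or return None if this is not a packed layer."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + KEY_LEN + 1:
        return None
    key = blob[len(MAGIC):len(MAGIC) + KEY_LEN]
    body = xor_bytes(blob[len(MAGIC) + KEY_LEN:], key)
    if body[:1] != b"\x78":          # zlib streams start with 0x78: the
        return None                  # "recognizable pattern" check
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def unpack(blob: bytes):
    """Peel layers until a non-layer is reached. Returns (plaintext, layer_count)."""
    layers = 0
    while True:
        inner = peel_layer(blob)
        if inner is None:
            return blob, layers
        layers += 1
        if layers > MAX_LAYERS:
            raise ValueError("too many layers; refusing to continue")
        blob = inner


CAMPAIGN_RE = re.compile(rb"campaign=([A-Za-z0-9]+)")   # assumed field syntax


def extract_campaign_code(plaintext: bytes):
    m = CAMPAIGN_RE.search(plaintext)
    return m.group(1).decode("ascii") if m else None


def analyze(blob: bytes):
    """Unpack a sample and return (campaign_code_or_None, layers_removed)."""
    plain, n = unpack(blob)
    return extract_campaign_code(plain), n


def scan_archive(samples: dict) -> dict:
    """Run analyze() over {name: blob} and group sample names by campaign code."""
    hits = {}
    for name, blob in samples.items():
        code, _ = analyze(blob)
        if code is not None:
            hits.setdefault(code, []).append(name)
    return hits


# Constructed archive of three samples; two share a campaign code.
ARCHIVE = {
    "ppt_dropper.bin": build_sample(b"arrakis02", [b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd", b"k3y!"]),
    "doc_lure.bin": build_sample(b"houseatreides94", [b"abcd", b"wxyz"]),
    "ppt_dropper_v2.bin": build_sample(b"arrakis02", [b"QQQQ"]),
    "unrelated.bin": b"not a packed sample at all",
}

if __name__ == "__main__":
    for code, names in scan_archive(ARCHIVE).items():
        print(code, "->", ", ".join(names))
```

The point of the structure is that `peel_layer` never needs outside knowledge: each pass recovers the next key from what it just decoded, which is exactly why the layers have to be removed in order. The `0x78` check stands in for guessing the compression algorithm from recognizable byte patterns; in practice that guess is made by hand before any tooling like this can be written. `MAX_LAYERS` is a safety stop for hostile input that could otherwise keep an analyst's tool looping.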
His collection of samples slowly began to grow: BasharoftheSardaukars, SalusaSecundus2, epsiloneridani0, as if the hackers were trying to impress him with their incr...