Kindle Notes & Highlights
Read between August 1 - August 3, 2021
He was nonetheless frustrated to find that after the initial hype around iSight’s discovery, his Sandworm-watchers club didn’t have many other members.
Thirteen days after Trend Micro had released its findings on Sandworm’s connection to industrial control system attacks, the division of the Department of Homeland Security known as the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, released its own report.
ICS-CERT acts as a specialized infrastructure-focused government cybersecurity watchdog tasked with warning Americans about impending digital security threats. It had deep ties with U.S. utilities like power and water suppliers. And now, perhaps triggered by iSight and Trend Micro’s research, it was confirming Hultquist’s worst fears about Sandworm’s reach.
Sandworm, according to the ICS-CERT report, had built tools for hacking not only the GE Cimplicity human-machine interfaces Trend Micro had noted but also similar software sold by two o...
This highlight has been truncated due to consecutive passage length restrictions.
And the hackers had successfully penetrated multiple critical infrastructure targets, though none were named in the document. As far as ICS-CERT could tell, the operations had only reached the stage of reconnaissance, not actual sabotage.
Some of Sandworm’s intrusions had occurred at infrastructure targets that weren’t just Ukrainian or Polish. They were American.
“We’d detected a group on the other side of the world carrying out espionage. We’d pored over its artifacts. And we’d found it was a threat to the United States.”
When iSight looked for the servers connected with the malware again after all of the public reports, the computers had been pulled off-line.
The company would find one more BlackEnergy sample in early 2015 that seemed to have been created by the same authors, this time without any Dune references in its campaign codes. It would never find that sort of obvious, human fingerprint again; the group had learned from the mistake of revealing its sci-fi preferences.
Sandworm had gone back underground. It wouldn’t surface again for another year. When it did, it would no longer be focused on reconna...
two of StarLight’s servers had inexplicably gone off-line. The admin assured Yasinsky that it wasn’t an emergency. The machines had already been restored from backups.
But as Yasinsky quizzed his colleague further about the server outage, one fact immediately made him feel uneasy. The two machines had gone dark at almost the same minute. “One server going down, it happens,” Yasinsky thought. “But two servers at the same time? That’s suspicious.”
Resigned to a lost weekend, he left his apartment and began his commute to StarLight’s offices, descending the endless escalator that leads into Kyiv’s metro, one of the deepest in the world and designed during the Cold ...
Inside, he and the company’s IT administrators began examining the image they’d kept of one of the corrupted servers, a digital replica of all its data.
Yasinsky’s hunch that the outage was no accident was immediately confirmed. The server’s master boot record—the deep-seated, reptile-brain portion of a computer’s hard drive that tells the machine where to find its own operating system—had been precisely overwritten with zeros.
They were domain controllers, computers with powerful privileges that could be used to reach into hundreds of other m...
Before they had been wiped, the pair of corrupted servers had themselves planted malware on the laptops of thirteen StarLight employees.
The staffers had been preparing a morning TV news bulletin ahead of Kyiv’s local elections when they suddenly found that their computers had been turned into black-screened, useless bricks. The infection had triggered the same boot-record overwrite technique on each of their hard drives.
They’d actually been set to infect and destroy two hundred more of the company’s PCs. Someone had carefully planted a logic bomb at the heart of the media firm’s network, designed to cause it as much disruption as possible.
Yasinsky managed to pull a copy of the destructive program from the backups, and that night, back at home in the north of the city, he scrutinized its code.
He was struck by the layers of obfuscation; the malware had evaded all antivirus scans. It had even impersonated an antivirus scanner...
After his family had gone to sleep, Yasinsky printed the code and laid the papers across his kitchen table and floor, crossing out lines of camouflaging characters and highl...
Yasinsky had been working in information security for twenty years. After a stint in the army, he’d spent thirteen years as an IT security analyst for Kyivstar...
As a security researcher, Yasinsky had long prided himself on a dispassionate and scientific approach to the problems of information security, drilling into the practical details of digital defense rather than obsessing over the psychology of his adversary.
Oleksii Yasinsky had understood intuitively from childhood that the digital was no less real than the physical—that life and death could depend as easily on one as on the other.
He remembers no politics ever being discussed at home, with the exception of a few whispers from his parents in the kitchen about a visit his great-grandparents had received from the secret police, a conversation quickly cut short for fear of eavesdropping neighbors.
He spent hours painstakingly reading manuals he found photocopied at the local radio market, writing code in BASIC and later assembly, filling the screen with pixel art depictions of wire-frame spaceships.
The moment he believes turned his obsession with computers from a hobby to a career, however, was an act not of programming but of reverse engineering.
Simply by changing a few bytes in the code of a primitive shooter video game, he discovered he could endow his character w...
“I had turned the world upside down. I’d gone into the other side of the screen,” Yasinsky remembers.
It followed intuitively, for him, that if this power could change the digital world, it could control the physical universe, too. “I realized the world is not what we see,” he says. “It wasn’t about getting extra lives; it was about changing the world I’d found myself in.”
In the late 1980s, however, came Gorbachev’s policy of glasnost, or “openness,” and with it a fl...
For Yasinsky and his young teenage friends, the influx of global media took the form of Jean-Claude Van Dam...
After two years studying computer science at the Kyiv Polytechnic Institute, Yasinsky was drafted into the army. He describes the next year and a half as a long lesson in discipline, organization, self-confidence, and intensely rigorous drudgery.
“A soldier’s best friend is a shovel, and it’s good to be a soldier,” he remembers his superiors drumming into him. Aside from that bit of character building, he says that he learned nothing except how to properly make a bed.
that appealed to his sense of the hidden structure of the world and the levers that moved it: cybersecurity.
But when he graduated, he landed a job at Kyivstar, then Ukraine’s largest telecom provider. That job, he says, gave him his real education.
He also says that the job was his first experience learning to sift through massive data sets to fight intelligent, malicious adversaries. “It was like the Matrix,” he says. “You look at all these numbers and you can see real human behavior.”
he was tasked with tracking the hackers who sought to exploit Kyivstar’s systems. In the late 2000s, those hackers were transitioning from opportunistic criminal schemes to highly organized fraud operations.
Yasinsky found himself engaged in the same sort of reverse engineering that had captivated him as a teenager. But instead of taking apart the code of a mere video game, he was dissecting elaborate criminal intrusions, deconstructing malware to see the intentions of the devious parasites within Kyivstar’s network.
In cybersecurity, attackers have the advantage: There are always more points of ingress than defenders can protect, and a skilled hacker needs only one.
Then, not long before the outbreak of Ukraine’s war with Russia, Yasinsky took a position as chief information security officer at StarLightMedia.
For days, Yasinsky worked to determine the basic facts of the mysterious attack on StarLightMedia, reverse engineering the obfuscated code he’d pulled from the company’s backups, the digital IED that had nearly devastated its network.
known as KillDisk, a data-destroying tool that had been circulating among hackers for about a decade.*
Along with two colleagues, Yasinsky obsessively dug into the company’s network logs, combing them again and again, working through nights and weekends to parse the data with ever finer filters, hoping to extract clues.
The team began to find the telltale signs of the hackers’ presence—some compromised corporate YouTube accounts, an administrator’s network log-in that had remained active even when he was out sick.
Slowly, with a sinking dread, they found evidence showing that the intruders had been inside their network for weeks before...
Finally, they identified the piece of malware that had given the hackers their initial foothold, penetrating one of the staff’s PCs via an infected attachment: It was again a form of BlackEnergy, the same malware that iSight had tied to Sandworm a year earlier.
But now it had been reworked to evade detection by antivirus software and included new modules that allowed the hacker to spread to other machines on the same network and execute the KillDisk data wiper.
As he dug into the forensics of how his company had been sabotaged, Yasinsky began to hear from colleagues at other firms and in the government that they too had bee...