Book: Sandworm
In Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, Andy Greenberg peels back the layers of one of the most terrifying and consequential cyber campaigns in history. With journalistic precision and gripping storytelling, Greenberg introduces readers to the murky world of cyberwarfare where lines blur between espionage, sabotage, and outright acts of war. This is not just a tech book; it’s a geopolitical thriller with real-world consequences.
Summary
Sandworm follows the story of a mysterious hacking group, dubbed “Sandworm” by analysts. It’s a meticulously reported investigation into how a shadowy group of state-backed hackers launched a silent war that reshaped the digital and geopolitical landscape. Greenberg doesn’t just outline what happened; he connects the dots to reveal a sobering global pattern of cyber aggression, one that began in Eastern Europe but soon engulfed the world.
The book focuses on “Sandworm,” the nickname given by cybersecurity researchers to a hacking group believed to be part of Russia’s GRU military intelligence agency, specifically Unit 74455, which was later formally indicted by the U.S. Department of Justice. This group is linked to some of the most brazen and destructive cyberattacks ever recorded.
Ukraine serves as the first major battleground in this hidden war. In 2015 and 2016, Sandworm conducted cyberattacks on Ukraine’s power grid, successfully turning off the lights for hundreds of thousands of citizens during the cold winter. These weren’t just experiments; they were proof-of-concept attacks on critical infrastructure that the world had never seen executed so cleanly before.
These attacks weren’t simply about disruption; they were about intimidation and destabilization, using Ukraine as a testing lab for techniques that could later be deployed globally.
NotPetya: The Most Devastating Malware in History
In June 2017, Sandworm unleashed NotPetya, a weaponized malware disguised as ransomware. Unlike traditional ransomware, NotPetya was designed for maximum destruction, not profit. It used EternalBlue (a leaked NSA exploit) to propagate rapidly across networks, reaching Ukrainian organizations through a popular accounting software package called MeDoc.
But the malware didn’t stop at Ukraine’s borders. Within hours, it had spread globally, crippling:
- Maersk (shipping giant)
- Merck (pharmaceuticals)
- FedEx’s TNT Express
- The Chernobyl radiation monitoring system
- Numerous banks, hospitals, and airports
The estimated financial cost? Over $10 billion in damages.
NotPetya revealed a terrifying new reality: cyberweapons can’t always be contained. The digital equivalent of a nuclear accident had occurred, and the world was woefully unprepared.
The book further explores how Sandworm evolved beyond Ukraine and NotPetya. Greenberg details their campaigns targeting:
- NATO and Western military networks
- French presidential election campaigns
- U.S. energy companies
- The 2018 Winter Olympics in Pyeongchang, where Sandworm attempted to sabotage the games’ infrastructure in retaliation for Russia’s doping ban
Each of these operations points to a disturbing strategic doctrine: cyberwarfare is not just about surveillance or data theft; it’s about causing real-world chaos and systemic failure.
One of the most compelling threads in Sandworm is the global effort to attribute and expose the group. Greenberg follows researchers at cybersecurity firms like Dragos, ESET, FireEye, and CrowdStrike, as well as U.S. and allied intelligence officials, who painstakingly pieced together evidence to link Sandworm’s activities to the GRU.
Their efforts culminated in a 2018 U.S. Department of Justice indictment of seven Russian military officers, naming names and detailing the attacks. Yet, despite the clarity of attribution, accountability remains elusive. The hackers remain in Russia, shielded by the state, and the threat continues to evolve.
Sandworm makes the case that we are already in the midst of a global cyberwar, one where the targets are civilian infrastructure, economies, and democratic institutions. And unlike traditional war, this one is fought in secrecy, in milliseconds, and often without a single shot fired.
Greenberg argues that Sandworm’s attacks signal a paradigm shift: cyberweapons are now part of national arsenals, and their deployment is no longer hypothetical. If left unchecked, the consequences could be far more devastating than most people realize.
Key Themes
1. The Blurring Line Between War and Code
Greenberg emphasizes how modern conflict has evolved. Military campaigns now begin not with tanks, but with keystrokes. Unlike traditional warfare, cyberattacks are invisible, deniable, and often untraceable. Yet their effects, crippled infrastructure, financial chaos, and political disruption, are tangible.
2. Global Collateral Damage
One of the most striking aspects of the book is how NotPetya, an attack initially aimed at Ukraine, spiraled out of control, affecting companies and governments worldwide. Major corporations like Maersk and FedEx suffered massive losses. The book forces readers to grapple with how interlinked and fragile the digital world has become.
3. The Ethics and Limits of Cyber Retaliation
Greenberg raises uncomfortable questions about deterrence, responsibility, and justice in the cyber realm. Should governments respond to cyberattacks with military force? Can a cyberattack ever be considered an act of war? These are issues international law is still grappling with, and Sandworm dives straight into the uncertainty.
While the technical details are carefully explained, Greenberg never forgets the human side of the story. He interviews the cybersecurity analysts, researchers, and intelligence agents who worked tirelessly to identify and contain the threat. Figures like Dragos founder Robert M. Lee and the researchers at ESET and FireEye come alive on the page as digital detectives trying to make sense of an unprecedented threat.
Andy Greenberg doesn’t just report on the facts; he contextualizes them within the broader landscape of cyber conflict. Sandworm is investigative journalism at its best: timely, compelling, and deeply disturbing. Whether you’re a cybersecurity professional or a curious reader trying to understand the hidden battles shaping our world, Sandworm is a must-read.