Readings 2020: Andy Greenberg (2019). Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

In 2020 I committed to writing short thoughts on my readings.

Today, it’s “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers” (2019) by Andy Greenberg, a writer for Wired and one of the most respected journalists covering information security.

Update 28. August 2020: the full academic review can be found here.


Sandworm aims to tell the story of “Russia’s reckless willingness to wage this new form of cyberwar” and of a global arms race that “the United States and the West have […] directly accelerated with our own headlong embrace of digital attack tools.” (p. xiii). It tells this story in six parts (emergence, origins, evolution, apotheosis, identity, and lessons) and forty-two chapters. Its title, Sandworm, derives from the name chosen by one of the main actors in the book given to the threat actor of interest. It derives from an early campaign that used references to the classic science fiction novel the Dune (by Frank Herbert). Greenberg nods to it by introducing the six parts with epigraphs from the novel.

In just under 350 pages, Sandworm takes us on a ride throughout the recent history of cyber insecurity. We learn of Ukraine’s history, the history of cyber conflict, and the evolving adaptation towards bridging the cyber-physical boundary. We rewitness the costliest cyber incident in history, NotPetya, through the eyes of Ukraine, of a large shipping company, and of the American healthcare sector, and retrace the identity of the attackers by following the (sometimes competing) analysis of cybersecurity analysts from across the world. Greenberg is at his best when he merges the personal life stories with information security inside-baseball, paying close attention to technical details that only were able to emerge from days or weeks worth of analysis. Also, the detailed stories from the point of view of the victims of cyber conflict, often told with access to sources from victim organisations, make the real-life impact of cyber conflict come to life for the reader. Finally, Greenberg managed to have some of his sources to speak to him frankly about issues of national security policy in an honesty rarely seen on the record. This in itself makes the book a worthwhile read.

There are, however, points where I would offer academic critique (though it may be unfair to judge the book by standards it does not claim to adhere to), including its treatment of history, use of research methods, and the use of problematic analogies and narratives.

One issue concerns the engagement with history. The book retells a history of the last millennium in Ukraine and represents it “as the point where the bloodiest edges of two continents meet” (p.35). Apart from the claim about the bloodiest edges, it remains unclear why we need to engage in a millennium of history to understand Sandworm. The same criticism could be levied against the chapters on Moonlight Maze and Estonia, particularly as the book does not further discuss them later.

However, a more surprising omission were the Gas disputes between Ukraine and Russia in recent history. For a book dealing with the interference of Russia in Ukrainian energy systems, that omission is curious, in particular as one would have thought the turning off of the gas supply for a few days (e.g. in 2006), the 2015 Ukrainian defaulting of a Russian loan, again connected to a gas deal, as well as the 2015 changed IMF policy to allow new loans to Ukraine, may explain the energy grid shut-downs better than a detailed discussion of the Soviet policy on the Holodomor (on 2015 IMF loan see BAH report, pp. 17-18).

Another issue has to do with research methods, and it is in this issue where the author diverges from academic practice: In chapter 38, the author tells us of a trip he took to St. Petersburg, where he would “ask any Russian hacker with whom I could start a conversation about a topic that was perhaps the event’s worst possible icebreaker: their country’s intelligence services” (p.271). We read this just pages after having detailed the GRU’s lethal measures taken against leakers and the author reflecting on them with the insight that “If I was going to learn more about the same institution today, it wouldn’t be by reading tell-all books. It would be by piecing together hints and glimpses of the truth, to find my own path in the dark” (p.234). The practice of showing up and point-blank asking about intelligence services would not have passed a research ethics board, and, in my opinion, for good reason.

A final issue is that the book, at times, uses problematic analogies and narratives. Some examples: the book does not challenge the “Ukraine as a testbed” narrative, despite showing the massive consequences for Ukrainian society. I would have expected at least a critical comment from an author so attuned to local conditions: there is a difference in saying Russia is “testing out red lines” (Rid on p.137) and “Russia is turning the country into a test lab” (International observers on p.137). The former may be strategically true, whilst the latter is belittling Ukraine as a country and adopts a quasi-imperial mindset. I would not be as sure that the people in Ukraine experienced the cyber-attacks as “tests” (another issue is whether it is framed that way to international interlocutors). An example of a bad analogy is the interpretation of the shadowbrokers statement about WWIII, representing the leaked NSA material as the digital equivalent of a North Korean nuclear missile able to strike the United States (p. 163); a final example would be characterizing VirusTotal as the “trash heap of the security industry”.

I would recommend the book for someone who is looking for some of the histories of information security – the insider story on the analysis of Sandworm is interesting and a fun read. For a broader geo-political analysis of what is going on, this is not your book.

PS: I aim to write an academic book review with Max Smeets on this. I will insert the link at the top of the page if it is published.


Now read this

On Export Controls of Surveillance Technologies

On 13. May 2015 Switzerland issued a regulation on the export of internet and mobile phone surveillance products. Export control regulations can be split into application (i.e. who has to apply for a license) and scope of control (i.e.... Continue →