The Sandworm Campaign: A Case Study in Contemporary Cyber Conflict and Its Place in the Emerging Cybersecurity Canon
- Shaye Wirth
- May 25
- 6 min read
Updated: Sep 21
Amidst the chaos of finals week, I felt the liberating presence of another summer approaching, and I developed a keen desire to try something different.
For context, I had spent my past summer quite slothfully, following what I’d believed to be another endlessly long year of high school. Once I finally completed my first year of high school, my frequent behavior included reading endless bundles of historical fiction novels, but as the weeks of June and July rapidly flew by, I had a looming sense growing in my gut. I found it to be exceedingly boring.
That’s why, entering this summer, I was determined to devise a new plan for the following three months. After much consideration, I decided to pursue my childhood desire for reading—frequently pushed aside by extensive homework—for a new opportunity: starting a blog.
With future majors and decisions on the horizon, I had the desire to take some time to delve into the variety of my interests and gain insight on what these worlds are past the surface level.
I wanted to start my first few weeks of research through books, as the only books I had read in the past year were required English reading. So, after a few weeks of searching for books revolving around my passion for cyber-conflicts, I came across my first literary victim, Sandworm by Andy Greenberg, WIRED Senior Tech Writer.
I’d been drawn to Greenberg’s sophomore novel due to an activity from my cybersecurity class. We had a fictional mock trial concerning EternalBlue, an infamous computer exploit developed by the NSA, and the controversy concerning its creation.
My teacher had placed us accordingly into groups: the National Security Agency—otherwise known as the NSA—the Shadow Brokers hacking group, and state-sponsored Sandworm and Lazarus hacking groups.
Fortunately for me, I had the sheer luck to be placed in the NSA group, meaning that I would have to defend my creation: not only hiding a zero-day vulnerability—a security vulnerability unknown to the developers of a system—from Microsoft, but also creating a tool targeting the vulnerability that would later be utilized by Sandworm and Lazarus to exploit various pieces of digital infrastructure with cyberweapons such as NotPetya and WannaCry, leading to some of the most expensive cyberattacks in history and affecting over 150 countries with ransomware and wiper malware.
That being said, despite my assigned role being the easiest for the group and jury to blame, I found it to be an amusing activity, especially as I found the scenario fascinating. It introduced me to the coming reality in which numerous countries and their cyber advancements provoke tension and cooperation to a greater extent than ever before.
Therefore, I’d entered the summer feeling confident in my choice to continue searching for more material revolving around international cybercrime in none other than Sandworm.
Initial Thoughts of Sandworm
My initial impressions of the novel were similar to what I had expected. Greenberg does a marvelous job reeling in his audience through frequent descriptive environments—attributable to his successful career in journalism and writing—and opens the plot in the iSight Partners firm in Washington, D.C., introducing a set of characters.
As a novice student in the field of cybersecurity, I was apprehensive about Greenberg’s ability to educate even the least knowledgeable of audiences amid a wide array of technical terms, but I was pleasantly surprised to see my concerns proven untrue. Furthermore, Greenberg's skill was especially vital in introducing one of the key components emphasized in the following chapters, BlackEnergy.
The third chapter delves into Jon Robinson's examination of a malware-infected PowerPoint presentation featuring a Ukrainian flag and a list of Russian terrorists. Through his investigation of the code, he finds BlackEnergy—a known malware variant—in the PowerPoint presentation, which soon leads to Greenberg’s initial call to action, where Robinson’s coworkers and cyber-researchers set off to investigate the exploitation style of a newly discovered hacking group.
Robinson discovers that the group's additional malware variants all included campaign codes, such as BasharofTheSardaukars, SalusaSecundus2, and Arrakis02, all relating to the 1984 production of Dune.
Consequently, the group was given an appropriate name, Sandworm, named after the creature that inhabits the fictional world’s planet of Arrakis.
As the chapters progressed, I found myself intrigued by Greenberg’s capability of meticulously crafting the multiple perspectives of researchers, such as Kyle Wilhoit and Oleksii Yasinsky, whose expertise contributes to the discovery of nation-state cyber warfare.
Moreover, Greenberg begins to construct a central idea throughout the critical events and findings listed in the novel: the introduction of a new cyber-era, one in which hackers are capable of breaking into industrial control systems and in which the acts of these hackers are not only forms of espionage but also ways to impact civilian infrastructure and life.
Additionally, it's critical to note that the seventh through fourteenth chapters are utilized as guides not only to highlight the long-established geopolitical tensions between Russia and Ukraine—covering events such as the Holodomor and the Orange Revolution—but also to illustrate stories concerning the development of additional industrial-control system malware, such as Stuxnet and the Aurora Project.
As a reader, I felt that the primary objective of these chapters was to understand one principle that Greenberg had made clear: Russia’s desperation to limit its neighbors' association with NATO and its desire to hold them in a state of constant war, evidently seen in the current Russo-Ukrainian conflict.
After much of the novel’s contents covered events delving further into additional Eastern European cyberattacks, such as the 2007 Estonian DDoS attacks, I was pleasantly surprised to have reached the section I had long awaited: the chapters covering the critical events surrounding the NSA’s EternalBlue and Benjamin Delpy’s Mimikatz.
These developments led to the creation of exploits such as WannaCry and NotPetya, which are noted to have caused tens of billions of U.S. dollars in damage, affecting multinational companies and corporations such as Maersk, TNT Express, and Mondelez. Additionally, Greenberg emphasizes NotPetya as a periodic climax point, where he explains how EternalBlue’s developments in exploiting Server Message Block and Mimikatz’s developments in exploiting Microsoft’s vulnerable WDigest feature collectively led to a creation making up a “powerful, incendiary chemical reaction” (Greenberg 178), which would end in even greater, unpredicted, and unforeseen harm to not just governments, but civilians.
One of the more intriguing aspects of the book, from my perspective, was the novel’s thorough depiction of each malware’s purpose and effect, whether political or economic, which frequently showcased the immense interconnection of economic, logistical, and political entities across the globe. From the Georgian blackouts to the fallout for logistical companies such as Maersk, leading to disruptions in cargo operations in seventeen ports worldwide following the NotPetya cyberattacks, my curiosity about the web of intricate relations in international development had grown even greater.
The novel’s final chapters return to Sandworm’s developments with a new objective: to confirm the group's identity and association with the GRU, the Russian military intelligence agency. By this point in Sandworm, Greenberg has addressed much of the group’s contributions to worldwide exploitation and offense, but by chapter thirty, he seeks to reflect on the lack of clarity in its identity as an entity.
The possibilities seem endless. Are they assigned to Unit 74455 or 26165, do they work at 22 Kirova Street, and are they separate from Fancy Bear—the notorious Russian group responsible for hacking the 2016 U.S. elections?
While some of the novel’s answers remain ambiguous, readers are provided with a greater sense of clarity and possibility in comparison to the start of the novel, revisiting iSight Partners’ morning discovery of the PowerPoint.
In the concluding pages of the novel, Greenberg instills one final, impactful narrative about the coming era of cyberwar through an interview with John Hultquist, in which he states, “The reason why you carry out terrorism is to rarely kill those particular victims [...] it’s about scaring people so they lose the will to fight” (Greenberg 283). This concept can be directly related to Russia’s actions towards Ukraine throughout the past decade. Sandworm did not conduct two Ukrainian blackouts to initiate a mass murder but to demonstrate their capability to control fundamental industrial power grids in the country and, therefore, to demonstrate their supremacy.
End of Post One, Start of a Journey
Reading my first of many cyber-related novels was a cherished experience. I had started Sandworm in a timid state, unsure if my premature relationship with cybersecurity and international relations would carry me through incomprehensible technical terms and never-ending non-fiction chapters that I was unfamiliar with. Despite my initial concerns, I’m grateful that my hours of research on related books led me to this particular one, as Greenberg has now unknowingly convinced me to further pursue this passion of mine, setting in motion an adventure of my own in blogging to come.
Bibliography
Greenberg, Andy. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Doubleday, 2019.