Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
In a nod to irony, it was a non-malware virus that kept me from reading Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. By virtue of podcast Darknet Diaries, I put in a library request for the book in early 2020. When I received notice on an unremarkable Thursday morning that it was available for pick-up, I decided to wait until the next afternoon to grab it; I hadn’t yet finished Memory Police, so delaying the library-loan period by an extra day might be the difference between returning Sandworm late or not.
Fatefully, the San Francisco Public Library would not open that Friday morning. In fact, it would not open again for 8 months, another societal casualty of the Covid-19 global pandemic. By the time I got my hands on the copy of Sandworm sitting on the loan shelves, the world would be different. SolarWinds would be the hack du jour; I would have a four-month-old daughter. Sandworm would remain relevant, and a compelling read. [Between writing this review and editing it, the freshest of the Industrial Hacks was at water treatment plant. Hacking waits for no one.]
The structure of the book pleases me greatly. It’s like a heist movie, where the cold open shows you the big score and then narrative builds back to that moment via various team-assembling vignettes. Sandworm was the name given to the mysterious hacker or hackers or nation-state collective that seemed to be the source of a number of cyberattacks.
The tools used in those attacks—each individual piece of malware—was like it’s own colorful character:
NotPetya was also distinguished from its Petya namesake by another feature: It was honed for maximum virulence. The worm used both Mimikatz and EternalBlue in tandem. For the researchers pulling its code apart, exactly how the code was gaining its initial foothold on computer networks was, at first, a mystery. But once it had that first infection, they could see that Mimikatz acted as its primary tool of expansion. Sucking passwords out of computers’ memories, it instantly hopscotched from machine to machine, using common Windows management tools that give administrators free rein to access other computers on the network if they possess the right credentials--the inmates-running-the-prison case Yasinsky discovered at Oschadbank.
But the NSA’s EternalBlue code leaked by the Shadow Brokers—along with another tool called EternalRomance for older versions of Windows—provided an extra, explosive catalyst.
The book brings you through the origins of most of the major bits: We see EternalBlue, we see NotPetya, and of course Mimikatz. If you were sticking with the film conventions, it isn’t that hard to map out who would be the demolitions expert, who the contortionist, who the con artist. And instead of a casino or bank vault, the squad infiltrates the power grid. Which is actually pretty terrifying.
There is another heist story that comes to mind, and is even obliquely referenced in the above quote. Another hacker collective, “The Shadow Brokers,” are cited:
...even the name “the Shadow Brokers”—apparently a reference to a character from the video game Mass Effect—seemed more like the work of bored teenagers than the likes of a state-sponsored group such as Sandworm[…] or even Fancy Bear.
Mass Effect 2 follows the structure that makes a heist story great: build a team; run an impossible mission. That same structure I enjoy so much in this book; you get the backstory of all the different malware hacking tools, and then they get stuffed together into “the big job,” probably run by the group called Sandworm. For me, the name “Sandworm” makes me think of Beetlejuice before anything else, but Sandworm was so-named because the hacker group left traces—digital fingerprints—that referenced the Frank Herbert monolith Dune.
Now, I may not have read Dune, but to look askance at Mass Effect—“apparently a reference from a video game”—while acting like a sandworm reference is high culture is a little short-sighted, no? It’s just a little glib, is all, to act like Sandworm is definitely this cool thing but apparently Shadow Brokers is “from some nerd game, I dunno, I guess that means the teens are at it again.”
Nested within that quote is another hacker team name, Fancy Bear, which has come up again recently because of the SolarWinds hack.
Based on past years of detective work, CrowdStrike tied Fancy Bear to the Russian military intelligence agency known as th GRU. Cozy Bear, it would later be revealed, worked within Russia’s SVR foreign intelligence agency. (The two “bear” names derived from CrowdStrike’s system of labeling hacker teams with different animals based on their country of origin—bears for Russia, pandas for China, tigers for India, and so on.)
These are cool little facts that add depth to general interest readers. Cybersecurity people would know this naming convention, but I definitely didn’t. It’s a nice peek behind the curtain, and something I appreciate being explained; a lot of books that focus only on their core demographic might elide this part to make sure they don’t bore or insult their intended audience.
I think Sandworm, the book, is going to get more and more relevant to everyday life. Sandworm, the group, might too. Get a strong foundation in a really appealing format now, before it becomes a requirement to understand what is going on in the world. The best day to learn about InfoSec is today; the second best is tomorrow.