PDF Summary: Sandworm, by Andy Greenberg
Below is a preview of the Shortform book summary of Sandworm by Andy Greenberg. Read the full comprehensive summary at Shortform.
1-Page PDF Summary of Sandworm
Andy Greenberg's Sandworm unravels the formidable cyber attacks orchestrated by the notorious hacker collective of the same name. With captivating detail, Greenberg illuminates Sandworm's transformation from a conventional spying group into a powerhouse of digital warfare, culminating in their catastrophic assault on Ukraine through the destructive NotPetya malware.
The book unveils Sandworm's systematic escalation of cyber offensives and Russia's broader strategy of integrating cyberwarfare into traditional military operations. Greenberg underscores the perils of these incursions, urging fortification of societal infrastructure and global cooperation to curb this emerging threat.
Greenberg recounts the rapid spread of the sophisticated NotPetya worm on June 27, 2017, which caused significant chaos and economic disruption. He opens the story with the origins of the conflict in Ukraine, illustrating how NotPetya infiltrated numerous systems, including banks, government offices, the agency responsible for cleaning up the radioactive remnants of Chernobyl, and the home computers of many Ukrainian citizens. The worm's global proliferation caused considerable upheaval across industries, affecting companies such as Maersk, Merck, FedEx, and Mondelez, which span shipping and logistics, pharmaceuticals, and the manufacture and distribution of goods.
Greenberg details the widespread consequences of NotPetya's spread: paralyzed port operations, disrupted merchandise distribution, halted drug production, grounded aircraft, delayed medical procedures, and destroyed data. He emphasizes that the attack caused significant financial losses and deep distress for those affected. The incident demonstrated the vulnerability of our interconnected world, in which a single advanced piece of malware can interfere with global trade, undermine the stability of the financial system, and disrupt the fundamentals of everyday life.
NotPetya's indiscriminate nature and global spread, despite initially targeting Ukraine, demonstrated the potential for cyberattacks to spiral out of control
Greenberg emphasizes NotPetya's indiscriminate choice of victims and its swift proliferation, pointing out a crucial aspect of digital conflict: the risk of unintended and uncontrolled escalation. Although initially launched through a compromised Ukrainian tax software program called M.E.Doc, NotPetya quickly escaped its intended target zone, wreaking havoc on countless organizations and individuals worldwide.
Greenberg posits that the collateral damage might have been deliberate: NotPetya not only caused destruction but also concealed Sandworm's earlier spying within the compromised networks, all while fostering an atmosphere of turmoil and dread. The assault demonstrated that in cyber conflict, tools designed for specific purposes can proliferate beyond their designated targets and lead to outcomes that surpass what their originators anticipated.
The lukewarm international response to NotPetya highlighted the difficulty in both deterring such actions and accurately identifying whether a state or non-state entity directed the cyberattacks.
Greenberg emphasizes the lack of significant global concern and the muted response to the NotPetya cyberattack, highlighting the challenges in identifying and deterring cyber intrusions backed by national governments. For several months, despite compelling indications implicating Russia and its military intelligence division, the GRU, the United States and other Western nations remained silent. No official condemnation was issued, and no immediate retaliatory action was taken.
Greenberg emphasizes the apparent reluctance of the Trump administration to confront Russia, potentially due to ongoing controversies over Russian interference in the 2016 U.S. presidential election. The global response to NotPetya, according to his argument, underscored the lack of a unified and robust response to digital assaults carried out by state actors, potentially emboldening other nations to launch similar offensives, sending an unsettling message of permissiveness to Moscow.
Practical Tips
- You can enhance your personal cybersecurity by creating a robust backup strategy for your digital data. Considering the disruptions caused by cyberattacks, having multiple backups, including cloud storage and physical hard drives that are regularly updated, can mitigate the risk of losing important information in case of a malware attack similar to NotPetya.
- Strengthen your online passwords and update your devices to protect against cyber threats. Given the scale of the NotPetya attack, using a password manager to generate and store complex passwords, along with ensuring all your devices are up to date with the latest security patches, can reduce your vulnerability to similar cyberattacks.
- Educate yourself on the basics of cyber hygiene to prevent malware infections. Learning how to recognize phishing emails, avoiding clicking on suspicious links, and understanding the importance of not downloading attachments from unknown sources can act as a first line of defense against tactics used by groups like Sandworm.
The wider circumstances of the dispute include Russia's utilization of digital combat strategies in its conflict with Ukraine.
Greenberg delves into the wider strategic context that shaped the cyber offensives of Sandworm, considering the digital skirmishes with Ukraine as a reflection of the longstanding animosity between the two countries and as a representative example of Russia's comprehensive strategy that integrates traditional military operations, political subversion, deception, and cyber maneuvers to achieve its objectives.
Russia persistently strives to preserve its sway over Ukraine and to dissuade it from fostering ties with Western entities.
Greenberg outlines Moscow's unyielding efforts to extend its sway, underscoring its continuous attempts to dissuade its neighbor from aligning with Western coalitions. He recounts the extensive history of struggle and control, detailing the Holodomor—a man-made famine induced by Soviet policies in the 1930s that killed vast numbers of Ukrainians—the suppression of Ukraine's language and culture, and the disastrous nuclear accident at Chernobyl, all factors that have shaped Ukraine's strained relationship with its more powerful neighbor.
The book depicts the 2004 Orange Revolution and the 2014 Maidan Revolution as pivotal moments that propelled Ukraine on its journey toward self-governance and fostered its pursuit of establishing ties with Western institutions like the European Union and NATO. The Kremlin's resistance to these attempts to break free from its influence and corrupt practices culminated in Russia's annexation of Crimea in 2014 and its support for insurgents in Ukraine's southeast, sparking an enduring conflict.
The persistent struggle commenced with Russia asserting control over the Crimean Peninsula and aiding insurgents in Ukraine's eastern regions.
Greenberg underscores the critical juncture at which Russia's aggression intensified with its military actions in Crimea and its backing of separatists in eastern Ukraine, marking a shift to overt military antagonism and the beginning of a new phase of integrated warfare tactics that now included digital operations. Moscow's motives were economic and strategic: the desire to control Ukraine's energy resources, to maintain year-round access to ice-free ports, and to prevent Ukraine's NATO membership, which would reduce Russian influence in the region.
Russia has used a range of hybrid warfare tactics, including cyber operations, to destabilize and undermine Ukraine
Greenberg highlights the diverse tactics Russia has used in its multifaceted conflict in Ukraine. He details the blending of traditional military strategies with clandestine incursions by unmarked combatants, the use of disinformation to sow discord, and escalating cyberattacks aimed at critical infrastructure and state operations.
Greenberg suggests that this complex strategy reflects Russia's aim to undermine Ukraine's standing and exert influence through a range of tactics, while avoiding a full-scale military confrontation with Western troops. Greenberg underscores the effectiveness and covert nature of cyber tactics in mixed forms of conflict, highlighting their ability to cause significant disruption while preserving a level of uncertainty that makes it difficult to definitively attribute the actions to Russia, thus impeding a coordinated international response.
Russia's approach to cyber warfare has evolved from early distributed denial-of-service attacks to creating more sophisticated and destructive malware.
Greenberg charts the evolution of Russia's cyberwarfare strategies, tracing their development from basic distributed denial of service attacks to the deployment of sophisticated and harmful malware.
In the latter part of the 2000s and into the early 2010s, Russia began to more frequently employ cyber operations as a means to exert geopolitical influence, with a focus on neighboring nations like Estonia, Georgia, and Ukraine.
Greenberg emphasizes how Russia has strategically employed its cyber expertise to complement its geopolitical maneuvers, first evidenced by the cyberattacks on Estonia in 2007 and Georgia in 2008. Launched during times of political instability, these attacks, primarily DDoS campaigns designed to overwhelm websites with traffic, demonstrated Russia's determination to disrupt critical activities and sow chaos in adjacent countries. Greenberg suggests that these early incursions, while rudimentary relative to Sandworm's later activities, foreshadowed a significant shift in how the Russian military harnessed the internet for intelligence gathering and for creating disorder in pursuit of its strategic goals.
The Sandworm group's attacks, culminating in NotPetya, marked a new level of cyber aggression and showed Russia's willingness to cause widespread collateral damage
Greenberg depicts Sandworm's actions as an advance beyond Russia's earlier, less sophisticated cyber operations, particularly through its attacks on the Ukrainian electrical grid and its release of the NotPetya malware. The assault showcased not only a high level of technical expertise but also, more alarmingly, a readiness to inflict extensive collateral harm and disruption on parties beyond the main target, Ukraine.
He underscores that NotPetya was a carefully designed cyberweapon intended to inflict extensive damage, rather than an ordinary attack seeking a ransom. Greenberg suggests that the widespread dissemination might have been a calculated tactic to mask its Russian roots and hamper attribution, or it might simply have reflected indifference to the consequences. Whatever its initial purpose, the NotPetya incident underscored the significant progress in Russia's cyber conflict capabilities and its willingness to use them without restraint, potentially precipitating a global crisis or heightening the risk of military engagement.
The absence of a robust global reaction to Russia's cyber incursions in Ukraine
Greenberg underscores the haphazard and insufficient responses from Western countries to the cyber incursions by Russia in Ukraine, highlighting the danger of a weak deterrent and the possibility that such inaction may embolden Russia and other potential foes to launch more cyber attacks.
Western nations have been hesitant to impose significant consequences on Russia for its cyber intrusions in Ukraine, despite the substantial damage inflicted by the NotPetya attack.
Greenberg expresses his frustration with the tepid response from Western countries to Russia's cyberattacks on Ukraine, even though the NotPetya incident had significant repercussions. He emphasizes that while Western nations imposed sanctions on Russia for its military actions in Crimea and Donbas, they demonstrated significant reluctance to implement similar sanctions in response to its cyber operations.
Greenberg posits that the tepid reaction might stem from the difficulty in definitively pinpointing the individuals responsible for cyberattacks, coupled with a reluctance to escalate tensions with Russia. However, he argues that the lack of a strong and clear response sends a dangerous message, indicating to Russia and countries that support cyber attackers that they can continue their damaging online activities with little consequence.
The perception that they could operate with impunity may have encouraged Russia to continue and escalate its use of digital combat in achieving its strategic national goals.
Greenberg speculates that the tepid reaction of Western countries to Russia's digital intrusions in Ukraine might have emboldened the Kremlin to escalate and broaden its cyberwarfare strategies, which play a crucial role in its broader geopolitical strategy as outlined in the Gerasimov Doctrine. He suggests that in the absence of a coordinated international response, cyberattacks risk increasingly being seen as an acceptable element of state strategy, establishing a dangerous precedent that could prompt other nations with significant cyber capabilities to follow suit.
Practical Tips
- You can enhance your digital literacy to better understand the implications of cyber warfare. Start by taking free online courses on cybersecurity basics to recognize how cyber attacks are conducted and their potential impact on global politics. For example, websites like Coursera or edX offer courses that can help you grasp the fundamentals of cybersecurity, which will allow you to better understand the significance of cyber operations in international conflicts.
- Develop a habit of following and analyzing global cyber incidents to discern patterns and tactics. Use a news aggregator app to follow stories related to cyber warfare, and try to connect the dots between different events to see how they might influence geopolitical stability. This will give you a clearer picture of how cyber operations are used as a tool in international relations.
- Encourage discussions within your social circle about the importance of cybersecurity on a national level. Organize informal group chats or virtual meetups where you and your friends share articles and thoughts on recent cyber incidents and their broader implications. This can raise awareness and potentially influence public opinion on how nations should respond to cyber threats, thereby contributing to a more informed citizenry that understands the stakes of digital combat.
The global repercussions of state-sponsored cyber incursions and recommendations for reducing related hazards.
The work by Andy Greenberg underscores the necessity for developing more robust strategies to deter, identify, and recover from increasingly complex and harmful state-sponsored cyber incursions, underlining the broader consequences of Sandworm's operations.
Cyberattacks orchestrated by national governments can lead to increasingly severe damage across linked systems and infrastructure.
Greenberg emphasizes the growing potential for state-sponsored cyberattacks to cause cascading, uncontrolled damage across the interconnected systems and critical infrastructure upon which modern societies depend. NotPetya, he argues, underscored the fragility of our interconnected digital systems and showed how quickly an assault on cyberspace can lead to extensive turmoil.
Greenberg underscores the vulnerability of complex societies, like those found in the United States, which rely heavily on critical infrastructures such as energy grids, transportation networks, healthcare systems, and financial institutions. He warns that sophisticated cyberattacks could jeopardize these infrastructures, with consequences reaching far beyond the initial harm inflicted by an isolated incident.
Events such as NotPetya have highlighted the extensive impact that targeted cyberattacks can have due to the heavy dependence of contemporary societies on digital infrastructures.
Greenberg argues that events like NotPetya have exposed how societies that depend on digital systems are susceptible to unexpected consequences as cyberattacks intensify and exceed expected limits. The author highlights the vulnerability created by the intricate network of modern systems, including transportation and logistics, financial structures, and critical services, which can be exploited by opponents to cause disruptions with impacts that ripple far beyond their initial targets.
Advanced cyber intrusions have the potential to disrupt essential services such as power grids, transportation networks, and healthcare systems.
Greenberg underscores the vulnerability of essential systems to sophisticated cyberattacks that could cause significant disruption and catastrophic damage. He explores the dangers of intrusions into power networks, which could lead to extensive outages and the risk of sustained power loss over large regions. He further underscores the vulnerability of essential services including transit systems, oil pipelines, and water treatment systems, emphasizing that any interference with or damage to these systems could severely impact economic stability and public health and might result in fatalities.
International initiatives are underway to create agreements and standards that restrict cyberattacks targeting civilians.
The author delves into the complex realm of global diplomacy, aiming to establish common norms and frameworks for conduct in the digital domain, emphasizing the reduction of cyber assaults that jeopardize critical public utilities and infrastructure.
Suggestions have been made to create a cyber equivalent of the Geneva Convention, which would prohibit cyberattacks targeting critical infrastructure like hospitals and power grids.
Greenberg proposes the creation of an international pact similar to a digital Geneva Convention that would define clear global norms and legal frameworks to protect civilian infrastructure from cyber attacks. He proposes that an agreement could be established to forbid attacks on critical infrastructure, such as medical facilities, electricity networks, and mass transit systems, comparing it to existing international laws that protect non-combatants and civilians.
Attempts to convince nations like the United States to agree to substantial restrictions on their capabilities in conducting digital combat have encountered challenges.
Greenberg acknowledges the significant challenges associated with establishing meaningful international agreements on cyberwarfare. The United States is hesitant to give up its perceived edge in cyber capabilities, particularly when facing countries like Russia, which utilize these instruments with overt boldness.
In response to the escalating prevalence of cyber threats, it is critical to strengthen and integrate redundant systems within vital services and infrastructure.
Greenberg emphasizes the importance of fortifying essential services by enhancing their resilience and creating robust contingency plans, while also pursuing diplomatic efforts to diminish cyber aggression, to mitigate the impact of future digital intrusions.
Improving incident response capabilities is crucial, as are keeping non-digital records and decentralizing system components.
Greenberg suggests strengthening the resilience of critical services and infrastructure by maintaining analog backups for important systems, decentralizing tasks to reduce reliance on susceptible central points, and improving emergency response plans to minimize disruptions and expedite recovery following a digital attack.
The relentless pursuit of technological advancement and efficiency must be balanced against the imperative to strengthen security.
Greenberg recognizes the delicate balance needed between strong security measures and the persistent pursuit of progress and efficiency, especially within essential service industries. He emphasizes that while modern systems improve productivity and interconnectivity, they also inadvertently create new vulnerabilities that sophisticated cyber attackers can exploit. He concludes that the challenge is to find ways to establish a better balance, with the essential goal of developing infrastructure that is not only sturdier but also incorporates fail-safes, ensuring resilience when confronted with escalating cyberattacks launched by state actors.
Other Perspectives
- While international initiatives to restrict cyberattacks are important, they may be difficult to enforce due to the anonymous nature of the internet and the challenge of attributing attacks to specific nations.
- The suggestion of a cyber Geneva Convention is idealistic, as the unique and evolving nature of cyber warfare may make it difficult to establish and maintain clear and universally accepted norms.
- The effectiveness of redundant systems and non-digital records could be limited by the rapid pace of technological change and the increasing sophistication of cyber threats.
- Improving response capabilities to security incidents is important, but it may not be sufficient to keep pace with the increasing complexity and frequency of cyberattacks.
- The balance between technological advancement and security is not just a matter of protocol enhancement but also involves broader considerations such as privacy rights, economic costs, and the potential stifling of innovation.
- Convincing nations to agree to substantial restrictions on their cyber capabilities may not only face challenges due to strategic hesitance but also because of differing national interests and the potential for non-compliance by rogue states.
- The focus on cyberattacks by national governments may overshadow the significant threat posed by non-state actors, including terrorists, criminal organizations, and hacktivists.
- The emphasis on the vulnerability of digital infrastructures might underplay the resilience that has been built into many systems and the ongoing efforts to secure them against cyber threats.