Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

By Andy Greenberg
Published by Doubleday, Nov. 5, 2019
ISBN: 978-0385544405

From Wired senior writer Andy Greenberg comes the true story of the most devastating cyberattack in history and the desperate hunt to identify and track the elite Russian agents behind it.


In 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses—from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage—the largest, most destructive cyberattack the world had ever seen.


The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: a group known as Sandworm. Working in the service of Russia’s military intelligence agency, they represent a persistent, highly skilled force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.


A chilling, globe-spanning detective story, Sandworm considers the danger this force poses to our national security and stability. As the Kremlin’s role in foreign government manipulation comes into greater focus, Sandworm exposes the realities not just of Russia’s global digital offensive, but of an era where warfare ceases to be waged on the battlefield. It reveals how the lines between digital and physical conflict, between wartime and peacetime, have begun to blur—with world-shaking implications.

(Please support your local book seller.)

About the Author

ANDY GREENBERG is a senior writer for WIRED magazine, where he covers security, privacy, information freedom, and hacker culture. He is the author of This Machine Kills Secrets, and in 2017 his WIRED cover story on Ukraine’s cyberwar won a Deadline Club Award from the New York Society of Professional Journalists. He lives in Brooklyn, New York, with his wife, documentary filmmaker Malika Zouhali-Worrall.


Related Articles

The Story of Sandworm, the Kremlin’s Most Dangerous Hackers: For three years, WIRED has tracked the elite and shadowy Russian vanguard of cyberwar.
WIRED, November 5, 2019
By Andy Greenberg

Over the last half decade, the world has witnessed a disturbing escalation in disruptive cyberattacks. In 2015 and 2016, hackers snuffed out the lights for hundreds of thousands of civilians in the first power outages ever triggered by digital sabotage. Then came the most expensive cyberattack in history, NotPetya, which inflicted more than $10 billion in global damage in 2017. Finally, the 2018 Olympics became the target of the most deceptive cyberattack ever seen, masked in layers of false flags.


In fact, those unprecedented events aren’t merely the recent history of cyberwarfare’s arms race. They’re all linked back to a single, highly dangerous group of hackers: Sandworm.


Since late 2016, I’ve been tracing the fingerprints of these Russian operatives from the US to Ukraine to Copenhagen to Korea to Moscow. The result is the book Sandworm, available Tuesday from Doubleday. But parts of that reporting have also been captured in a series of WIRED magazine features, which have charted the arc of Sandworm’s rise and catalogued some of its most brazen attacks. Here, together, are those three stories [SEE BELOW], from the first shots fired in Sandworm’s cyberwar against Ukraine, to the ballooning international toll of NotPetya, to the mysterious attack on the Pyeongchang Olympics, whose fingerprints ultimately led back to a tower looming over the Moscow canal.



WIRED Magazine Features
(Series of Three)

(1 of 3) How an Entire Nation Became Russia’s Test Lab for Cyberwar: Blackouts in Ukraine were just a trial run. Russian hackers are learning to sabotage infrastructure—and the US could be next.
WIRED, June 28, 2018
By Andy Greenberg

The clocks read zero when the lights went out.


It was a Saturday night last December, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kiev apartment. The 40-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone’s film Snowden when their building abruptly lost power.


“The hackers don’t want us to finish the movie,” Yasinsky’s wife joked. She was referring to an event that had occurred a year earlier, a cyberattack that had cut electricity to nearly a quarter-million Ukrainians two days before Christmas in 2015. Yasinsky, a chief forensic analyst at a Kiev digital security firm, didn’t laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight.



(2 of 3) The Untold Story of NotPetya, the Code that Crashed the World: Crippled ports. Paralyzed corporations. Frozen government agencies. Inside the most devastating cyberattack in history.
WIRED, August 22, 2018
By Andy Greenberg

It was a perfect sunny summer afternoon in Copenhagen when the world’s largest shipping conglomerate began to lose its mind.


The headquarters of A.P. Møller-Maersk sits beside the breezy, cobblestoned esplanade of Copenhagen’s harbor. A ship’s mast carrying the Danish flag is planted by the building’s northeastern corner, and six stories of blue-tinted windows look out over the water, facing a dock where the Danish royal family parks its yacht. In the building’s basement, employees can browse a corporate gift shop, stocked with Maersk-branded bags and ties, and even a rare Lego model of the company’s gargantuan Triple-E container ship, a vessel roughly as large as the Empire State Building laid on its side, capable of carrying another Empire State Building–sized load of cargo stacked on top of it.


That gift shop also houses a technology help center, a single desk manned by IT troubleshooters next to the shop’s cashier. And on the afternoon of June 27, 2017, confused Maersk staffers began to gather at that help desk in twos and threes, almost all of them carrying laptops. On the machines’ screens were messages in red and black lettering. Some read “repairing file system on C:” with a stark warning not to turn off the computer. Others, more surreally, read “oops, your important files are encrypted” and demanded a payment of $300 worth of bitcoin to decrypt them.



(3 of 3) The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History: How digital detectives unraveled the mystery of Olympic Destroyer—and why the next big attack will be even harder to crack.
WIRED, August 17, 2019
By Andy Greenberg

Just before 8 pm on February 9, 2018, high in the northeastern mountains of South Korea, Sang-jin Oh was sitting on a plastic chair a few dozen rows up from the floor of Pyeongchang’s vast, pentagonal Olympic Stadium. He wore a gray and red official Olympics jacket that kept him warm despite the near-freezing weather, and his seat, behind the press section, had a clear view of the raised, circular stage a few hundred feet in front of him. The 2018 Winter Olympics opening ceremony was about to start.


As the lights darkened around the roofless structure, anticipation buzzed through the 35,000-person crowd, the glow of their phone screens floating like fireflies around the stadium. Few felt that anticipation more intensely than Oh. For more than three years, the 47-year-old civil servant had been director of technology for the Pyeongchang Olympics organizing committee. He’d overseen the setup of an IT infrastructure for the games comprising more than 10,000 PCs, more than 20,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers in two Seoul data centers.


That immense collection of machines seemed to be functioning perfectly—almost. Half an hour earlier, he’d gotten word about a nagging technical issue. The source of that problem was a contractor, an IT firm from which the Olympics were renting another hundred servers. The contractor’s glitches had been a long-term headache. Oh’s response had been annoyance: Even now, with the entire world watching, the company was still working out its bugs?


The data centers in Seoul, however, weren’t reporting any such problems, and Oh’s team believed the issues with the contractor were manageable. He didn’t yet know that they were already preventing some attendees from printing tickets that would let them enter the stadium. So he’d settled into his seat, ready to watch a highlight of his career unfold.


Ten seconds before 8 pm, numbers began to form, one by one, in projected light around the stage, as a choir of children’s voices counted down in Korean to the start of the event:


“Sip! … Gu! … Pal! … Chil!”


In the middle of the countdown, Oh’s Samsung Galaxy Note8 phone abruptly lit up. He looked down to see a message from a subordinate on KakaoTalk, a popular Korean messaging app. The message shared perhaps the worst possible news Oh could have received at that exact moment: Something was shutting down every domain controller in the Seoul data centers, the servers that formed the backbone of the Olympics’ IT infrastructure.




Join Future Tense and New America’s Cybersecurity Initiative for a conversation with Andy Greenberg, Peter Warren Singer and moderator Lily Hay Newman. They discuss the book Sandworm, the Kremlin’s global offensive and the blurring of lines between physical and digital conflict. This Future Tense Event took place Nov. 6, 2019 at New America in Washington, D.C.

Andy Greenberg describes some of the genesis of his book and presents some of its salient sections. It’s an interesting discussion, starting at about 9 minutes into the YouTube video.


  • Andy Greenberg, Senior writer, WIRED; author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
  • Peter Warren Singer, Strategist and senior fellow, New America; co-author of LikeWar: The Weaponization of Social Media
  • Moderator: Lily Hay Newman, Senior writer, WIRED

(For the latest on Future Tense, read the Future Tense channel on Slate. Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.)


Book Reviews

My review of Sandworm: an essential guide to the new, reckless world of “cyberwarfare”
BoingBoing, November 1, 2019
By Cory Doctorow

For years, I’ve followed Andy Greenberg’s excellent reporting on “Sandworm,” a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world.


Greenberg has turned that work into a book-length cyber-whodunit, Sandworm, that comes out today. I reviewed it for the LA Times, where I described it as: “a tour through a realm that is both invisible and critical to the daily lives of every person alive in the 21st century.”



‘Sandworm’ book review: To understand cyberwar, you must understand Ukraine
CyberScoop, November 8, 2019
By Greg Otto

The book shows that attacks like BlackEnergy, NotPetya and Olympic Destroyer do not happen in a vacuum. Greenberg weaves them and others into a narrative that illuminates the personalities responsible for studying or thwarting Sandworm’s attacks. The net result is a story that’s miles away from technical jargon, exploring cyberwar’s ultimate consequence — the danger to people’s lives.




What is a “Sandworm” and where does the name come from? The word comes from Frank Herbert’s science-fiction novel Dune. Within the malicious code that is the subject of the book, targets were identified using references from Dune. The name “Sandworm” was ascribed to the hackers because of their apparent obsession with characters from Dune. It is an allusion to the thousand-foot-long sandworms that roam underground on the planet Dune and rise to the surface to consume everything in their path.