Title: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Author: Andy Greenberg
Publisher: Anchor Books
This book is about the mischief that can be (and has been) wrought in cyberspace and how it can reach into meatspace. It focuses on the "danger" Russia poses to the world, citing its alleged activities in Estonia, Georgia, Ukraine, the USA and South Korea. For evidence of that danger, it cites DDoS attacks in Estonia in 2007 and in Georgia in 2008; attacks on the electricity grid in Ukraine in 2015 and election meddling from 2015 onwards; the 2016 US election; and the Winter Olympics in South Korea in 2018. There were also the NotPetya and WannaCry incidents of 2017, which were more widely distributed, even though in both cases Ukraine was hardest hit.
I put danger in quotation marks because, while the author talks about the real-world costs of the cyberactivity, and notes that the US government was the first to use a cyberweapon (Stuxnet against Iran), and also notes that the US National Security Agency probably has more capacity to do cyberharm (the NSA was hacked in 2016 and some of its cybertools were stolen, made publicly available and used to make NotPetya more virulent), he seems to wave away these actions of the US as somehow not dangerous. He notes that the US has not spoken more strongly about Russian actions because the US wants the freedom to do whatever it wants, which is cynical. I find his stance hypocritical, interpreting it as "it is less bad for my side to do whatever it wants." I cannot understand how he can talk approvingly, with barely concealed glee, about Stuxnet and then say it is unconscionable that the US grid can be attacked by Russia. I know that international relations are generally conducted on the basis of might is right, or at least that might cannot be trumped by right, but still my amateur opinion is that the West has too big a log in its own eye (especially with its penchant for bombing infrastructure) to now point a finger when others do similar things.
The author is a reporter for Wired Magazine and, upon concluding his research and investigation for the book, he concludes that agents of the Russian Military Intelligence outfit, specifically units 26165 and 74455, are the perpetrators of the attacks. Unit 26165 appears to be responsible for penetrating a system, while 74455 decides what to do once access is gained. It is possible, but improbable, that he began his investigation genuinely intent on using the evidence to discover the culprits. I think it is more probable that he had already decided he knew the answer and set out to look for evidence that would confirm it. In any case, his research is plausible, especially his description of the methods used to determine the origins of the attacks. It appears that programming flavor differs by nationality. Thus, an experienced person, merely by looking at code, can reasonably guess its origin. Further, there are servers, called command and control servers, that are used to coordinate the attacks. It appears ownership of those servers can be traced. Finally, the UK's GCHQ and the White House have indicted the two units. Even though they are not disinterested parties, their opinions, especially that of the GCHQ given its pedigree, carry weight.
I bought this book because I'd read an article about how a generator was destroyed with a few lines of code in 2007. Computer technology fascinates me. My (probably flawed) understanding of software is that all programming is essentially a series of instructions saying "on" then "off" in sequence. Thus, I find it hard to understand how those two simple instructions enable all the marvels of modern technology. Reading about how investigators obtain copies of malware code and pull it apart to determine its source and workings, I feel like an illiterate person looking at a reader, wondering what books are, and why they fascinate the reader.
This is a book I enjoyed reading. It was an easy read. I think books written by reporters are usually well written, with clear, terse styles. Even where the writing style is ornate, like James Michener's (who is my favorite writer), the descriptions are beautiful and functional. One thing about this guy's style though is how he uses weather to signify approval or disapproval. Whenever he is in the West, the weather is good - a sunny spring morning, or a beautiful summer afternoon. In Russia, it is always a gloomy, icy day. This just seemed like more bias on his part.
The book ends with security recommendations by Western experts. Seeing what Ukraine and Estonia have suffered, they believe there is a need for more redundancy in the US utilities infrastructure, especially for power. The sophistication of the US grid might make it harder to take down remotely, but if taken down, it will be easier to keep down, unlike Ukraine's, which is easy to bring down and easy to bring back up. One of the experts deliberately lives a low-tech lifestyle, on a farm, without a cell phone. The tractor he uses is one that he chose because it is old and all analogue. This safety feature of low tech actually helped Maersk during the NotPetya attacks. The company's entire global network was infected and disabled. The only clean backup they had was in Ghana, and it was clean only because it was off at the time of the attack due to Ghana's epileptic power supply. I'm not sure this is a good security strategy.
The title of the book is the codename given to the hackers when their malware was first discovered. Within their code, there were many references to Dune, the novel. These references were among the pieces of evidence the investigating team used to track down the source of the hacks. The book states with certainty that unit 74455 of the GRU is Sandworm.
This is a book I enjoyed reading. It reminded me a bit of Catherine Belton's Putin's People, meaning that while it might have been well researched, its anti-Russia and pro-Western bias is evident. This lack of objectivity reduces its quality. However, it is worth reading and it is enjoyable.