I read a book! And it wasn’t a comic book or a repair manual!
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
ISBN 978-0-525-56463-8, 348 pages

Andy Greenberg provides a compelling narrative of the advancement of cyberwar tools as they crossed from pure espionage to sabotage and to ancillary tools of disruption used in wider attacks and “hybrid warfare.” The information security disciplines, including malware analysis, incident response, threat hunting, and risk analysis, are vividly illustrated in some of the highest-stakes scenarios information security faces. Although I was aware of most of the events described in the book when they happened, for example the revelation of Stuxnet, the Ukraine power outages, the Sony breach, and the Maersk NotPetya catastrophe, Greenberg’s book informed my recollections with additional context, background, and consequences.
Throughout the first 200 or so pages of the book, the descriptions of the threat actors and the clarification of their motives are only the conjecture of observers. Not until the description of the GRU and its culture of secrecy are the questions about the threat answered. The answers are limited, as GRU defectors are few and, as the Skripal assassination illustrates, never beyond its reach. The best that information security defenders can do is infer the attackers’ motivations from the political objectives of Russia and from patterns that emerge from their activities once attribution is made. This is a suboptimal stance for a defender, who remains uncertain of both the strength and the objective of the attacker. If the defender can’t determine whether the temporary shutdown of the Kyiv power grid was an attack or just a demonstration, the verdict on the response could be either “good job, well done” or “holy smokes, we dodged a bullet.”
The story of Sandworm should lay to rest some persistent fallacies I’ve heard about the inability of cyber attacks to cause significant impact on real-world systems, including injury and death to individuals. Dismissing cyber attacks by nations as merely espionage and misinformation campaigns underestimates the power of such attacks to sabotage critical infrastructure. As a survivor of last year’s Texas power grid failure, I know that the impact of the ability to turn off the grid should not be underestimated.