Sandworm details the group behind the worst cyberattacks in history


In this week’s Vergecast interview series, Verge editor-in-chief Nilay Patel talks with Wired senior editor Andy Greenberg, author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers.
As the title describes, Greenberg’s book is all about a group of hackers inside the Russian government called Sandworm, who were responsible for damaging cyber warfare attacks in various countries over the past few years and forever escalated what we think of as “cyberwar.”
Andy and Nilay discuss the origins of Sandworm, the intricacies and ramifications of their attacks, and what mysteries and situations are still left unsolved. Listen here or in your preferred podcast player to hear the entire conversation.
Below is a lightly edited excerpt from the conversation.
Nilay Patel: Who is Sandworm? What do we know about them? Where do they work? What are they like? Do we have a sense of how this operation actually operates?
Andy Greenberg: That was, in some ways, the biggest challenge of reporting this book. And I spent essentially the third act of the book — the last third of the reporting of the book — trying to answer this question of “Who is Sandworm? Who are these people? Where are they located? What motivates them?”
And I guess, just to partially spoil the ending here, they are a unit of the GRU [the General Staff of the Armed Forces of the Russian Federation]. They are part of Russia’s military intelligence agency, which is responsible for — this is not a coincidence — they are responsible for election meddling. They’re responsible for the attempted assassination of Sergei Skripal with chemical weapons in the United Kingdom. They’re responsible for the downing of MH17, the commercial passenger jet over Ukraine where 300 innocent people died.
The GRU are this incredibly reckless, callous military intelligence agency. But they act almost like cutthroat mercenaries around the world doing Russia’s bidding in ways that are, I think, very scary.
So, through essentially a combination of excellent work from a bunch of security researchers who I was speaking to, combined with some confirmation from US intelligence agencies and then, ultimately, some other clues from the investigation by Robert Mueller into election meddling. All of these things combined created a trail that led to one group within the GRU, [where] I eventually had some names and faces and even an address of this group. And all of that was actually only finally fully confirmed after the book came out, just in recent months when the State Department — as well as the UK and Australian and other governments together — finally said, “Yes, Sandworm is in fact this unit of the GRU.”
So this theory that I had developed and posited near the end of the book was finally basically confirmed by governments just in recent months.
One thing that strikes me is that, I think, the GRU is being foreboding. Obviously, they’re very, very good at this. They’re very buttoned-up. And then they have an incredible social media presence that pops up throughout the book that distracts from what they’re doing. They set up Guccifer 2.0 when they were doing the DNC hacks that fed to WikiLeaks. That account insisted it was just a guy. They set up the Shadow Brokers.
I read it as just “Here are some goofballs.” They wanted to seem a lot dumber and a lot smaller than they were, and they were very effective at it. First of all, talk about that strategy. And then the question I have is: are we better at seeing that strategy for what it is?
Well, you make a really interesting point. I mean, the GRU uses these false flags throughout their recent history. But I should say, we don’t know that they were responsible for Shadow Brokers. In fact, nobody knows who the Shadow Brokers truly are. And they are, in some ways, the biggest mystery in this whole story. This one group that hacked the NSA, apparently, and leaked a bunch of their zero-day hacking techniques. Or maybe they were even NSA insiders. We still don’t know the answer to that question.
But the other incidents you mentioned, the GRU are responsible for this Guccifer 2.0 fake hacktivist that leaked a bunch of the Clinton documents. They were responsible for other false flags. They, at one point, called themselves “The Cyber Caliphate” and pretended to be ISIS. They’ve pretended to be patriotic pro-Russian Ukrainians at some points. They’re always wearing different masks, and they’re very deceptive.
And then in a later chapter of the book, one of the biggest attacks they did was this attack on the 2018 Olympics, where they not only wore a false mask but actually had layers of false flags. Cybersecurity researchers dug into this malware that was used to destroy the entire back end of the 2018 Winter Olympics just as the opening ceremony began. I mean, this was a catastrophic event. The malware had all of these fake clues that made it look like it was Chinese or North Korean or maybe Russian, but nobody could tell. It was this kind of confusion almost designed to just make researchers throw up their hands and give up on attributing the malware to any particular actor. And it was only through some amazing detective work by some of the analysts that I spoke to that they were able to cut through those false flags and identify that Sandworm was behind this, essentially.
But, yeah. It is one very real characteristic of the GRU, that they seem to almost take pleasure in showing off their deception capabilities, too. And they’re evolving those capabilities. They are getting more deceptive over time as they get more destructive and aggressive.
I love to play the game of “imagine the meeting,” and you imagine that the one meeting, which is the actual hackers finding the vulnerabilities, figuring out how to jump from a Windows 8 computer to some sort of physical hardware controller that actually runs a terminal. That’s a very hard problem in and of itself. And then there’s the other meeting where they’re like, “What we’re going to do is claim to be a guy called Guccifer 2.0.” Those are not connected, right?
But throughout the book, the way they execute these campaigns, they’re deeply connected. And that seems like not only just a new kind of warfare and a new kind of craft, but it’s something that just consistently seems to work in surprising ways. Like the tech press is going to be like, “Guccifer says this,” and there’s never that next step of “Also, we think it’s the Russian government.”
I would love to be a fly on the wall of the meeting where they decide what their Twitter name is going to be today. And I’m very curious how they evolve those attacks in such a way that it just seems to be more and more effective over time.
I would also love to be in those meetings. It’s my one kind of regret in this book that I never actually got interviews. I mean, it’s almost impossible to find defectors from the GRU or something who will tell those stories and then not get murdered. I mean, it’s just kind of impossible.
And in some cases, to your earlier point, they almost seem kind of bumbling with these things. They do them in a very improvisational way, and Guccifer 2.0 seemed almost like it was just this thing they invented on the spot to try to cover up some of the accidental slip-ups. Like, they had left Russian language formatting errors in the documents that they had leaked from the DNC. So they invented this guy who appeared the next day and started talking about being a Romanian. And then my friend at Motherboard, Lorenzo Franceschi-Bicchierai, he started this conversation online with Guccifer 2.0 and basically proved that the guy could not actually properly speak Romanian and seemed to broadly be a Russian speaker. It was almost comical.
You know, at the same time, they’re using very sophisticated hacking techniques. They’re doing destructive attacks on a massive scale. But they also just seem like they’re kind of making it up as they go along. They do things that don’t actually seem very strategically smart. They kind of seem like they’re just trying to impress their boss for the day. Sometimes it just seems like the GRU wakes up and asks themselves, “What can we blow up today?” rather than thinking, “How can we accomplish greater strategic objectives of the Russian Federation?” So they are fascinating in that way and a very strange and colorful group.