Sandworm
A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Long-form journalism on the GRU's hacking operations; the best non-technical book on what state-level cyber actually looks like.
- Authors: Andy Greenberg
- Published: 2019
- Publisher: Doubleday
- Pages: 368
- Language: English
Table of contents
36 chapters
Part I: Emergence
- 1. The Zero Day
- 2. BlackEnergy
- 3. Arrakis02
- 4. Force Multiplier
- 5. StarLightMedia
- 6. Holodomor to Chernobyl
- 7. Maidan to Donbas
- 8. Blackout
- 9. The Delegation
Part II: Origins
- 10. Flashback: Aurora
- 11. Flashback: Moonlight Maze
- 12. Flashback: Estonia
- 13. Flashback: Georgia
- 14. Flashback: Stuxnet
Part III: Evolution
- 15. Warnings
- 16. Fancy Bear
- 17. Penquin & BlackEnergy
- 18. Industroyer / CrashOverride
Part IV: Apotheosis
- 19. Maersk
- 20. Shadow Brokers
- 21. EternalBlue
- 22. Mimikatz
- 23. NotPetya
- 24. Breakdown
- 25. Aftermath
- 26. Distance
Part V: Identity
- 27. OlympicDestroyer
- 28. Whodunit
- 29. False Flags
- 30. 74455
- 31. The Tower
- 32. Russia
- 33. The Indictments
Part VI: Lessons
- 34. Bombshell
- 35. Restraint
- 36. Resilience
Prerequisites
None. Greenberg writes for the curious general reader, but practitioners will read it faster, not differently.
Read this if
Anyone who wants to understand the strategic context their day job sits inside: defenders, policy people, students choosing a path.
Skip this if
Readers wanting deep technical detail. The forensic granularity exists, but the book lives at the operational and political levels.
Key takeaways
- NotPetya was not a ransomware accident; it was a wartime weapon that overshot.
- Attribution is slow, contested, and political, but it is also possible and increasingly precise.
- The line between cybercrime and statecraft is thinner than the threat-intel literature suggests.
Notes
Treats Sandworm not as a series of hacks but as a campaign with tempo, logic, and recurring actors. The Maersk-recovers-from-a-Ghana-domain-controller chapter is the kind of detail journalism is uniquely good at. The book to give people who keep asking what cybersecurity 'actually is.'
What to read before
Beginner · 1989
The Cuckoo's Egg
Clifford Stoll's first-person account of investigating a 75-cent accounting discrepancy at LBNL that turned into a year-long pursuit of a KGB-paid intruder across early-internet networks.
Beginner · 2020
The Hacker and the State
Ben Buchanan's argument that state-on-state cyber operations are not deterrence-shaped (like nuclear) but signaling-shaped: countries use cyber to shape the environment, not to threaten escalation. Builds the case from declassified incidents.
Beginner · 2014
@War
Shane Harris on the entanglement of US military doctrine, the intelligence community, and private contractors after cyberspace was declared the fifth warfighting domain.
What to read next
Beginner · 1989
The Cuckoo's Egg
Clifford Stoll's first-person account of investigating a 75-cent accounting discrepancy at LBNL that turned into a year-long pursuit of a KGB-paid intruder across early-internet networks.
Beginner · 2020
The Hacker and the State
Ben Buchanan's argument that state-on-state cyber operations are not deterrence-shaped (like nuclear) but signaling-shaped: countries use cyber to shape the environment, not to threaten escalation. Builds the case from declassified incidents.
Beginner · 2014
@War
Shane Harris on the entanglement of US military doctrine, the intelligence community, and private contractors after cyberspace was declared the fifth warfighting domain.
Explore similar books
Beginner · 2020
The Hacker and the State
Ben Buchanan's argument that state-on-state cyber operations are not deterrence-shaped (like nuclear) but signaling-shaped: countries use cyber to shape the environment, not to threaten escalation. Builds the case from declassified incidents.
Beginner · 1989
The Cuckoo's Egg
Clifford Stoll's first-person account of investigating a 75-cent accounting discrepancy at LBNL that turned into a year-long pursuit of a KGB-paid intruder across early-internet networks.
Beginner · 2021
This Is How They Tell Me the World Ends
Nicole Perlroth's reporting on the global zero-day market: how exploits get bought, by whom, and how the gray-then-black market shapes which vulnerabilities get fixed and which get hoarded.