Sandworm: a timeline of hacking

The book

In Andy Greenberg’s latest book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, he recounts the operations of the eponymous Russian hacker group and explains their significance. The book is split into six parts – Emergence, Origin, Evolution, Apotheosis, Identity, Lessons – with the main Sandworm narrative in three of them: Emergence, Evolution, Apotheosis. From that split we can deduce that Greenberg spends as much time on the context around Sandworm as on the group itself, and indeed in his own words:

Sandworm is not just the story of a single hacker group, or even of the wider threat of Russia’s reckless willingness to wage this new form of cyberwar around the world. It’s the story of a larger, global arms race that continues today.

The theme of Greenberg’s story is the evolution of hacking:

cyber-crime (by individuals) →
cyber-espionage (state-sponsored) →
cyber-war (paired with physical attacks) →
cyber-war (directly attacking physical infrastructure)

and how America’s silence in the face of years of Russian cyber-experimentation on Ukraine allowed this evolution to proceed unchecked.

The timeline

We saw above that the book’s narrative on Sandworm has the Origin part sitting between Emergence and Evolution, so it is not linear. This non-linearity also holds within each part: for narrative purposes, Greenberg jumps backward and forward in time repeatedly, often revisiting the same event several times from different perspectives. While this makes for a more engaging read, because we are following an individual’s story, it makes it hard to picture the timeline and to see cause and effect. So, to help myself, and you, the reader of this post, I put together a timeline based on the events in the book.

Cybersecurity researchers are often hesitant to attribute attacks to countries or groups; I had no such hesitation and attributed liberally based on the most likely suspect.

[Figure: Sandworm timeline]
A raw version of the timeline is linked from the original post.

The conclusion

So what can we do in a world where infrastructure hacking is a standard weapon in the arsenal of global cyberwar? Greenberg talked to cybersecurity guru Dan Geer, CISO for In-Q-Tel, a nonprofit that functions as a venture capital investor for U.S. spy agencies, to find out. Geer advocates resiliency over prevention:

It may be time to no longer invest further in lengthening the time between failures but instead on shortening mean time to repair.

In reliability terms this is the familiar trade-off between mean time between failures (MTBF) and mean time to repair (MTTR): steady-state availability is MTBF / (MTBF + MTTR), so halving MTTR buys exactly as much availability as doubling MTBF, and the repair side is usually the cheaper one to move. Geer believes that the way to achieve resiliency is by having a “ready, running, and known-to-work alternative if the current option were to blow up.” He goes on to elaborate that he doesn’t mean just any alternative, but specifically an analog one.