Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Review

The Grid Remembers What the Policy Forgot

Greenberg's *Sandworm* arrived in 2019 as a warning. Seven years later it reads as a prologue. The book's central thesis — that Russia's GRU had developed and deployed cyberweapons capable of crossing the threshold from espionage to physical destruction, and that the world was not remotely prepared — has been validated so thoroughly that the book now suffers the peculiar fate of prophets: it seems obvious. The 2015 and 2016 Ukrainian grid attacks, the NotPetya worm's $10 billion rampage through global shipping and pharmaceuticals, the Olympic Destroyer false-flag operation — Greenberg assembled these into a narrative arc that pointed unmistakably toward escalation. He was right. When Russia's full-scale invasion of Ukraine began in February 2022, the opening hours included cyberattacks on Viasat's satellite network and renewed assaults on Ukrainian infrastructure, moves that fit so neatly into Greenberg's framework that his book became required reading in defense circles overnight. The specific pattern he identified — cyber operations as a rehearsal space for kinetic war, tested on Ukraine before being exported — played out almost exactly as described. What he could not have anticipated was how well Ukraine would absorb the blows. The resilience chapter at the book's end gestures toward this idea but cannot fill it in; by 2024, Ukrainian cyber defense, hardened by nearly a decade of being the world's most targeted nation and bolstered by Western tech partnerships, had become a case study in adaptive resistance that complicated Greenberg's darkest projections.

The book's blind spots are the blind spots of 2019. Greenberg frames cyberwarfare overwhelmingly through the lens of state-versus-state confrontation, with Russia as the primary antagonist and the United States as the sluggish but well-meaning defender struggling to formulate doctrine. The ransomware epidemic that would cripple Colonial Pipeline, JBS, and hundreds of hospitals in 2020-2021 — an ecosystem in which criminal actors and state actors became functionally indistinguishable — barely registers here. The role of China, which by 2025 had been identified as having pre-positioned access to American critical infrastructure through the Volt Typhoon campaign on a scale that dwarfs anything Sandworm achieved, receives almost no attention. Greenberg was writing about the most dangerous hackers he could see, and they were indeed dangerous, but the competitive landscape of state-sponsored cyber operations has shifted considerably. The GRU remains a menace, but the book's implicit hierarchy of threats now looks incomplete. There is also a curious absence around the private sector's role as both target and combatant: the rise of major cybersecurity firms as quasi-governmental actors, the deployment of Starlink as wartime infrastructure, the way Microsoft and Google would become active participants in Ukraine's defense — none of this was foreseeable in 2019, but its absence reveals how much the book is anchored in a world where governments were still assumed to be the primary agents of both attack and defense.

Certain passages land with altered force. Greenberg's account of the U.S. government's muted response to the 2015 Ukrainian blackout attack — the bureaucratic hedging, the reluctance to publicly attribute, the fear of establishing norms that might constrain American offensive capabilities — reads now less as a cautionary tale and more as an indictment. The exit interviews with Obama-era cybersecurity officials, who candidly admit they declined to draw red lines around attacks on civilian infrastructure because they wanted to preserve their own freedom of action, are almost unbearable in light of what followed. That calculation — strategic ambiguity over civilian protection — looks like a down payment on the chaos of the next decade. Similarly, the chapter on the Digital Geneva Convention, Brad Smith's earnest 2017 proposal for international norms governing cyberspace, reads with a kind of melancholy. No such convention materialized. The norms conversation has been overtaken by events. What we got instead was an accelerating arms race in which every major power, and quite a few minor ones, developed or purchased offensive cyber capabilities with little regard for the civilian collateral Greenberg so meticulously documented.

Within the broader shelf of cyberwarfare literature, *Sandworm* occupies a specific and durable position. It inherits from Kim Zetter's *Countdown to Zero Day* the art of turning malware analysis into narrative, and from Fred Kaplan's *Dark Territory* a sense of institutional history, but it surpasses both in the urgency of its geopolitical framing. It gave subsequent works — Nicole Perlroth's *This Is How They Tell Me the World Ends*, Greenberg's own follow-up reporting — a foundation to build on. The NotPetya chapters remain the definitive popular account of that event. More importantly, the book established a template: the idea that a single hacking group's trajectory could serve as a lens for understanding the decay of international order. That template has been widely adopted. It also, perhaps inadvertently, demonstrated the limits of attribution-as-deterrence. Greenberg documents the painstaking work of identifying Sandworm's operators, naming them, indicting them. None of it stopped anything. The names went on FBI wanted posters. The operations continued.

The question the book now raises, which it could not have raised in 2019: if a decade of documenting, attributing, sanctioning, and indicting state-sponsored cyberattacks has failed to produce meaningful deterrence, and if the nations best positioned to establish norms have instead chosen to preserve their own offensive capabilities, is the concept of cyberwarfare as a governable domain already dead — and are we simply living in the ungoverned space, calling it peace?