Sandworm : A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
Author(s): Greenberg, Andy
ISBN No.: 9780525564638
Pages: 368
Year: 202010
Format: Trade Paper
Price: $ 27.60
Dispatch delay: Dispatched between 7 to 15 days
Status: Available

Introduction

On June 27, 2017, something strange and terrible began to ripple out across the infrastructure of the world. A group of hospitals in Pennsylvania began delaying surgeries and turning away patients. A Cadbury factory in Tasmania stopped churning out chocolates. The pharmaceutical giant Merck ceased manufacturing vaccines for human papillomavirus. Soon, seventeen terminals at ports across the globe, all owned by the world's largest shipping firm, Maersk, found themselves paralyzed. Tens of thousands of eighteen-wheeler trucks carrying shipping containers began to line up outside those ports' gates. Massive ships arrived from journeys across oceans, each carrying hundreds of thousands of tons of cargo, only to find that no one could unload them. Like victims of a global outbreak of some brain-eating bacteria, major components in the intertwined, automated systems of the world seemed to have spontaneously forgotten how to function.


At the attack's epicenter, in Ukraine, the effects of the technological doomsday were more concentrated. ATMs and credit card payment systems inexplicably dropped off-line. Mass transit in the country's capital of Kyiv was crippled. Government agencies, airports, hospitals, the postal service, even scientists monitoring radioactivity levels at the ruins of the Chernobyl nuclear power plant, all watched helplessly as practically every computer in their networks was infected and wiped by a mysterious piece of malicious code. This is what cyberwar looks like: an invisible force capable of striking out from an unknown origin to sabotage, on a massive scale, the technologies that underpin civilization. For decades, the Cassandras of internet security warned us this was coming. They cautioned that hackers would soon make the leap beyond mere crime or even state-sponsored espionage and begin to exploit vulnerabilities in the digitized, critical infrastructure of the modern world. In 2007, when Russian hackers bombarded Estonia with cyberattacks that tore practically every website in the country off-line, that blitz hinted at the potential scale of geopolitically motivated hacking.


Two years later, when the NSA's malicious software called Stuxnet silently accelerated Iran's nuclear enrichment centrifuges until they destroyed themselves, the operation demonstrated another preview of what was in store: It showed that tools of cyberwar could reach out beyond the merely digital, into even the most closely guarded and sensitive components of the physical world. But for anyone watching Russia's war in Ukraine since it began in early 2014, there were clearer, more direct harbingers. Starting in 2015, waves of vicious cyberattacks had begun to strike Ukraine's government, media, and transportation. They culminated in the first known blackouts ever caused by hackers, attacks that turned off power for hundreds of thousands of civilians. A small group of researchers would begin to sound the alarm--largely in vain--that Russia was turning Ukraine into a test lab for cyberwar innovations. They cautioned that those advancements might soon be deployed against the United States, NATO, and a larger world that remained blithely unprepared for this new dimension of war. And they pointed to a single force of Kremlin-backed hackers that seemed to be launching these unprecedented weapons of mass disruption: a group known as Sandworm. Over the next two years, Sandworm would ramp up its aggression, distinguishing itself as the most dangerous collection of hackers in the world and redefining cyberwar.


Finally, on that fateful day in late June 2017, the group would unleash the world-shaking worm known as NotPetya, now considered the most devastating and costly malware in history. In the process, Sandworm would demonstrate as never before that highly sophisticated, state-sponsored hackers with the motivations of a military sabotage unit can attack across any distance to undermine the foundations of human life, hitting interlocked, interdependent systems with unpredictable, disastrous consequences. Today, the full scale of the threat Sandworm and its ilk present looms over the future. If cyberwar escalation continues unchecked, the victims of state-sponsored hacking could be on a trajectory for even more virulent and destructive worms. The digital attacks first demonstrated in Ukraine hint at a dystopia on the horizon, one where hackers induce blackouts that last days, weeks, or even longer--intentionally inflicted deprivations of electricity that could mirror the American tragedy of Puerto Rico after Hurricane Maria, causing vast economic harm and even loss of life. Or one where hackers destroy physical equipment at industrial sites to cause lethal mayhem. Or, as in the case of NotPetya, where they simply wipe hundreds of thousands of computers at a strategic moment to render brain-dead the digital systems of an enemy's economy or critical infrastructure. This book tells the story of Sandworm, the clearest example yet of the rogue actors advancing that cyberwar dystopia.


It follows the yearslong work of the detectives tracking those hackers--as Sandworm's fingerprints appeared on one digital disaster scene after another--to identify and locate them, and to call attention to the danger the group represented in the desperate hope that it could be stopped. But Sandworm is not just the story of a single hacker group, or even of the wider threat of Russia's reckless willingness to wage this new form of cyberwar around the world. It's the story of a larger, global arms race that continues today. That race is one that the United States and the West have not only failed to stop but directly accelerated with our own headlong embrace of digital attack tools. And in doing so, we've invited a new, unchecked force of chaos into the world.

Prologue

The clocks read zero when the lights went out. It was a Saturday night in December 2016, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kyiv apartment. The forty-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone's film Snowden when their building abruptly lost power.


"The hackers don't want us to finish the movie," Yasinsky's wife joked. She was referring to an event that had occurred a year earlier, a cyberattack that had cut electricity to nearly a quarter-million Ukrainians two days before Christmas in 2015. Yasinsky, a chief forensic analyst at a Kyiv cybersecurity firm, didn't laugh. He looked over at a portable clock on his desk: The time was 00:00. Precisely midnight. Yasinsky's television was plugged into a surge protector with a battery backup, so only the flicker of images on-screen lit the room now. The power strip started beeping plaintively. Yasinsky got up and switched it off to save its charge, leaving the room suddenly silent.


He went to the kitchen, pulled out a handful of candles, and lit them. Then he stepped to the kitchen window. The thin, sandy blond engineer looked out on a view of the city as he'd never seen it before: The entire skyline around his apartment building was dark. Only the gray glow of distant lights reflected off the clouded sky, outlining blackened hulks of modern condos and Soviet high-rises. Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside--close to zero degrees Fahrenheit--the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes. That's when another paranoid thought began to work its way through Yasinsky's mind: For the past fourteen months, he had found himself at the center of an enveloping crisis. A growing list of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession.


A single group of hackers seemed to be behind all of it. Now he couldn't suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet's ether, into his home.

1 The Zero Day

Beyond the Beltway, where the D.C. intelligence-industrial complex flattens out to an endless sea of parking lots and gray office buildings marked with logos and corporate names designed to be forgotten, there's a building in Chantilly, Virginia, whose fourth floor houses a windowless internal room. The room's walls are painted matte black, as if to carve out a negative space where no outside light penetrates. In 2014, just over a year before the outbreak of Ukraine's cyberwar, this was what the small, private intelligence firm iSight Partners called the black room. Inside worked the company's two-man team tasked with software vulnerability research, a job that required focus intense enough that its practitioners had insisted on the closest possible office layout to a sensory-deprivation chamber.


It was this pair of highly skilled cave dwellers that John Hultquist first turned to one Wednesday morning that September with a rare request. When Hultquist had arrived at his desk earlier that day in a far-better-lit office, one with actual windows on the opposite side of the iSight building, he'd opened an email from one of his iSight colleagues in the company's Ukraine satellite operation. Inside, he found a gift: The Kiev-based staff believed they might have gotten their hands on a zero-day vulnerability. A zero day, in hacker jargon, is a secret security flaw in software...

