Sandworm
Audiobook & Ebook

By Andy Greenberg

Narrated by Mark Bramhall

🎧 12 hrs and 2 mins 📄 400 pages 📘 Wydawnictwo Naukowe PWN 📅 January 1, 2021 🌐 Polish

Quick Take

  • Narration: Mark Bramhall delivers Greenberg’s investigative prose with measured authority, letting the technical revelations land without sensationalizing them, the right voice for a book where the facts are alarming enough on their own.
  • Themes: State-sponsored cyberwarfare, infrastructure vulnerability, attribution in the digital age
  • Mood: Methodical and deeply unsettling
  • Verdict: The most important cybersecurity book written in the last decade, and one that reads like a thriller precisely because it isn’t fiction.

I came to Sandworm late. I kept putting it off, partly because the subject, Russian state-sponsored cyberattacks, felt abstract, and partly because I’d been burned by breathless tech journalism before. Then a colleague mentioned that she’d started it on a Tuesday and cancelled her Thursday plans to finish it. That’s the kind of recommendation I actually trust. I loaded it on a Friday afternoon and was thirty minutes deep before I remembered I’d meant to start dinner.

Andy Greenberg is a journalist at Wired who has spent years covering the intersection of cybersecurity and geopolitics, and Sandworm is the culmination of that reporting. The subject is Sandworm Team, a hacking group operating under Russian military intelligence, responsible for some of the most destructive cyberattacks in history, including the 2015 and 2016 takedowns of the Ukrainian power grid, leaving hundreds of thousands of people without electricity in winter, and the 2017 NotPetya attack, which caused an estimated ten billion dollars in global damage and remains the most destructive cyberattack ever deployed.

The Attribution Problem at the Center of Everything

What gives Sandworm its structural backbone isn’t just the damage tallied or the targets listed; it’s the painstaking process of figuring out who did this. Greenberg traces the work of researchers at firms like FireEye and ESET who spent years threading together malware samples, infrastructure patterns, and operational signatures to build a case that pointed unmistakably toward the GRU, Russia’s military intelligence service. This forensic detective work is genuinely compelling, and Greenberg explains it with enough clarity that non-technical readers can follow the logic without feeling talked down to. The attribution problem in cybersecurity (you can observe the attack, but proving the attacker is a different matter entirely) is something most reporting papers over. Greenberg sits with its complexity.

Ukraine as the Testing Ground

The chapters on Ukraine are the most disturbing in the book, and that’s saying something given the competition. Greenberg traveled to Ukraine and interviewed grid operators, government officials, and engineers who lived through the attacks firsthand. The 2015 power outage was surgical and deliberate: attackers spent months inside the network before hitting the switch, and then flooded the grid company’s help line with fake calls while real operators tried to restore power. It reads like a military operation because it was one. Greenberg makes the case, persuasively, that Ukraine functioned as a live laboratory for Sandworm’s techniques, with each attack refining methods that could be deployed anywhere.

NotPetya and the Collateral Damage Problem

The NotPetya chapter is where the book broadens from a story about Ukraine to a story about every connected organization on earth. NotPetya was nominally aimed at Ukrainian targets (it spread initially via a Ukrainian accounting software update), but it propagated through global corporate networks with no regard for borders. Maersk, the Danish shipping giant, lost nearly its entire IT infrastructure in a matter of hours. Merck, FedEx, hospitals, ports: the casualty list reads like a demonstration that in cyberwar, there is no such thing as a purely military target. Greenberg’s reporting on Maersk’s recovery effort is extraordinary. The company had to reinstall 45,000 PCs and 4,000 servers in ten days, largely because one domain controller survived by accident in an office that had experienced a power outage during the attack. That detail, survival by fluke, stays with you.

What Mark Bramhall Brings to the Material

Bramhall’s performance is well-matched to Greenberg’s prose style. This is not a book that needs dramatic inflection or a thriller-narrator’s trick of punching up tension; the material provides all the tension required. Bramhall reads with the kind of steady, informed gravity that suits investigative journalism: he trusts the sentences. His pacing is deliberate during the analytical passages and quickens naturally during the incident reconstructions, which is exactly the right instinct. At just over twelve hours, Sandworm is the kind of listen that sustains that pace without fatigue.

The 4.7 rating across over two thousand reviews tells you what the cybersecurity community thinks of this book, and they’re right. Greenberg had unprecedented access and the skill to turn highly technical material into genuinely consequential narrative nonfiction. If you work in IT, in government, in critical infrastructure, or if you simply want to understand why the phrase “cyber threat” stopped being hypothetical years ago, this is where you start.

Who should listen: Anyone in IT security or enterprise risk management, policy professionals thinking about critical infrastructure, readers who found Cliff Stoll’s The Cuckoo’s Egg compelling and want its modern equivalent, and frankly anyone who uses electricity. Who should probably wait: Readers looking for a hacking how-to or a technical manual; this is journalism, not a practitioner’s guide.

Frequently Asked Questions

Do I need a cybersecurity background to follow Sandworm?

No. Greenberg writes for a general audience and explains technical concepts (malware behavior, network intrusion, supply chain attacks) in plain language. The book is more geopolitical thriller than technical manual. Security professionals will find the detail satisfying, but the core narrative is accessible without any background.

How does Sandworm relate to the Russia-Ukraine conflict?

The book predates the 2022 full-scale invasion but is essential context for it. Greenberg documents how Russia used Ukraine as a live testing environment for cyberweapons starting in 2015, treating Ukrainian infrastructure as a proving ground. The patterns he identifies remained active after the book’s publication.

Is the audiobook complete, or does it lose technical depth compared to the print edition?

The audiobook is the full text. There are no diagrams or charts in Sandworm that are essential to following the argument; Greenberg builds his case through narrative and interview rather than visual aids, so nothing important is lost in audio format. Mark Bramhall’s narration actually helps with the flow of dense technical passages.

How does this compare to other landmark cybersecurity books like The Cuckoo’s Egg or Countdown to Zero Day?

Kim Zetter’s Countdown to Zero Day covers Stuxnet and is the natural predecessor. Sandworm picks up roughly where that book leaves off, moving from sabotage of Iranian nuclear infrastructure to full-scale attacks on civilian power grids and global shipping. The Cuckoo’s Egg is an earlier benchmark from a different era of hacking. Sandworm is the most current and highest-stakes of the three.

Written by Alexandra Reed

Founder & Literary Critic