SecureWorld News

What Sandworm Teaches Us About Cyber, Geopolitics, and Strategic Leadership

Written by Ian Schneller | Fri | Feb 27, 2026 | 3:22 PM Z

Sandworm by Andy Greenberg is more than a chronicle of a set of devastating cyberattacks. It's a study in attribution, geopolitics, resilience, and strategic blindness. And despite being set roughly eight years ago, its lessons feel even more relevant today.

I recently read it for the first time, and now that I have, I feel like a bad professional for not reading it sooner! It's not just a great adventure through significant cyber events; it's also full of strategic takeaways you can apply today.

Attribution is hard—really hard

One of the book's most important takeaways: attribution takes time, discipline, and humility.

Initial conclusions are often wrong—or at least incomplete. The case studies walk through global efforts to attribute major attacks, and they are filled with false starts, dead ends, misdirection, and political hesitation. What seems obvious in hindsight was anything but clear in the moment.

For security leaders, this is a sobering reminder. Public pressure, media narratives, and internal executive urgency can all push toward premature conclusions. But serious attribution requires technical depth, cross-border cooperation, intelligence integration, and patience.

The intersection of cyber and geopolitics

Sandworm does an exceptional job illustrating the intersection of cyber operations and national strategy.

These weren't random attacks. They were instruments of geopolitical influence—probing, destabilizing, signaling, and sometimes testing thresholds of response. The book provides rare insight into national security decision-making: when to respond, how to respond, and when not to.

Given today's global tensions, this lens is critical. Cyber is not just an IT problem. It is statecraft.

If you're a CISO or board member who isn't factoring geopolitics into your threat modeling, you're behind.

Nation-states didn't go away

When these events unfolded, nation-state operations dominated cyber headlines. Today, ransomware captures most of the oxygen.

But that doesn't mean state-sponsored exploitation has stopped.

A strategic takeaway from the book: nation-state access and information operations likely continue—quietly—masked in the noise of ransomware and criminal activity. In fact, the blurred lines between state actors and cybercriminal groups raise uncomfortable questions.

Why do some criminal groups operate for years with little consequence from their local governments?

The book doesn't preach—but it invites the reader to connect those dots.

Cascading risk and the supply chain lesson

One of the most powerful case studies centers around the compromise of the Ukrainian accounting software company M.E.Doc.

The infection of their software product cascaded outward, impacting a staggering number of global organizations. It was a supply chain infection before "supply chain risk" became a board-level buzzword.

The uncomfortable truth? Leadership at the compromised company never imagined they would be a target.

That mindset—"why would anyone target us?"—is one of the most dangerous phrases in cybersecurity.

Strategic leaders must think in ecosystems, not silos. Your organization might not be the intended target. You might be the conduit.

Systemic risk and unintended consequences

The attacks described in Sandworm demonstrate how digital disruptions cascade across sectors—energy, logistics, healthcare, shipping.

Complex, interconnected systems fail in nonlinear ways.

This is where cybersecurity leadership intersects with enterprise risk management. The conversation can't just be about patching and detection. It must include:

  • Interdependency mapping
  • Third-party and fourth-party exposure
  • Operational continuity under degraded conditions
  • Manual fallback capabilities

A resilience mindset across generations

One subtle but fascinating observation in the book involves resilience.

Workers in the late stages of their careers—those who had lived through pre-digital processes—were often able to rapidly construct and execute manual workarounds when systems went down. They knew how to operate without automation.

Younger employees, raised in fully digital environments, often struggled more initially.

This isn't a critique of talent. It's a reminder.

True resilience includes the ability to operate in degraded modes. In an era of cloud dependence and AI automation, that lesson matters more than ever.

Know the history of our profession

Another important takeaway: cybersecurity didn't emerge in a vacuum.

The book offers insight into the individuals, researchers, policymakers, and responders who shaped the field through crisis. Understanding what happened, why it happened, and how the response evolved makes us better practitioners.

If you don't understand the history of major cyber operations, you're missing context for today's strategic decisions.

Final thought

For today's information security leaders, board members, and national security leaders, the book is both a warning and a guide.

The threats may evolve. The headlines may shift from nation-states to ransomware. But the strategic realities described in Sandworm are still very much with us.

And if anything, the stakes are higher now.

This article originally appeared on LinkedIn.