
Russian Sandworm’s Cyber Offensive Targets Ukraine’s Grain Industry Amid Ongoing Digital Warfare

Russian state-backed hacking group Sandworm has escalated cyber warfare, targeting Ukraine's grain industry with data-wiping malware. These attacks, occurring in June and September 2025, aim to destabilize Ukraine's economy by disrupting grain exports—a crucial revenue source. Known for previous malware like PathWiper and HermeticWiper, Sandworm's strategy now includes focused assaults on critical industries. The collaboration with UAC-0099 for initial access highlights the sophisticated, destructive tactics employed. In response, enhanced cybersecurity measures and strategic defenses are vital to protect against such impactful threats.

In a significant escalation of cyber warfare, the Sandworm group—identified as a Russian state-backed hacking collective—has conducted cyber-attacks leveraging data-wiping malware targeting Ukraine’s grain sector, among other critical industries. This incident reflects the continuation of digital assaults designed to destabilize Ukrainian economic stability, particularly by disrupting one of its chief revenue streams, grain exports.

According to cybersecurity intelligence, these attacks were carried out in June and September 2025, continuing the group’s focus on Ukrainian targets that has persisted since Russia’s invasion. Sandworm, also tracked as Advanced Persistent Threat 44 (APT44), has employed a range of malicious software built purely for data destruction. Unlike ransomware, which encrypts data and holds it until a ransom is paid, data wipers remove any possibility of recovery by corrupting or deleting critical files, disk partitions, and master boot records.

Historically, Ukraine has been at the forefront of digital skirmishes, frequently attacked with various data wiper malware types attributed to Russian state-sponsored cyber actors. Previous notable strains of malware include PathWiper, HermeticWiper, CaddyWiper, Whispergate, and IsaacWiper. These tools have been instrumental in a series of debilitating cyber campaigns against Ukrainian infrastructure.

In recent developments, advanced cybersecurity reports reveal focused attacks on sectors critical to Ukraine’s economic resilience, notably the grain industry—considered Ukraine’s economic lifeline during wartime. Reports from leading cybersecurity firms have confirmed the deployment of multiple data-wiping variants aimed at undermining the country’s governmental, energy, logistics, and agricultural sectors. The targeting of the grain sector, a relatively new focus, appears to be a strategic move to weaken Ukraine’s economic defenses further.

In an April 2025 offensive, Sandworm deployed the ‘ZeroLot’ and ‘Sting’ wipers against Ukrainian academic institutions, launching them through Windows scheduled tasks. Disguising the activity behind innocuous, everyday references, such as the Hungarian dish goulash, shows how carefully these operations were made to blend in.
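Because the wipers described above were launched through Windows scheduled tasks, a defender’s first check is the task-registration events in the Security log. The script below is an added example and is not code from the article or from any vendor report it cites: it triages records modelled on Windows Event ID 4698 (“A scheduled task was created”), parses the TaskContent XML to recover the task’s action, and flags tasks whose binary or arguments point at user-writable locations or whose action is a script interpreter. The sample events are constructed, and the path and interpreter heuristics are assumptions chosen for illustration, not thresholds taken from the article.

```python
"""Triage Windows scheduled-task registration events for wiper-style persistence."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used inside the TaskContent field of Event ID 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristic: a payload dropped by a low-privileged account usually has to
# run from a location that account can write to. Illustrative list, not exhaustive.
USER_WRITABLE = re.compile(
    r"^(?:%(?:temp|tmp|appdata|localappdata|public|userprofile)%"
    r"|c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)",
    re.IGNORECASE,
)
# Same locations, anywhere inside the argument string (e.g. a script handed to cmd.exe).
USER_WRITABLE_ANY = re.compile(
    r"(?:%(?:temp|tmp|appdata|localappdata|public)%|c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)",
    re.IGNORECASE,
)
# Interpreters that legitimate scheduled tasks rarely use as their direct action.
INTERPRETERS = re.compile(
    r"(?:^|\\)(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$", re.IGNORECASE
)


def _task_xml(command, arguments=""):
    """Build a minimal TaskContent blob. Constructed sample data, not a captured event."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample records with the field names Event ID 4698 uses.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": r"\Corp\NightlyBackup",
     "TaskContent": _task_xml(r"C:\Program Files\BackupTool\backup.exe", "/full")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\OneDriveUpdate",
     "TaskContent": _task_xml(r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "-q")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Maintenance",
     "TaskContent": _task_xml(r"C:\Windows\System32\cmd.exe", r"/c C:\ProgramData\m.bat")},
    # Event 4702 is "task updated"; the triage below only looks at creations.
    {"EventID": 4702, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _task_xml(r"%windir%\system32\defrag.exe", "-c -h -o")},
]


def parse_task_content(xml_text):
    """Return (command, arguments) of the first Exec action in a TaskContent blob."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS).strip()
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS).strip()
    return cmd, args


def score_event(event):
    """Return the list of heuristics a task-creation event trips (empty if none)."""
    reasons = []
    if event.get("EventID") != 4698:
        return reasons
    cmd, args = parse_task_content(event["TaskContent"])
    if USER_WRITABLE.search(cmd):
        reasons.append("binary in user-writable path")
    if INTERPRETERS.search(cmd):
        reasons.append("interpreter as task action")
    if USER_WRITABLE_ANY.search(args):
        reasons.append("arguments reference user-writable path")
    return reasons


def triage(events):
    """Map TaskName -> reasons for every creation event that trips at least one heuristic."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev["TaskName"]] = reasons
    return hits


if __name__ == "__main__":
    for name, why in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(why)}")
```

In practice the events would come from an exported Security log or a SIEM query rather than the inline list; the heuristics are deliberately simple so they can be tuned against a baseline of the tasks an environment legitimately registers.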

Initial access in these breaches was often provided by a threat actor tracked as UAC-0099, which established the foothold that APT44 then used to deploy its wipers. This division of labour, with one actor handling penetration and another delivering the destructive payload, reflects how these groups coordinate their operations.

Beyond confirming a sustained threat from Russian-aligned groups, these attacks point to a broader shift in Sandworm’s operations from espionage towards sabotage. Alongside them, an emerging set of actors aligned with Iranian hacking tactics has, although not yet directly attributed, shown similar techniques against sectors key to regional adversaries, including Israel’s critical infrastructure.

To fortify defenses against such destructive attacks, security recommendations emphasize the same practices that underpin ransomware defenses: maintaining offline backups of critical data so that it cannot be reached and destroyed, deploying robust endpoint detection and response systems, and applying updates promptly across all software platforms to close known vulnerabilities.

The persistent threat of data wipers and the disruption they inflict on national infrastructure call for proactive cybersecurity strategies. Such efforts must safeguard not only state-run sectors but also the private enterprises that form the economic backbone of targeted states, through up-to-date security controls and collaborative threat-information sharing that helps anticipate and thwart future attacks in this ever-evolving domain of cyber warfare.
