The Russian state-backed hacker group Sandworm, also known as APT44, has escalated its campaign of digital sabotage against Ukraine by deploying multiple data-wiping malware families against the country’s education and government sectors and its crucial grain sector, the country’s main source of revenue. These destructive operations, which took place in June and September, continue Sandworm’s string of targeted attacks, as detailed in a recent report by cybersecurity firm ESET. Unlike ransomware, which typically steals and encrypts data to demand a ransom, a data wiper’s sole purpose is destruction: it corrupts or deletes digital information such as files and master boot records without the possibility of recovery, causing devastating disruptions that are difficult to rebuild from. Since the invasion, Ukraine has faced numerous such campaigns, mostly attributed to Russian state-sponsored actors, including previously documented malware like PathWiper, HermeticWiper, and CaddyWiper.
ESET’s new analysis, covering APT activity from April to September 2025, highlights the deployment of various wipers in Ukraine, most notably the attacks targeting the nation’s grain production. This focus on a vital economic sector is a significant new development, indicating the attackers are attempting to weaken Ukraine’s ability to finance its war efforts, given that grain exports are a primary source of income. ESET reported that in June and September, Sandworm specifically utilized multiple malware variants against governmental, energy, logistics, and grain entities. While the other sectors have been hit since 2022, the concentration on the grain sector stands out as a clear effort to destabilize the country’s main economic pillar.
The APT44 group also deployed additional wipers named ‘ZeroLot’ and ‘Sting’ in April 2025, which were used to target a Ukrainian university. Interestingly, ‘Sting’ was executed via a Windows scheduled task named after the traditional Hungarian dish goulash. Researchers also observed that initial access for some of these incidents was first gained by another threat actor, UAC-0099, a group operating since at least 2023 and focused primarily on Ukrainian organizations. UAC-0099 then transferred that access to APT44 for the final deployment of the destructive wipers.
While Sandworm has recently dedicated more resources to espionage operations, data wiper attacks against Ukrainian entities remain a persistent and continuous activity for the group. ESET also identified activity consistent with the tactics of Iranian-aligned hackers, though it was not attributed to a specific group. In a separate incident in June 2025, these Iranian-aligned clusters deployed Go-based tools derived from publicly available open-source wipers, targeting Israel’s energy and engineering sectors, which underscores the broader use of this destructive malware type by state-sponsored actors.
Fortunately, much of the guidance for defending against ransomware is also effective for mitigating data wiper attacks. The most critical step is maintaining offline backups of all critical data, ensuring they are physically or logically segregated and unreachable by hackers who gain network access. In addition, organizations should implement robust endpoint detection and intrusion prevention systems and diligently keep all software up to date, as these defenses can effectively prevent a wide range of attacks, including data wiping incidents.