Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue source.
The attacks occurred in June and September, cybersecurity company ESET says in a report today, and continue Sandworm's (a.k.a. APT44) string of destructive operations in Ukraine.
As the name indicates, a data wiper's purpose is to destroy a target's digital information by corrupting or deleting files, disk partitions, and master boot records in a way that does not allow recovery. The impact on the target can be devastating, creating disruptions that are difficult to recover from.
Unlike ransomware, where the data is typically stolen and then encrypted, wiper malware is used purely in sabotage operations.
After the Russian invasion, Ukraine has been the target of numerous data wiper campaigns, most of them attributed to Russian state-sponsored actors, including PathWiper, HermeticWiper, CaddyWiper, Whispergate, and IsaacWiper.
Destructive attacks continue
ESET's new report covers advanced persistent threat (APT) activity between April and September 2025 and presents several cases of wipers deployed in Ukraine, some of them targeting the country’s grain production.
This is a new development, as attackers are showing that attackers are now focusing on Ukraine’s vital economic sector, as grain exports are the main source of income, especially during the war.
“In June and September, Sandworm deployed multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors,” explains ESET.
“Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target.”
... continue reading