Ukraine’s agricultural economy has become the latest battlefield in Russia’s ongoing cyberwarfare campaign. According to cybersecurity firm ESET, the Russian state-backed hacker group Sandworm—also known as APT44—has unleashed a new wave of data-wiping malware attacks against Ukraine’s education, government, energy, logistics, and grain sectors throughout 2025.
ESET’s report reveals that multiple destructive malware families were deployed in June and September, marking a strategic escalation from espionage to economic sabotage. Unlike ransomware, which seeks financial gain through encryption and extortion, data wipers are designed purely to erase or corrupt digital information, leaving no chance of recovery. This level of destruction can cripple organizations by wiping out operational data, disrupting critical systems, and halting supply chains.
Ukraine’s grain sector, a cornerstone of the nation’s economy, is now squarely in Sandworm’s crosshairs. The report notes that this marks a troubling shift, as grain production and export are key sources of wartime revenue for Ukraine. “Targeting this industry represents an attempt to weaken the country’s war economy,” ESET researchers said. By paralyzing agricultural operations and logistics systems, attackers could directly impact Ukraine’s export capacity and global food supply chains.
Sandworm’s recent campaigns used several previously documented malware strains alongside two new wipers, “ZeroLot” and “Sting.” In April 2025, these variants were deployed against a Ukrainian university. The Sting malware was disguised under a Windows scheduled task humorously named after “goulash,” a traditional Hungarian dish—an example of the hackers’ dark irony.
ESET’s findings also point to UAC-0099, another threat actor believed to have facilitated initial system access before handing control over to Sandworm for the actual deployment of wipers. Active since at least 2023, UAC-0099 focuses on infiltrating Ukrainian infrastructure networks and providing footholds for more sophisticated cyber units like APT44.
Interestingly, while Sandworm has shown increased interest in espionage operations in recent months, its destructive wiper attacks remain consistent, indicating a dual approach: gathering intelligence while simultaneously crippling critical sectors.
The report also highlights a parallel cluster of Iran-aligned cyber activity, where hackers used Go-based open-source wipers targeting Israel’s energy and engineering industries in June 2025. Though unrelated to Sandworm, this suggests a broader trend of nation-state actors turning to destructive cyber tactics as a tool of geopolitical pressure.
Cybersecurity experts emphasize that many defenses effective against ransomware—such as offline data backups, strong endpoint protection, and regular software updates—are equally vital for mitigating wiper attacks. Robust network segmentation and threat monitoring systems can help organizations detect intrusions before irreversible damage occurs.
In conclusion, the renewed wave of Sandworm attacks signals a dangerous evolution in hybrid warfare, where digital destruction is used to weaken economies as effectively as traditional weapons. As Ukraine continues to resist both physical and cyber assaults, protecting critical sectors like agriculture has become not just an economic imperative but a matter of national resilience.