Russian state-backed hacker group Sandworm has deployed a number of data-wiping malware households in assaults concentrating on Ukraine’s training, authorities, and the grain sector, the nation’s most important income supply.
The assaults occurred in June and September, cybersecurity firm ESET says in a report at the moment, and proceed Sandworm’s (a.ok.a. APT44) string of damaging operations in Ukraine.
Because the title signifies, a knowledge wiper’s objective is to destroy a goal’s digital data by corrupting or deleting recordsdata, disk partitions, and grasp boot data in a method that doesn’t permit restoration. The impression on the goal will be devastating, creating disruptions which are tough to get better from.
Not like ransomware, the place the information is often stolen after which encrypted, wiper malware is used purely in sabotage operations.
After the Russian invasion, Ukraine has been the goal of quite a few information wiper campaigns, most of them attributed to Russian state-sponsored actors, together with PathWiper, HermeticWiper, CaddyWiper, Whispergate, and IsaacWiper.
Harmful assaults proceed
ESET’s new report covers superior persistent risk (APT) exercise between April and September 2025 and presents a number of instances of wipers deployed in Ukraine, a few of them concentrating on the nation’s grain manufacturing.
This can be a new improvement, as attackers are exhibiting that attackers at the moment are specializing in Ukraine’s very important financial sector, as grain exports are the primary supply of revenue, particularly through the battle.
“In June and September, Sandworm deployed a number of data-wiping malware variants towards Ukrainian entities energetic within the governmental, power, logistics, and grain sectors,” explains ESET.
“Though all 4 have beforehand been documented as targets of wiper assaults sooner or later since 2022, the grain sector stands out as a not-so-frequent goal.”
“Contemplating that grain export stays certainly one of Ukraine’s most important sources of income, such concentrating on doubtless displays an try to weaken the nation’s battle economic system.”
APT44 additionally deployed ‘ZeroLot’ and ‘Sting’ wipers in April 2025, concentrating on a college in Ukraine. Sting was executed by a Home windows scheduled process named after the standard Hungarian dish goulash.
It’s famous that preliminary entry for a few of these incidents was achieved by UAC-0099, who then transferred the entry to APT44 for wiper deployment.
UAC-0099 is a risk actor that has been working since not less than 2023 and seems to pay attention its assaults on Ukrainian organizations.
The researchers be aware that whereas Sandworm has just lately proven a larger concentrate on espionage operations, information wiper assaults towards Ukrainian entities stay a steady exercise for the risk group.
ESET additionally recognized Iran-aligned exercise that couldn’t be attributed to a particular risk group, however it’s in line with techniques, methods, and procedures (TTPs) related to Iranian hackers.
In June 2025, these exercise clusters deployed Go-based instruments primarily based on publicly accessible open-source wipers, concentrating on Israel’s power and engineering sectors.
A lot of the steerage for stopping ransomware additionally helps defend towards information wipers. A key step is holding essential information backups on offline media, out of attain of hackers.
Implementing robust endpoint detection and intrusion prevention techniques and sustaining all software program up to date may stop a variety of assaults, together with information wiping incidents.
Whether or not you are cleansing up previous keys or setting guardrails for AI-generated code, this information helps your group construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
