Russia’s Sandworm hackers deploying wipers against Ukraine’s grain industry

Ukraine’s grain industry has become the latest target of the notorious Russian state-backed hacking unit Sandworm, amid Moscow's ongoing efforts to undermine the country’s wartime economy.

According to new research from the Slovak cybersecurity firm ESET, the Kremlin-linked group deployed multiple data-wiping malware strains against Ukrainian organizations in the grain, energy, logistics, and government sectors between June and September. While wiper attacks have frequently hit Ukrainian infrastructure since Russia’s invasion, the agricultural industry — a key source of the country’s export revenue — has rarely been targeted directly.

Sandworm, which Western intelligence agencies link to Russia’s military intelligence service (GRU), is behind some of the most damaging cyberattacks in Ukraine’s history — including the 2015 power grid blackout, the 2017 NotPetya malware outbreak, and last year’s hack of major telecom provider Kyivstar.

ESET said the recent operations included two wipers, Zerolot and Sting, deployed in April against a Ukrainian university, followed by additional waves against grain and energy firms. Wiper malware is designed to permanently erase data and disrupt operations.

The company also linked the attacks to another hacker group, known as UAC-0099, which allegedly carried out initial intrusions before passing access to Sandworm. UAC-0099 has been active since at least 2022, targeting Ukrainian government and defense institutions in espionage campaigns, according to Ukraine’s computer emergency response team (CERT-UA).

“These destructive attacks by Sandworm are a reminder that wipers remain a frequent tool of Russia-aligned threat actors in Ukraine,” ESET said.

Although some reports suggested a shift toward espionage activities by such groups in late 2024, researchers said Sandworm has continued to conduct wiper attacks against Ukrainian entities on a regular basis since early 2025.

Ukraine’s cyber authorities have repeatedly warned that Russian threat actors, including Sandworm, often coordinate such operations with missile and drone strikes to amplify their impact.

Beyond Ukraine, ESET noted that Russian hacking groups including RomCom and Gamaredon continue targeting European Union member states, often focusing on entities linked to Ukraine’s defense or logistics networks.

“Even non-Ukrainian targets often present some apparent links with Ukraine and its overall war effort,” the researchers wrote, “strongly suggesting that the conflict continues to mobilize most of Russia’s intelligence attention and resources.”