Imagine waking up to find your company's entire digital existence wiped clean – gone in an instant. That's the chilling reality facing organizations targeted by data wipers, and recently, Ukraine's critical grain sector has become a prime target. The Russian state-backed hacking group Sandworm is suspected of wielding these digital wrecking balls, aiming to cripple a vital source of revenue for the war-torn nation.
But here's where it gets controversial... While the evidence points strongly toward Sandworm, definitively attributing cyberattacks is notoriously difficult. Could there be other actors involved, perhaps even masquerading as Sandworm to sow further discord?
Cybersecurity firm ESET has revealed a disturbing pattern: multiple data-wiping malware families deployed against Ukraine's education, government, and, crucially, its grain sector during June and September of this year. These attacks represent a continuation of Sandworm's (also known as APT44) history of destructive operations in the region, a campaign that started well before the current conflict.
So, what exactly is a data wiper? Think of it as a digital eraser on steroids. Unlike ransomware, which holds your data hostage for a ransom, a data wiper's sole purpose is annihilation. It corrupts or deletes files, partitions, and master boot records, leaving your digital landscape barren and often unrecoverable. The impact can be devastating, leading to prolonged disruptions and significant financial losses. Imagine a farmer's entire harvest record, planting schedules, and financial data simply vanishing overnight. That's the potential fallout.
Since the Russian invasion, Ukraine has endured a relentless barrage of data wiper attacks. Names like PathWiper, HermeticWiper, CaddyWiper, WhisperGate, and IsaacWiper have become grim reminders of the ongoing cyber warfare. These attacks, largely attributed to Russian state-sponsored actors, highlight the strategic importance of data destruction in modern conflict.
ESET's latest report, covering April to September 2025, details specific instances of wipers targeting Ukraine, with a new and alarming focus on the grain production industry. This is a significant escalation because Ukraine's grain exports are a cornerstone of its economy, particularly during wartime. Targeting this sector is a direct attempt to weaken the country's financial resilience.
"In June and September, Sandworm deployed multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors," ESET explains. And this is the part most people miss... While previous attacks have targeted government and energy infrastructure, the explicit focus on the grain sector signifies a shift in strategy.
APT44 also deployed 'ZeroLot' and 'Sting' wipers in April 2025, targeting a Ukrainian university. Interestingly, the 'Sting' wiper was executed through a Windows scheduled task cleverly named after "goulash," a traditional Hungarian dish. This seemingly innocuous name shows the attackers' attention to detail and their attempts to blend into the background.
The initial access for some of these attacks was facilitated by another threat actor, UAC-0099, who then passed the baton to APT44 for the wiper deployment. UAC-0099, active since at least 2023, appears to specialize in targeting Ukrainian organizations, acting as a digital reconnaissance unit for Sandworm.
It's worth noting that while Sandworm has recently increased its focus on espionage, data wiper attacks against Ukrainian entities remain a core activity. This suggests a multi-pronged approach: gather intelligence while simultaneously disrupting critical infrastructure.
ESET also uncovered activity aligned with Iranian tactics, techniques, and procedures (TTPs), although they couldn't definitively attribute it to a specific Iranian group. In June 2025, these actors deployed Go-based tools derived from publicly available open-source wipers, targeting Israel's energy and engineering sectors. This highlights the global nature of cyber threats and the interconnectedness of international actors.
The good news? Many of the security measures used to defend against ransomware are also effective against data wipers. Regularly backing up critical data on offline media, implementing robust endpoint detection and intrusion prevention systems, and keeping all software updated are crucial steps. These proactive measures can significantly reduce the risk of falling victim to a data-wiping attack.
What are your thoughts on this? Is the focus on Ukraine's grain sector a war crime, or simply a strategic move in a larger conflict? And with so many actors involved, how can we ever truly be certain who's behind these devastating attacks? Share your opinions in the comments below!