The Russian state-backed hacking group Sandworm has escalated its destructive cyber-campaign against Ukraine, targeting the nation’s vital grain-export infrastructure with multiple data-wiping malware variants. These attacks mark a troubling shift in focus, from government and energy sectors to the broader economic framework underpinning wartime resilience.
Destructive Wiper Campaign Hits Agriculture and Logistics in Ukraine
According to a recent report by cybersecurity firm ESET, Sandworm deployed several wipers during June and September 2025, striking entities in Ukraine’s grain industry after earlier targeting education and government systems. The grain sector has not traditionally been a primary target for destructive cyber-operations, but because it remains one of Ukraine’s chief sources of revenue, the shift appears to reflect a strategic move to undermine the country’s economy.
The attackers used wiper malware specifically designed to overwrite files, destroy disk partitions and sabotage recovery mechanisms. Unlike ransomware, which seeks to extort victims, these wipers serve purely destructive purposes. The ESET researchers noted that the attacks:
- Targeted the grain, logistics and government sectors during mid-2025
- Employed wiper families such as “ZeroLot” and “Sting” in April and later waves
- Gained initial access via a proxy threat actor tracked as UAC-0099, which then handed off to Sandworm for execution
The intrusion chain typically involved the initial breach by UAC-0099, followed by lateral movement and wiper deployment by Sandworm, exploiting network tools and scheduled-task automation.
Why This Shift to Agriculture Raises Alarms
Ukraine’s grain exports have long been a central pillar of the country’s economic and wartime logistics strategy. The targeting of this sector suggests malicious intent beyond mere disruption of IT systems: it is a direct assault on national revenue, export capacity and global food-supply stability. One ESET analyst concluded, “Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy.”
Given the interconnected nature of agriculture, logistics, shipping and supply chains, a successful cyber-attack in this domain could ripple across global food markets. The use of wipers rather than ransomware underscores the message: this isn’t about profit, it’s about strategic damage.
Indicators of Compromise and Technical Tradecraft
Some of the wipers attributed to Sandworm in these campaigns contained hallmarks of previously documented destructive operations:
- Deletion or corruption of master boot records (MBRs) and volume shadow copies to prevent recovery
- Deployment via scheduled tasks using legitimate administration channels, exploiting Active Directory group-policy objects (GPOs)
- Use of newly compiled wiper binaries tailored for each victim to avoid generic detection
- Minimal attempts at encryption or ransom, focusing wholly on data destruction
In one instance, the malware variant “Sting” was executed through a scheduled task named after the Hungarian dish “goulash” — a small but telling example of how the attackers obfuscate their tools under unfamiliar names.
What Defenders in Agricultural and Supply-Chain Sectors Must Know
Organisations in agriculture, supply-chain, logistics and export sectors should not assume they are immune to cyber-warfare tactics because they are civilian. The following counter-measures are essential:
- Maintain offline backups with air-gap separation to defend against wiper-style attacks
- Monitor event logs and scheduled tasks for anomalous creation or execution of unknown tasks
- Enforce least-privilege access strictly and segment commodity-management and export systems from general IT networks
- Perform regular tabletop exercises and incident-response planning that include destructive malware scenarios
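One way to act on the scheduled-task monitoring item above, as an added example that is not taken from the ESET report: the Python code below reviews exported Windows Security events with ID 4698 (a scheduled task was created) and reports tasks whose name is not in an approved baseline or whose action runs from outside trusted directories. The baseline, the trusted directories, the function names and the sample events are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Assumed baseline: approved task names and directories their actions may run from.
BASELINE = {"\\BackupNightly"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def review_task_event(event_xml):
    """Return (task_name, reasons) for a 4698 event, or None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{{{EVT_NS}}}System/{{{EVT_NS}}}EventID") != "4698":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iter(f"{{{EVT_NS}}}Data")}
    name, reasons = data.get("TaskName", ""), []
    if name not in BASELINE:
        reasons.append("task name not in baseline")
    try:  # TaskContent carries the full task definition as embedded XML
        task = ET.fromstring(data.get("TaskContent", ""))
        commands = [c.text or "" for c in task.iter(f"{{{TASK_NS}}}Command")]
    except ET.ParseError:
        commands = []
        reasons.append("task definition could not be parsed")
    for cmd in commands:
        # Bare names and %VAR% paths are also reported; resolve them before triage.
        if not cmd.strip('"').lower().startswith(TRUSTED_DIRS):
            reasons.append(f"action outside trusted directories: {cmd}")
    return name, reasons

def flag_new_tasks(events):
    """Review every event and keep only task creations with at least one reason."""
    reviewed = (review_task_event(e) for e in events)
    return [r for r in reviewed if r and r[1]]

def make_event(event_id, task_name, command):  # builds constructed sample events
    task = (f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{escape(command)}'
            f'</Command></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample data, not taken from the ESET report
    make_event(4698, "\\BackupNightly", "C:\\Program Files\\Backup\\agent.exe"),
    make_event(4698, "\\ExampleUnknownTask", "C:\\Users\\Public\\update.exe"),
    make_event(4624, "", ""),
]

if __name__ == "__main__":
    for name, reasons in flag_new_tasks(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Event 4698 is only written when auditing of "Other Object Access Events" is enabled, so confirm that audit policy is applied before relying on this check.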
Bigger Picture: Cyber-Warfare Meets Economic Weaponisation
This shift in target selection illustrates a broader trend: cyber-operations are increasingly aimed at degrading economic systems, not just tactical or infrastructure components. For Ukraine, whose financial resilience is closely tied to grain exports, such attacks add a covert dimension to the battlefield. Globally, businesses tied into supply chains and logistics must recognise that cyber-threats may now extend beyond IT disruptions into sectors once considered inconsequential to nation-state actors.