In a significant escalation of cyber warfare tactics, Russia's Sandworm hacking group (APT44) has systematically targeted Ukraine's agricultural backbone using destructive data-wiping malware. According to ESET's latest threat report, attacks in June and September 2025 focused on grain sector entities alongside government, energy, and logistics organizations – a deliberate strike against Ukraine's economic lifeline during wartime.

Why Grain Matters in Digital Combat

Grain exports constitute Ukraine's primary revenue source amid the ongoing conflict, making agricultural infrastructure a strategic target. Sandworm deployed several wiper variants designed to:
- Permanently corrupt files and disk partitions
- Destroy master boot records
- Eliminate recovery possibilities

Unlike ransomware, these tools offer no financial incentive – their sole purpose is operational sabotage. ESET notes this represents a tactical evolution:

"The grain sector stands out as a not-so-frequent target. Considering grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy."

Technical Execution and Collaboration

Sandworm's campaign leveraged known malware families alongside newer variants:
- ZeroLot and Sting wipers deployed against a Ukrainian university via Windows scheduled tasks (one of the tasks was named after the Hungarian dish goulash)
- Initial access frequently provided by UAC-0099 – a separate threat group specializing in breaching Ukrainian organizations
- Consistent targeting patterns across government and critical infrastructure

The attacks demonstrate Sandworm's dual focus: while the group has recently increased its espionage activity, it maintains destructive operations as a core capability.

Broader Implications for Cyber Defense

This shift toward economic infrastructure targeting signals a dangerous precedent in state-sponsored cyber warfare. Defensive measures mirror ransomware protection fundamentals but require heightened vigilance:

1. Air-gapped backups: Maintain offline copies of critical data
2. Endpoint Detection & Response (EDR): Actively hunt for wiper signatures
3. Patch management: Eliminate vulnerabilities enabling initial access
4. Network segmentation: Contain potential blast radius
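The scheduled-task delivery described in the campaign section above, and the "actively hunt" item in the defensive list, can be tied together with a small hunting routine. The following is an added example written for this page; it is not code from ESET, from the report, or from any vendor product. It assumes that scheduled-task creation events (Windows Security event 4698, "A scheduled task was created") have already been collected into a simplified `key=value;` line format, which is a constructed stand-in for whatever your SIEM or EDR actually exports, and the sample records, path patterns and interpreter list are illustrative assumptions rather than signatures from the report.

```python
"""Hunt for suspicious scheduled-task creation in collected Windows Security events.

Constructed example: the SAMPLE_EVENTS below imitate the fields of Windows
Security event 4698 ("A scheduled task was created") in a simplified
key=value; line format. They are not telemetry from the incidents in the article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# User-writable or staging directories from which a dropper commonly runs.
# This list is an assumption for the example, not a vendor signature.
SUSPICIOUS_PATH_PATTERNS = [
    r"\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"\\windows\\temp\\",
    r"\\programdata\\",
    r"\\users\\public\\",
]

# Built-in interpreters frequently used to launch a payload indirectly.
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe",
                "regsvr32.exe", "wscript.exe", "mshta.exe"}

# A task outside the \Microsoft\ namespace is only weak evidence on its own.
LOW_SIGNAL = "task outside the \\Microsoft\\ namespace"


@dataclass
class TaskEvent:
    record_id: int
    subject_user: str
    task_name: str
    command: str
    arguments: str


def parse_event(line: str) -> Optional[TaskEvent]:
    """Parse one constructed 'key=value;' line; return None unless it is event 4698."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)
    if fields.get("EventID") != "4698":
        return None
    return TaskEvent(
        record_id=int(fields["RecordID"]),
        subject_user=fields.get("SubjectUserName", ""),
        task_name=fields.get("TaskName", ""),
        command=fields.get("Command", ""),
        arguments=fields.get("Arguments", ""),
    )


def score_task(ev: TaskEvent) -> List[str]:
    """Return the reasons a task creation looks suspicious (empty list = nothing found)."""
    reasons = []
    cmd_l, args_l = ev.command.lower(), ev.arguments.lower()
    if any(re.search(p, cmd_l) or re.search(p, args_l) for p in SUSPICIOUS_PATH_PATTERNS):
        reasons.append("binary or argument under a user-writable/temp path")
    exe = cmd_l.rsplit("\\", 1)[-1]
    if exe in INTERPRETERS and args_l:
        reasons.append(f"interpreter {exe} launching a payload")
    if not ev.task_name.lower().startswith("\\microsoft\\"):
        reasons.append(LOW_SIGNAL)
    return reasons


def hunt(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (record_id, task_name, reasons) for events with at least one strong indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = score_task(ev)
        if any(r != LOW_SIGNAL for r in reasons):
            findings.append((ev.record_id, ev.task_name, reasons))
    return findings


# Constructed sample records: one benign vendor backup task, two suspicious
# creations (the task name "goulash" echoes the article), and one non-4698 event.
SAMPLE_EVENTS = [
    r"RecordID=101;EventID=4698;SubjectUserName=backupsvc;TaskName=\Microsoft\Windows\Backup\NightlyBackup;Command=C:\Program Files\BackupVendor\bkp.exe;Arguments=--full",
    r"RecordID=102;EventID=4698;SubjectUserName=jdoe;TaskName=\goulash;Command=C:\Users\jdoe\AppData\Local\Temp\svchost.exe;Arguments=",
    r"RecordID=103;EventID=4698;SubjectUserName=admin;TaskName=\Updater;Command=C:\Windows\System32\cmd.exe;Arguments=/c C:\ProgramData\run.bat",
    r"RecordID=104;EventID=4702;SubjectUserName=jdoe;TaskName=\goulash;Command=C:\Users\jdoe\AppData\Local\Temp\svchost.exe;Arguments=",
]

if __name__ == "__main__":
    for record_id, task_name, reasons in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: task {task_name!r}")
        for r in reasons:
            print(f"    - {r}")
```

The scoring deliberately treats a non-Microsoft task name as weak evidence, since plenty of legitimate software registers tasks there; it only raises a finding when the task's binary or arguments point at a staging directory or an interpreter is used to launch something. In practice the same logic would run over events collected through Windows Event Forwarding or an EDR export, and the findings would be correlated with the initial-access activity the article attributes to UAC-0099.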

Concurrently, ESET observed Iranian-aligned groups using open-source-based Go wipers against Israel's energy sector – evidence of proliferating destructive capabilities among nation-state actors.

The New Frontline

When data wipers strike agricultural logistics systems, the damage extends beyond corrupted servers – it starves national coffers and disrupts global food supply chains. For security teams, this underscores that critical infrastructure defense is no longer just about protecting data integrity, but sustaining societal resilience. As cyber warfare increasingly targets economic survival, the grain silo has become as strategically vital as the server room.

Source: ESET Threat Report, November 2025