Sandworm wiper attacks escalated this year, with researchers confirming new destructive campaigns that now extend into Ukraine’s grain industry. The operations, attributed to the Russian state-aligned Sandworm group, also hit government, energy, and logistics targets, raising fresh alarms for critical infrastructure defenders.
Sandworm wiper attacks target grain sector
Security firm ESET reported that the attackers deployed multiple new wiper strains across several operations in 2025. In April, the group hit a Ukrainian university with two distinct wipers, which ESET calls Sting and ZEROLOT, to irreversibly destroy data on Windows systems. Activity resumed in June and September against a wider set of targets, including organizations essential to public services and national resilience. Notably, researchers said the grain sector appeared among the victims, a choice that is unusual and strategically significant.
Targeting grain producers and exporters risks disrupting a major source of Ukraine’s revenue. As a result, the intent appears both economic and psychological, aiming to degrade capacity and confidence. The shift also expands Sandworm’s long-running use of wipers, a class of malware designed to cripple operations rather than extort payments. This tactic mirrors past destructive campaigns, including the globally impactful NotPetya incident, which started in Ukraine and then spread across borders (CISA background).
How the new wipers work
ESET’s analysis describes coordinated execution across fleets of machines. In the April university attack, the researchers observed one of the wipers being launched through a scheduled task named “DavaniGulyashaSdeshka,” a phrase drawn from Russian slang. Staging a wiper as a scheduled task is a way to fire it on many hosts at a chosen moment, which points to operators prioritizing speed and breadth over stealth: fast lateral deployment followed by irreversible damage. The use of multiple variants across the campaigns also suggests iterative testing and rapid evolution.
Wipers typically overwrite critical file structures, corrupt partitions, or destroy master boot records. Consequently, ordinary recovery becomes impossible without robust, offline backups. In many cases, systems must be rebuilt from scratch. Because these payloads often arrive alongside credential theft and remote management abuse, defenders face a compressed timeline. Moreover, the first visible sign of compromise may be the wipe event itself.
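As an added illustration of the detection side of this (example code written for this page, not ESET's analysis or tooling), the script below runs three simple hunting rules over constructed Windows Security and Sysmon records: a scheduled task whose action lives in a user-writable path, a shadow-copy deletion command, and raw disk access by a binary outside an assumed allowlist. Event ID 4698 (task created), Sysmon Event ID 1 (process create) and Sysmon Event ID 9 (raw access read) are real Windows identifiers; the host name, paths, JSON field names and the allowlist are assumptions, and the task name is reused only to mirror the text.

```python
"""Hunting rules for wiper precursors in Windows and Sysmon telemetry.

Added example for this page; not ESET's tooling. Input records are constructed
dicts in the shape a SIEM export might take; field names, host names, paths and
the allowlist are assumptions."""
import re

# Paths an unprivileged user can write to; a task action here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

# Commands that remove recovery options ahead of destructive activity.
SHADOW_DELETE = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?.*recoveryenabled\s+no",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
)]

# Assumed allowlist of system binaries expected to read raw volumes (Sysmon 9).
RAW_ACCESS_EXPECTED = re.compile(
    r"^[A-Za-z]:\\Windows\\System32\\(vds|vdsldr|svchost|defrag|wininit)\.exe$", re.I)

# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    # Security 4698: task whose action sits in a user-writable directory
    {"host": "lab-ws01", "event_id": 4698, "provider": "Security",
     "task_name": "\\DavaniGulyashaSdeshka",
     "task_command": "C:\\Users\\Public\\svchost.exe"},
    # Security 4698: benign task from a system location
    {"host": "lab-ws01", "event_id": 4698, "provider": "Security",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_command": "%windir%\\system32\\defrag.exe"},
    # Sysmon 1: shadow copies deleted before the wipe
    {"host": "lab-ws01", "event_id": 1, "provider": "Sysmon",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    # Sysmon 9: raw volume read by the binary in Users\Public
    {"host": "lab-ws01", "event_id": 9, "provider": "Sysmon",
     "image": "C:\\Users\\Public\\svchost.exe",
     "device": "\\Device\\HarddiskVolume1"},
    # Sysmon 9: raw volume read by an allowlisted system component
    {"host": "lab-ws01", "event_id": 9, "provider": "Sysmon",
     "image": "C:\\Windows\\System32\\vds.exe",
     "device": "\\Device\\HarddiskVolume1"},
]


def _alert(rule, ev, detail):
    return {"rule": rule, "host": ev.get("host", "?"), "detail": detail}


def hunt(events):
    """Apply the three rules to a sequence of event dicts; returns alerts in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 4698 and ev.get("provider") == "Security":
            cmd = ev.get("task_command", "")
            if USER_WRITABLE.search(cmd):
                alerts.append(_alert("scheduled_task_user_writable_path", ev,
                                     f"{ev.get('task_name')} -> {cmd}"))
        elif eid == 1 and ev.get("provider") == "Sysmon":
            cl = ev.get("command_line", "")
            if any(p.search(cl) for p in SHADOW_DELETE):
                alerts.append(_alert("shadow_copy_deletion", ev, cl))
        elif eid == 9 and ev.get("provider") == "Sysmon":
            img = ev.get("image", "")
            if not RAW_ACCESS_EXPECTED.match(img):
                alerts.append(_alert("raw_disk_access_unexpected", ev,
                                     f"{img} read {ev.get('device')}"))
    return alerts


def isolate_candidates(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: candidates for immediate isolation."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
    print("isolate:", isolate_candidates(found))
```

Each rule on its own is noisy in a real estate (administrators do delete shadow copies, and backup agents do read raw volumes), which is why the isolation decision keys on several rules firing on the same host rather than on any single hit; tune the allowlist to your own imaging and backup tooling before relying on the raw-access rule.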
Critical infrastructure at risk
The latest wave underscores a persistent threat to energy, logistics, and public administration. Industrial environments face additional hazards because operational technology often interlocks with IT networks. Therefore, a wiper unleashed on corporate systems can cascade into plants, terminals, or depots. The economic spillover can be severe, especially when attacks coincide with peak demand or export windows. Furthermore, recovery in heavy industry is slower due to specialized hardware and compliance obligations.
Ukraine’s defenders have encountered destructive malware repeatedly since 2022. Microsoft and others have documented dozens of such operations, noting the blend of espionage, disruption, and information warfare involved (Microsoft overview). In turn, European and US agencies have published guidance to harden networks and prepare for rapid isolation. Because supply chains cross borders, organizations outside the immediate conflict zone also need to assess indirect risk.
What organizations should do now
Defenders can reduce exposure with layered measures. First, segment networks to contain lateral movement, and enforce least-privilege access. Next, maintain immutable, offline backups and test restoration paths regularly. Additionally, deploy endpoint detection and response across servers and workstations to spot early-stage activity, such as unusual scheduled tasks or remote tool use. As a result, responders can quarantine compromised hosts faster.
Organizations should also monitor for destructive indicators and validate secure boot, signed binaries, and firmware integrity. Moreover, tabletop exercises that include wiper scenarios help teams practice rapid isolation and rebuilds. Public advisories from CISA and partners include practical checklists for preparation and response, which remain relevant as wiper families evolve (CISA advisory on destructive malware). For broader threat context, ESET’s research library provides technical analyses that inform detection engineering and hunting strategies (ESET WeLiveSecurity).
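As an added example (written for this page, not from CISA, ESET or any vendor), the following Python builds a SHA-256 manifest of a backup set, seals it with an HMAC under a key that would be held offline with the backup, and later verifies a restored tree against it, reporting missing, modified and unexpected files. The drill function stands in for the scheduled restore test the text recommends: it backs up a constructed directory, damages the restored copy the way a wipe would, and checks that verification catches it. File names, contents and the key are constructed for the demo.

```python
"""Backup manifest build, seal and restore verification.

Added example for this page; not the page's or any vendor's code. Demonstrates
the 'test restoration paths regularly' step with constructed files."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    """Serialize the manifest with an HMAC-SHA256 tag so tampering is detectable.
    The key is assumed to live offline, next to the immutable copy, not on the share."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def open_manifest(blob: bytes, key: bytes) -> dict[str, str]:
    """Verify the tag before trusting any digest in the manifest."""
    doc = json.loads(blob)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest integrity check failed")
    return doc["manifest"]


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest; all three lists empty means a clean restore."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in set(manifest) & set(current) if manifest[p] != current[p])
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def restore_drill(key: bytes = b"offline-key-held-on-paper") -> dict[str, list[str]]:
    """Simulated drill: back up, damage the restored copy as a wiper would, verify.
    Directory layout, file contents and the key are constructed for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "config").mkdir(parents=True)
        (src / "ledger.csv").write_text("lot,tonnes\nA1,120\n")
        (src / "config" / "plc.ini").write_text("[hmi]\nhost=10.0.0.5\n")
        sealed = seal_manifest(build_manifest(src), key)

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        # Simulate damage: one file overwritten with zeros, one deleted, one stray file added
        (restored / "ledger.csv").write_bytes(b"\x00" * 16)
        (restored / "config" / "plc.ini").unlink()
        (restored / "config" / "stray.tmp").write_text("x")
        return verify_restore(restored, open_manifest(sealed, key))


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

The manifest only proves something if the adversary who can wipe the primary systems cannot also rewrite it: store the sealed manifest and its key with the offline copy, and treat a failed `open_manifest` as a sign the backup chain itself was reached.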
Why the grain sector matters
Attacks on grain businesses threaten more than balance sheets. Because grain export revenues support national budgets, disruption has strategic effects. Insurance premiums can rise, and transport schedules may slip. Therefore, even limited outages can alter pricing and shipping priorities. Moreover, downtime at mills, silos, or rail hubs compounds as perishable inventories and seasonal yields collide with operational delays. For adversaries, that leverage is attractive.
Security teams within agriculture and food logistics should baseline critical processes and build rapid-switch procedures. For example, fallback to manual workflows, pre-staged hardware images, and spare PCs or HMIs can speed recovery. Additionally, agreements with third-party integrators should include guaranteed incident support and validated firmware sources. In particular, vetting remote access for vendors reduces surprise pathways into industrial networks.
Wider context for cyber defense
Defensive capabilities increasingly rely on high-fidelity telemetry and rapid analytics. Consequently, many security teams are modernizing data pipelines and experimenting with machine learning to detect destructive behavior earlier. Research groups and vendors alike continue to scale these workloads, and advances in AI infrastructure can help. For instance, NVIDIA recently highlighted performance improvements for training large mixture-of-experts models in PyTorch, which could accelerate experimentation on large security datasets (NVIDIA technical blog). While not a direct counter to wipers, faster model iteration supports faster detection research.
At the same time, basic hygiene remains the highest-return investment. Patch management, multifactor authentication, and monitored remote access still block many initial intrusions. Therefore, pairing fundamentals with improved analytics offers the best odds against fast-moving, destructive operations.
Outlook
Researchers expect continued pressure on Ukraine’s critical sectors, with opportunistic spillover risk abroad. Because wiper campaigns aim to destroy rather than monetize, victims need resilient recovery plans as much as preventive controls. Moreover, international information sharing will be vital as operators iterate on techniques and payloads. As a result, timely detection, tested backups, and practiced incident response remain the decisive factors in limiting the damage from the next destructive wave.