Photo by SCARECROW artworks on Unsplash
For years, cyberwarfare has been a silent front in global conflicts—but what’s happening behind Ukraine’s digital walls right now is anything but quiet.
Russian state-backed hacking group Sandworm, widely feared and highly sophisticated, has ramped up a wave of destructive cyberattacks in Ukraine this year. The attacks don’t just aim to snoop or steal—they’re designed to destroy. We’re talking about malware that erases entire systems and grinds operations to a halt.
What’s Happening on the Ground (or Rather, the Grid)
Photo by Maciej Rusek on Unsplash
The group, part of Russia’s military intelligence (the GRU), has been busy launching wiper malware at Ukrainian targets throughout 2025. According to researchers at cybersecurity firm ESET, attacks were carried out in April, June, and September, striking everything from universities to energy companies.
In April, for instance, a Ukrainian university was hit by two separate types of wiper malware—one called “Sting” and another named “Zerlot.” The Sting variant was deployed using a scheduled task with a quirky Russian phrase: “DavaniGulyashaSdeshka.” It loosely translates to “eat some goulash.” It’s darkly ironic, considering the malware it triggered left systems starved of data.
Then came more wiper attacks in June and September, hitting critical sectors: government, logistics, and energy. But one target raised eyebrows more than others—Ukraine’s grain industry.
Why Target Grain?
Photo by Christophe Maertens on Unsplash
Grain isn’t just food in Ukraine—it’s a major part of its economy. Given how central agriculture is to Ukraine’s revenue, ESET notes that Sandworm’s attacks on this sector are likely meant to cripple the country’s ability to fund its own defense.
Grain exports, like electricity and logistics infrastructure, are critical lifelines. Attacking them isn’t just sabotage—it’s strategy.
What Are Wipers, Really?
Wipers do exactly what they sound like: they wipe data. Unlike ransomware, which locks data and demands payment, wipers destroy everything beyond repair. There’s no negotiating. No coming back.
Sound familiar? You might remember the NotPetya malware back in 2017. It started in Ukraine and spread worldwide, causing billions in damages. That, too, was a wiper. And guess who was behind it? Sandworm.
In fact, this tactic goes back at least a decade with this group. In 2016 and 2017, they took down parts of Ukraine’s electrical grid, leaving thousands without power during winter.
Since then, Russia-linked wiper campaigns have hit various Ukrainian targets: a TV station in Kyiv, government networks, and even 10,000 satellite modems in one 2022 attack.
Who Else Is Involved?
It’s not just Sandworm. Other Russian-affiliated hacking groups have joined in.
- RomCom exploited a WinRAR zero-day vulnerability to deliver malware.
- Gamaredon launched its own wiper attacks.
- UAC-0099 acted as the spear-phishing scout, giving Sandworm the foothold it needed.
While collaboration between these hacker groups is rare (think rival factions inside a larger machine), ESET noted that some of these attacks had different teams working in sync—despite their usual competition.
What This Tells Us About Cyberwar in 2025
Despite claims that Russia’s cyber efforts were shifting toward espionage in late 2024, ESET’s research makes it clear: destructive attacks haven’t stopped—they’ve only picked up pace.
ESET warns that wipers remain one of the Kremlin’s tools of choice. And Sandworm? They’re using it whenever and wherever the opportunity strikes.
If anything, this is a grim reminder that in modern warfare, key targets aren’t just military—they’re digital. University networks. Farming operations. TV stations. Malware like Sting and Zerlot don’t just delete files—they erase stability.
Whether you’re in cybersecurity or just trying to understand how tech is shaping conflict, there’s a clear takeaway: today’s wars aren’t only about land or air—they’re about bytes.
🗝️ Keywords: Sandworm, Ukraine cyberattacks, wiper malware, Russian hacking, destructive malware, GRU cyber operations, Zerlot, Sting malware, RomCom, UAC-0099, Gamaredon, NotPetya, grain industry cyberattack, cyberwarfare 2025 📌 Stay informed. Stay curious.
