Full Report
Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue source. [...]
Analysis Summary
# Threat Actor: Sandworm
## Attribution & Identity
**Attribution:** Russian state-backed hacker group.
**Known Aliases:** APT44 (the designation the source text also uses), Sandworm.
**Associated Groups:** In some reported incidents, access was transferred from UAC-0099 to APT44 for wiper deployment.
## Activity Summary
Sandworm conducted destructive operations between April and September 2025, specifically deploying data-wiping malware variants against Ukrainian entities in June and September 2025. This activity expanded targeting to include Ukraine's vital grain sector, which is its main source of revenue. Earlier in April 2025, APT44 deployed 'ZeroLot' and 'Sting' wipers against a university in Ukraine. While the group has shown recent focus on espionage, destructive data wiper attacks remain a continuous activity against Ukraine.
## Tactics, Techniques & Procedures
- Deployment of multiple data-wiping malware families aimed at destroying digital information (corrupting files, disk partitions, and master boot records).
- Executing wipers through Windows scheduled tasks given innocuous, non-technical names (e.g., 'Sting' was launched by a task named after the Hungarian dish 'goulash').
- In some cases, gaining initial access via cooperation with threat actor UAC-0099 before deploying the wipers.
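The scheduled-task technique above can be hunted for in endpoint telemetry. The following is an added detection example, not code from the article or from any vendor tool: a Python heuristic over constructed records shaped like Windows Security Event ID 4698 ("A scheduled task was created") that flags tasks combining a bare, non-vendor task name with an action launched from a user-writable path. The field layout, directory list and sample paths are assumptions for the example.

```python
import re

# Constructed sample records shaped like Windows Security Event ID 4698
# ("A scheduled task was created"). Fields are simplified from the event's
# TaskName and TaskContent XML; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe", "Arguments": "-c -h -o -$"},
    {"TaskName": r"\goulash",  # innocuous one-word name, as in the TTP above
     "Command": r"C:\ProgramData\svc\upd.exe", "Arguments": ""},
    {"TaskName": r"\Adobe Acrobat Update Task",
     "Command": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
     "Arguments": ""},
    {"TaskName": r"\OneDrive Standalone Update Task-S-1-5-21-1000",
     "Command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "Arguments": ""},
]

# Locations a freshly dropped payload can typically write to (assumed list).
WRITABLE_DIRS = re.compile(
    r"^(?:%temp%|%appdata%|%localappdata%|%programdata%|%public%"
    r"|c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\|c:\\users\\public\\"
    r"|c:\\windows\\temp\\)",
    re.IGNORECASE,
)
BARE_NAME = re.compile(r"\\[a-z0-9_-]+", re.IGNORECASE)  # e.g. "\goulash"
SCRIPT_HOST = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta)(\.exe)?$",
                         re.IGNORECASE)


def score_task(event):
    """Return (score, reasons) for one 4698-style record; each reason adds 1."""
    reasons = []
    name, cmd = event["TaskName"], event["Command"].strip('"')
    # Built-in tasks live under \Microsoft\...; a bare root-level name is unusual.
    if not name.lower().startswith("\\microsoft\\") and BARE_NAME.fullmatch(name):
        reasons.append("bare root-level task name")
    if WRITABLE_DIRS.match(cmd):
        reasons.append("action launched from user-writable path")
    if SCRIPT_HOST.search(cmd):
        reasons.append("action is a script host or interpreter")
    return len(reasons), reasons


def flag_events(events, threshold=2):
    """Names of tasks whose combined indicators reach the threshold."""
    return [e["TaskName"] for e in events if score_task(e)[0] >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["TaskName"], score_task(ev))
```

The threshold of two indicators keeps legitimate per-user updaters (which run from AppData but carry descriptive vendor names) below the alert line.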
## Targeting
- **Sectors:** Education, Government, Energy, Logistics, and the Grain sector (noted as a new focus area due to its economic importance).
- **Geography:** Ukraine.
- **Victims:** Ukrainian entities across the mentioned sectors, including a university (April 2025).
## Tools & Infrastructure
- **Malware families used:** Data-wiping malware variants, specifically 'ZeroLot' and 'Sting' wipers.
- **Infrastructure:** No C2 servers, domains, or IP addresses are detailed in the provided context.
## Implications
The targeting shift towards the grain sector suggests a strategic effort by the actor to weaken Ukraine's war economy by disrupting its primary source of national revenue. Data wipers are built for irrecoverable destruction, so the objective is severe operational disruption rather than the monetary gain sought in ransomware attacks.
## Mitigations
- Maintain backups of critical data on **offline media**, so that a wiper which reaches the production network cannot destroy the backups as well.
- Implement strong endpoint detection and intrusion prevention systems (EDR/IPS).
- Keep all software updated; patching closes initial-access vectors that precede a wide range of attacks, including wiper deployments.