One of the world’s most ruthless and advanced hacking groups, the Russian state-controlled Sandworm, has launched a series of destructive cyberattacks in the ongoing war against neighboring Ukraine, researchers reported Thursday.
In April, Sandworm targeted a Ukrainian university using two types of wipers—a form of malware designed to permanently destroy sensitive data and often the infrastructure storing it. One wiper, tracked under the name Sting, targeted fleets of Windows computers by scheduling a task named **DavaniGulyashaSdeshka**, a phrase derived from Russian slang that loosely translates to “eat some goulash,” according to researchers from ESET. The other wiper used in the attack is tracked as Zerlot.
### A Not-So-Common Target
In June and September, Sandworm unleashed multiple variants of wipers against a range of critical infrastructure targets in Ukraine, including organizations in government, energy, and logistics sectors. These targets have long been in the crosshairs of Russian hackers.
However, there was a fourth, less common target: organizations in Ukraine’s grain industry. “Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target,” ESET noted. “Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy.”
### The History and Impact of Wipers
Wipers have been a favored tool of Russian hackers since at least 2012, notably through the spread of the NotPetya worm. This self-replicating malware initially targeted Ukraine but quickly spiraled out of control, causing global chaos within hours. NotPetya resulted in tens of billions of dollars in financial damages after shutting down thousands of organizations worldwide, many for days or even weeks.
In 2016 and 2017, Sandworm was responsible for taking down parts of Ukraine’s electricity grid using destructive malware sharing characteristics with wipers. These attacks left many Ukrainians without heat during the harsh winter months.
More recently, researchers have linked the Kremlin to over a dozen other wiper attacks targeting Ukraine. Examples include a 2022 attack that disabled 10,000 satellite modems within the country and another that targeted a Kyiv TV station. Other recent wiper-related attacks by Russian state hackers include one tracked as WhisperGate, which targeted Ukrainian government and IT sector networks, alongside another assault impacting hundreds of similar organizations.
### Multiple Russian Groups Involved
Not all attacks have been attributed directly to Sandworm, a group active for nearly two decades and operating under the GRU, Russia’s military intelligence agency. Some wiper attacks have been carried out by other groups reportedly working for different branches of the Russian government.
ESET has observed similar attacks by these groups continuing through 2024. For instance, one group identified by ESET as RomCom exploited a zero-day vulnerability in the WinRAR file compression utility to install malware on Ukrainian systems. The group Gamaredon has also carried out separate wiper attacks over the past 11 months.
In certain cases, collaboration occurred between different Russian hacking groups. During some Sandworm wiper attacks, a group tracked as **UAC-0099** gained initial access through spear phishing campaigns targeting victims. ESET described this cooperation as unusual, given the typically fierce rivalry among Russian cyber groups.
### Looking Ahead
ESET’s recent findings suggest that wiper malware, a long-preferred cyberweapon of the Kremlin, will remain a significant threat for the foreseeable future.
“These destructive attacks by Sandworm are a reminder that wipers continue to be frequently used by Russia-aligned threat actors in Ukraine,” ESET said. “Although reports suggested a possible shift towards espionage activities by such groups in late 2024, Sandworm has been conducting wiper attacks against Ukrainian entities regularly since early 2025.”
The ongoing use of wiper malware highlights the sustained cyber conflict entwined with the broader geopolitical struggle in the region, underscoring the persistent cyber threats facing Ukraine’s critical infrastructure and economy.
https://arstechnica.com/security/2025/11/wipers-from-russias-most-cut-throat-hackers-rain-destruction-on-ukraine/

