Destructive Wiper Malware Hits Ukraine’s Grain Sector – A Warning for CISOs

What happened

The Russian state-backed threat actor Sandworm (also known as APT44) has carried out destructive data wiper attacks against Ukrainian entities in June and September 2025, targeting especially the country’s grain sector, along with education, government, energy and logistics organizations.

Unlike ransomware, where data is encrypted and held for ransom, the wiper malware used here is designed purely for sabotage: files, disk partitions and master boot records are corrupted or destroyed, leaving little or no avenue for recovery.
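The behaviours described above (overwriting the master boot record or raw partitions, and mass-overwriting files) are also what a detection engineer should key on. The following is an added example, not code from the article or from ESET: two simple heuristics run over constructed endpoint events, one for a non-allowlisted process opening a raw disk device for writing, one for a process overwriting an unusual number of distinct files in a short window. The event field names, the allowlist and the thresholds are assumptions and would be tuned to the real telemetry source.

```python
import re
from collections import Counter, defaultdict

# Raw device paths on Windows: \\.\PhysicalDrive0, \\.\C: and so on.
RAW_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Z]:)$", re.IGNORECASE)

# Assumption: processes legitimately allowed raw write access (tune per environment).
ALLOWED_RAW_WRITERS = {"system", "vssvc.exe", "diskpart.exe"}

BURST_THRESHOLD = 50   # distinct files overwritten by one process ...
BURST_WINDOW = 60      # ... within this many seconds

# Constructed sample telemetry (not real logs): ts in seconds, one write event per record.
EVENTS = (
    [
        {"ts": 1, "proc": "winword.exe", "target": "C:\\Users\\ana\\report.docx", "access": "write"},
        {"ts": 2, "proc": "vssvc.exe", "target": "\\\\.\\C:", "access": "write"},            # allowlisted
        {"ts": 5, "proc": "update.exe", "target": "\\\\.\\PhysicalDrive0", "access": "write"},  # MBR/partition overwrite
    ]
    + [
        {"ts": 10 + i, "proc": "update.exe", "target": f"D:\\share\\contract_{i}.pdf", "access": "write"}
        for i in range(60)
    ]
)


def detect_raw_device_writes(events):
    """Flag write access to a raw disk device by a process not on the allowlist."""
    return [
        (e["ts"], e["proc"], e["target"])
        for e in events
        if e["access"] == "write"
        and RAW_DEVICE.match(e["target"])
        and e["proc"].lower() not in ALLOWED_RAW_WRITERS
    ]


def detect_overwrite_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Flag a process that writes to >= threshold distinct files inside a sliding window.

    Returns one (proc, ts, distinct_files) tuple per offending process, at the moment
    the threshold was first crossed.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e["access"] == "write" and not RAW_DEVICE.match(e["target"]):
            by_proc[e["proc"]].append((e["ts"], e["target"]))

    alerts = []
    for proc, writes in by_proc.items():
        writes.sort()
        in_window = Counter()  # target -> number of writes currently inside the window
        left = 0
        for ts, target in writes:
            in_window[target] += 1
            while writes[left][0] < ts - window:      # evict writes older than the window
                old = writes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((proc, ts, len(in_window)))
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    print("raw device writes:", detect_raw_device_writes(EVENTS))
    print("overwrite bursts:", detect_overwrite_bursts(EVENTS))
```

Both heuristics are deliberately behavioural rather than signature-based: a wiper that is recompiled between campaigns still has to open the disk device or touch thousands of files. In production the burst detector should run on stream data rather than a list, and both need suppression for known-good bulk writers (backup agents, indexers, patch installers).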

According to security firm ESET, these operations mark a shift in focus toward Ukraine’s vital economic infrastructure: the grain sector is one of the country’s main sources of export revenue, which makes it a strategic target.

Who is affected

  • Primary victims include Ukrainian organizations operating in agriculture/commodity exports, logistics, government services, and education.
  • While the attacks are geographically targeted at Ukraine, the tactics and destructive nature of wipers signal a broader risk to any organization with critical infrastructure dependencies or high-value economic functions.
  • CISOs in industries that manage critical supply chains (agriculture, export logistics, manufacturing) should consider themselves in scope given how attackers are shifting to economic disruption rather than just espionage or data theft.

Why CISOs should care

  • This incident highlights that sophisticated adversaries are moving beyond exfiltration and espionage to the destruction of data and systems, a significant escalation in impact and recovery costs.
  • Even organizations outside the immediate geographic target zone can become collateral damage or be reached through shared networks and suppliers. In this campaign, initial access was obtained by a separate threat actor (UAC-0099) and handed off to Sandworm for wiper deployment, a division of labour that shows how adversaries compose attack chains across groups.
  • For those responsible for business continuity, resilience and cyber-risk management: wiper attacks are harder to recover from than ransomware because there is no extortion element and therefore no decryption key to negotiate for, only disruption and damage. Recovery depends entirely on copies of data and systems the attacker could not reach, which means fewer options, longer downtime, and higher costs.
  • The grain-sector targeting highlights how cyberattackers are increasingly viewing economic functions (export infrastructure, revenue-generating operations) as valid targets, meaning CISOs must broaden their threat models to include business operations risk, not just IT/data risk.

3 Practical actions for CISOs

  1. Validate your offline, immutable backups: Ensure that your critical business systems and data (especially those tied to revenue or supply-chain continuity) are backed up to media or systems that are air-gapped or otherwise inaccessible to attackers. Test actual restores, not just backup job success, and verify restored data against integrity records kept separately from the backup itself. Review backup recovery procedures regularly.
  2. Conduct destructive-scenario tabletop exercises: Run simulations of a full-blown wiper attack (versus typical ransomware) that destroys systems and data. Evaluate how your organization would respond: recovery time, business impact, dependencies, communications, legal/regulatory obligations.
  3. Expand threat modelling to cover business-critical infrastructure and supply chains: Map not just your IT assets but the operational and economic infrastructure your organization supports or interacts with. Include third-party dependencies (logistics, export, and manufacturing) and ensure controls such as endpoint detection, intrusion prevention, software patch hygiene, segmentation, and monitoring are in place across all of these dependencies.
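Action 1 above is only meaningful if a restore can be proven intact, because a wiper that reaches the backup target can also silently corrupt what is stored there. The following is an added example, not the article's or any vendor's code: it builds a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key that is assumed to live somewhere the backup pipeline cannot write, and then checks a restored copy for missing, altered and unexpected files as well as for a forged manifest. The directory layout, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def canonical(manifest):
    # Deterministic encoding so the same manifest always yields the same MAC.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical manifest; key must be kept off the backup host."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_restore(restore_root, manifest, signature, key):
    """Compare a restored tree against the signed manifest and report every discrepancy."""
    report = {"manifest_ok": hmac.compare_digest(sign_manifest(manifest, key), signature)}
    actual = build_manifest(restore_root)
    report["missing"] = sorted(set(manifest) - set(actual))          # wiped or never restored
    report["extra"] = sorted(set(actual) - set(manifest))            # planted or leftover files
    report["changed"] = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    report["ok"] = report["manifest_ok"] and not (report["missing"] or report["extra"] or report["changed"])
    return report


def demo():
    """Constructed scenario: one clean restore, one tampered restore, one forged manifest."""
    key = b"constructed-demo-key"  # assumption: a real key is held on a host the backup job cannot write to
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "contracts").mkdir(parents=True)
        (src / "ledger.csv").write_text("lot,tonnes\n1,500\n")
        (src / "contracts" / "a.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        manifest = build_manifest(src)
        sig = sign_manifest(manifest, key)

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "ledger.csv").write_text("lot,tonnes\n1,0\n")   # silently altered
        (bad / "contracts" / "a.pdf").unlink()                 # wiped
        (bad / "note.txt").write_text("x")                     # unexpected file

        return {
            "clean": verify_restore(good, manifest, sig, key),
            "tampered": verify_restore(bad, manifest, sig, key),
            "forged": verify_restore(good, manifest, sign_manifest(manifest, b"attacker-key"), key),
        }


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

Two design points matter for the wiper case specifically. The manifest and the HMAC key must not sit next to the backup, or an attacker who reaches the backup target can rewrite both and the check passes. And this script verifies content, not immutability: whether the backup target itself could have been modified in place (object lock, WORM media, offline rotation) is a separate control that the tabletop exercise in action 2 should test.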