Wipers from Russia’s most cut-throat hackers rain destruction on Ukraine

In the ongoing conflict between Russia and Ukraine, cyber warfare has become a prominent and destructive front. One of the most notorious hacking groups linked to the Russian government, known as Sandworm, has been actively deploying highly damaging cyberattacks against Ukrainian targets. This group, which is controlled by Russia’s military intelligence agency—the GRU—has a history of launching sophisticated and ruthless operations intended to disrupt, destroy, and weaken Ukraine’s infrastructure and economy.

Recent reports from cybersecurity firm ESET have shed light on a series of aggressive cyberattacks carried out by Sandworm throughout 2024. In April, the group targeted a Ukrainian university with two different types of “wiper” malware. Wipers are particularly malicious because their primary goal is to permanently erase sensitive data from targeted computers, often damaging the physical hardware that stores that data as well. ESET researchers identified one of these wipers as Sting, which affected fleets of Windows computers by scheduling a destructive task named “DavaniGulyashaSdeshka,” a phrase derived from Russian slang that roughly translates to “eat some goulash.” The second wiper used in this attack was named Zerlot.
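The task name above can be hunted for in Windows Security-log events 4698 (scheduled task created) and 4702 (scheduled task updated), which are only recorded when the "Audit Other Object Access Events" policy is enabled. The Python below is an added example, not code from ESET or the original article; the event XML is constructed sample data, and the function names and host names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
STING_TASK = "DavaniGulyashaSdeshka"   # task name quoted in the article
TASK_EVENT_IDS = {"4698", "4702"}      # scheduled task created / updated

def find_task_events(xml_text, task_name=STING_TASK):
    """Return one dict per task create/update event whose task leaf name matches."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in TASK_EVENT_IDS:
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        path = data.get("TaskName", "")
        # Task paths look like \Folder\Name; compare the leaf name case-insensitively.
        if path.rsplit("\\", 1)[-1].lower() != task_name.lower():
            continue
        when = ev.find("e:System/e:TimeCreated", NS)
        hits.append({
            "event_id": event_id,
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "time": when.get("SystemTime") if when is not None else None,
            "user": data.get("SubjectUserName"),
            "task": path,
        })
    return hits

def sample_event(event_id, host, task_path):
    """Build a constructed (not real) Security-log event in exported-XML shape."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2024-01-01T00:00:00Z"/>'
            f'<Computer>{host}</Computer></System><EventData>'
            f'<Data Name="SubjectUserName">svc-constructed</Data>'
            f'<Data Name="TaskName">{task_path}</Data></EventData></Event>')

# Constructed sample: two matches, one benign task, one out-of-scope event ID.
SAMPLE = "<Events>" + "".join([
    sample_event(4698, "ws-01.example.test", r"\DavaniGulyashaSdeshka"),
    sample_event(4698, "ws-01.example.test", r"\Microsoft\Windows\Defrag\ScheduledDefrag"),
    sample_event(4702, "ws-02.example.test", r"\davanigulyashasdeshka"),
    sample_event(4699, "ws-03.example.test", r"\DavaniGulyashaSdeshka"),
]) + "</Events>"

if __name__ == "__main__":
    for hit in find_task_events(SAMPLE):
        print(hit)
```

A name match is only as strong as the indicator: a renamed task will not be found, so an empty result is inconclusive rather than a clean bill of health.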

But the university attack was only the beginning. In the months that followed—June and September—Sandworm launched multiple other attacks using various wiper malware variants. These attacks targeted a broad range of critical infrastructure sectors across Ukraine, including government agencies, energy providers, and logistics companies. These sectors have long been prime targets of Russian cyber aggression. Interestingly, ESET noted a less common but strategically important target: organizations within Ukraine’s grain industry. Since grain exports represent a significant portion of Ukraine’s revenue, attacks against this sector are likely intended to weaken the country’s economic resilience during the ongoing war.

The use of wiper malware by Russian state-backed hackers is not new. Their destructive capabilities were first widely recognized during the spread of the NotPetya worm in 2017, a self-replicating malware initially aimed at Ukraine but which rapidly spread worldwide, causing massive financial damage estimated in the tens of billions of dollars. NotPetya crippled thousands of organizations across numerous countries, many of which were forced to halt operations for extended periods.

Sandworm itself has a documented history of deploying destructive malware against Ukraine dating back to at least 2016. One notable campaign involved attacks on the country’s electricity grid during the harsh winters of 2016 and 2017, leaving large portions of the population without heat. These attacks showcased the group’s ability to cause real-world harm beyond just digital disruption.

Since then, Russian state hackers have consistently used wiper malware as a weapon against various Ukrainian targets. Over a dozen distinct wiper attacks have been linked to the Kremlin in recent years. For example, in 2022, a wiper attack disabled 10,000 satellite modems in Ukraine, severely limiting communications. Another attack in the same year targeted a Kyiv-based TV station, disrupting media operations. Other notable wipers include WhisperGate, which struck government and IT sector networks in Ukraine, and further campaigns that disabled hundreds of organizations across the country.

It is important to note, however, that not all wiper attacks come from Sandworm alone. Other Russian-affiliated groups have also been active in deploying destructive malware in Ukraine. ESET has detected attacks from groups such as RomCom and Gamaredon. RomCom notably exploited a zero-day vulnerability in the popular WinRAR file compression utility to install malware on Ukrainian systems. Gamaredon has also been active with wiper attacks over the past year. In some cases, these groups have collaborated; for instance, during some Sandworm wiper campaigns, a group identified as UAC-0099 gained initial access through spear phishing attacks before Sandworm deployed their destructive payloads. Such cooperation is unusual given the intense rivalry that often exists between different Russian cyber units.

Looking ahead, cybersecurity experts predict that wiper malware will remain a favored tool of Russian state-aligned threat actors. Despite some reports suggesting a shift towards espionage-focused activities by these groups in late 2024, Sandworm and others have continued to conduct wiper attacks regularly since the start of 2025. This ongoing use of destructive cyberattacks serves as a stark reminder that Russia’s cyber warfare strategy against Ukraine is multifaceted, combining both intelligence gathering and outright sabotage.

In summary, the war between Russia and Ukraine is being fought not just on the battlefield but also in cyberspace. Sandworm,
