One of the most formidable hacking entities globally, the Russian state-backed group known as Sandworm, has executed a series of destructive cyberattacks amid the ongoing conflict with Ukraine, according to recent findings released by cybersecurity researchers.
In April, Sandworm targeted a Ukrainian university with two wipers—malicious software designed to irretrievably destroy critical data and the infrastructure that supports it. One of these wipers, identified as Sting, ran on networks of Windows computers through a scheduled task named DavaniGulyashaSdeshka, a Russian slang expression translating roughly to “eat some goulash.” The second wiper variant is tracked under the designation Zerlot.
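The scheduled-task name reported for Sting is a concrete artifact defenders can hunt for. The following Python script is an added example, not code from the article or the researchers it cites: it parses exported Windows Security "scheduled task created" events (Event ID 4698) and flags hosts where the watchlisted task name was registered. The pipe-delimited export format, the field names and the sample records are constructed assumptions for illustration.

```python
"""Hunt exported Windows Security events (Event ID 4698, 'A scheduled task
was created') for the scheduled-task name attributed to the Sting wiper.
The export format and the sample records below are constructed."""
import re
from dataclasses import dataclass

# Task name reported for the Sting wiper; compared case-insensitively.
WATCHLIST = {"davanigulyashasdeshka"}

@dataclass
class TaskCreation:
    host: str
    user: str
    task_name: str
    command: str

# Constructed sample export: one event per line, host first, then key=value
# fields separated by '|'. Only the 4698 records matter for this hunt.
SAMPLE_LOG = """\
WS01|EventID=4698|SubjectUserName=alice|TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|Command=%windir%\\system32\\defrag.exe
WS07|EventID=4698|SubjectUserName=svc_backup|TaskName=\\DavaniGulyashaSdeshka|Command=C:\\Users\\Public\\svchost.exe
WS07|EventID=4624|SubjectUserName=svc_backup
WS12|EventID=4698|SubjectUserName=bob|TaskName=\\Updater|Command=C:\\ProgramData\\update.exe
"""

FIELD_RE = re.compile(r"(\w+)=([^|]*)")

def parse_4698(log_text: str) -> list[TaskCreation]:
    """Keep only task-creation events and extract the fields we hunt on."""
    events = []
    for line in log_text.splitlines():
        host, _, rest = line.partition("|")
        fields = dict(FIELD_RE.findall(rest))
        if fields.get("EventID") != "4698":
            continue
        events.append(TaskCreation(host, fields.get("SubjectUserName", ""),
                                   fields.get("TaskName", ""), fields.get("Command", "")))
    return events

def find_sting_tasks(log_text: str) -> list[tuple[str, str]]:
    """Return (host, user) pairs that registered a watchlisted task.
    The leading backslash of the task path and letter case are ignored."""
    hits = []
    for ev in parse_4698(log_text):
        if ev.task_name.lstrip("\\").lower() in WATCHLIST:
            hits.append((ev.host, ev.user))
    return hits

if __name__ == "__main__":
    for host, user in find_sting_tasks(SAMPLE_LOG):
        print(f"ALERT: Sting wiper scheduled task registered on {host} by {user}")
```

Auditing of scheduled-task creation (Event ID 4698) must be enabled on the endpoints for these records to exist; forwarding them to a central collector lets the hunt run fleet-wide.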
Subsequently, in June and September, Sandworm escalated its operations by deploying a variety of wipers against essential Ukrainian infrastructure entities, impacting organizations spanning government, energy, and logistics sectors. Notably, the group also focused on a somewhat uncommon target—the grain industry in Ukraine. While each of the mentioned sectors has been documented as a target of wiper attacks since 2022, the grain sector’s involvement is particularly striking, given that grain exports constitute a significant revenue stream for Ukraine. This targeting appears to aim at undermining the country’s war economy.
Wipers have been a preferred tool for Russian hackers since at least 2012, exemplified by the NotPetya worm, which primarily affected Ukraine before unleashing widespread chaos across the globe. The NotPetya incident resulted in tens of billions of dollars in damages, causing lengthy disruptions for thousands of organizations.
Considering the tactics employed in these attacks, various techniques from the MITRE ATT&CK framework are relevant. Initial access could have been facilitated through phishing methods or exploiting software vulnerabilities, allowing the attackers to gain a foothold in target networks. Once established, they would likely pursue persistence to maintain access, and privilege escalation techniques to gain elevated rights within systems.
Moreover, the destructive nature of the wipers indicates a calculated strategy to inflict significant operational damage both to disrupt immediate functionality and to cause longer-term economic repercussions. As cyber threats continue to evolve, organizations must remain vigilant, implementing comprehensive security measures and maintaining an awareness of emerging tactics and techniques employed by state-sponsored actors.
This escalation serves as a reminder of the persistent cybersecurity risks that can impact critical infrastructure, necessitating proactive strategies for business owners to safeguard their operations in an increasingly hostile digital landscape.