Russian state-sponsored groups continue their cyber assaults on Ukraine and are now aiming their destructive wipers at more industries, including the grain sector, ESET’s latest APT activity report shows.
Over the past months, activity associated with Russian APTs focused on European Union member states and Ukraine, typically relying on spear-phishing emails as the initial access vector.
According to ESET, even the non-Ukrainian targets appear linked to the country and the overall war efforts, suggesting that Russian intelligence is mobilizing attention and resources to the ongoing conflict.
In this context, recent destructive cyberattacks attributed to Sandworm (also known as APT44, Iridium, Seashell Blizzard, TeleBots, and Voodoo Bear, and associated with the GRU) stand out.
In April, Sandworm targeted a Ukrainian university with the Zerolot and Sting wipers. In June and September, the APT was seen deploying multiple data-wiping malware variants against Ukrainian governmental, energy, logistics, and grain entities.
The not-so-common targeting of the grain sector, which remains the main source of revenue for the country, suggests an attempt to weaken Ukraine’s war economy, ESET notes in its report (PDF).
The cybersecurity firm also observed a collaboration between the APT and UAC-0099, a Russian threat actor that conducts initial intrusions and then hands targets of interest over to Sandworm.
“These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine. Although there have been reports suggesting an apparent refocusing on espionage activities by such groups in late 2024, we have seen Sandworm conducting wiper attacks against Ukrainian entities on a regular basis since the start of 2025,” ESET notes.
Gamaredon, which was seen working with Turla in recent attacks, continued to refine its main stealers, dubbed PteroPSDoor and PteroVDoor, and has adopted new tunneling and serverless computing services.
In May, a threat actor tracked as InedibleOchotense was seen impersonating ESET in attacks against various Ukrainian entities, via spear-phishing emails and Signal text messages.
Another Russian APT that stood out this year is RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596), which exploited a zero-day vulnerability in WinRAR to deploy various backdoors against defense, financial, logistics, and manufacturing entities in Europe and Canada.
“Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations. Similarly, Sandworm focused on Ukraine — albeit with destruction as its motive rather than Gamaredon’s cyberespionage,” ESET notes.
The cybersecurity firm’s APT activity report also details the latest attacks associated with Chinese, Iranian, and North Korean threat actors.

