ESET APT report finds state-backed hackers escalate cyberattacks, target Ukraine’s grain and energy sectors - Industrial Cyber
November 07, 2025
New research from ESET detailed a surge in espionage and financially motivated cyber operations from state-aligned threat groups between April and September this year, underscoring how global geopolitical tensions are driving targeted attacks. These operations reflect the broader threat landscape observed during this period, showcasing key trends and developments. They represent only a small portion of the intelligence available to ESET’s APT report subscribers. The report also paints a picture of increasingly adaptive and coordinated nation-state campaigns, where espionage, disruption, and financial gain remain core objectives.
In its report titled ‘APT Activity Report: Russia-aligned APTs ramp up attacks against Ukraine and its strategic partners,’ ESET also disclosed that Russia-linked Sandworm intensified destructive cyber operations against Ukraine in mid-2025, deploying multiple data-wiping malware variants across government, energy, logistics, and grain sectors. The targeting of grain exporters, a rare focus in previous campaigns, suggests an effort to disrupt one of Ukraine’s key economic lifelines amid the ongoing war. Investigators also confirmed that the UAC-0099 group played a supporting role by breaching networks and handing off validated targets to Sandworm for follow-up attacks.
The report detailed that China-linked actors intensified their campaigns across Latin America, Southeast Asia, and Europe, using adversary-in-the-middle techniques and custom VPN tools to infiltrate government and industrial networks. Iran-backed groups expanded their spearphishing reach, leveraging compromised inboxes to spread internally within organizations, while North Korean operators broadened their cryptocurrency theft and espionage efforts into Central Asia. Russia-aligned APTs continued their focus on Ukraine and Europe, reflecting the enduring intersection of cyber activity and political conflict.
“Notable activities by lesser-known groups included FrostyNeighbor exploiting an XSS vulnerability in Roundcube. Polish and Lithuanian companies were targeted by spearphishing emails that impersonated Polish businesses,” ESET identified in the report. “The emails contained a distinctive use and combination of bullet points and emojis, a structure reminiscent of AI-generated content, suggesting possible use of AI in the campaign. Delivered payloads included a credential stealer and an email message stealer. We also identified a previously unknown Android spyware family in Iraq, which we named Wibag.”
The researchers also identified a malicious app masquerading as YouTube. “Wibag targets messaging platforms such as Telegram and WhatsApp, as well as Instagram, Facebook, and Snapchat. Its capabilities include keylogging and the exfiltration of SMS messages, call logs, location data, contacts, screen recordings, and recordings of WhatsApp calls and regular phone calls. Interestingly, the login page for the spyware’s admin panel displays the logo of the Iraqi National Security Service.”
ESET observed increasing use of the adversary-in-the-middle technique for both initial access and lateral movement. The FamousSparrow group embarked on an attack on Latin America, targeting multiple governmental entities in the region, in what appears to be a response to the Trump administration’s strategic interest in Latin America and possibly influenced by the ongoing U.S.-China power struggle. Across Europe, governmental entities remained a primary focus of cyberespionage by Russia-aligned APT groups as they intensified their operations against Ukraine and several European Union member states.
Notably, even non-Ukrainian targets of Russia-aligned groups exhibited strategic or operational links to Ukraine, reinforcing the notion that the country remains central to Russia’s intelligence efforts. RomCom exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and deliver a variety of backdoors, mainly focused on the financial, manufacturing, defense, and logistics sectors in the EU and Canada.
As zero-day exploits are costly, both the Gamaredon and Sandworm groups used the much less expensive spearphishing technique as their primary method of compromise. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations. Similarly, Sandworm focused on Ukraine, albeit with destruction as its motive rather than Gamaredon’s cyberespionage, largely concentrating on the governmental, energy, logistics, and grain sectors, the likely objective being the weakening of the Ukrainian economy.
“Sandworm continues its destructive campaigns in Ukraine, deploying a range of data-wiping malware, primarily by exploiting the Group Policy feature of Active Directory,” ESET reported. “In April, the threat actor launched two wipers – ZEROLOT and Sting – against a Ukrainian university. Notably, the Sting wiper was executed via a Windows scheduled task named DavaniGulyashaSdeshka, a phrase derived from Russian slang that loosely translates to ‘eat some goulash.’”
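The two tradecraft details in that quote, wiper deployment through Active Directory Group Policy and execution through a named Windows scheduled task, both leave a footprint in Windows Security event 4698 (“A scheduled task was created”), which carries the task name and the full Task Scheduler XML. The following is an added detection example, not code from the ESET report or from Industrial Cyber: it parses constructed 4698 records, pulls out each task's executable and run-as principal, and flags tasks whose name is on a watchlist (here the `DavaniGulyashaSdeshka` name from the report) or whose executable sits in a user-writable or network location. The event records, host names and the directory heuristics are constructed assumptions for illustration and should be tuned to the environment.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

# Scheduled-task name reported by ESET for the Sting wiper (from the article).
WATCHLIST_TASK_NAMES = {"DavaniGulyashaSdeshka"}

# Hypothetical heuristic: a task launching a binary from these locations deserves
# review. "\\\\" (a literal \\) catches UNC paths such as a SYSVOL share, which is
# how a GPO-pushed payload is typically staged. Tune per environment.
SUSPICIOUS_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                       "c:\\temp\\", "\\\\")

LOCAL_SYSTEM_SID = "S-1-5-18"


@dataclass
class Finding:
    host: str
    task_name: str
    reasons: list = field(default_factory=list)


def _local(tag):
    """Strip the XML namespace so the Task Scheduler schema prefix does not matter."""
    return tag.rsplit("}", 1)[-1]


def parse_task_actions(task_xml):
    """Return [(command, arguments), ...] from Task Scheduler XML (event 4698 TaskContent)."""
    root = ET.fromstring(task_xml)
    actions = []
    for el in root.iter():
        if _local(el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in el:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def parse_task_principal(task_xml):
    """Return the UserId (SID or account name) the task runs as, or '' if absent."""
    for el in ET.fromstring(task_xml).iter():
        if _local(el.tag) == "UserId":
            return (el.text or "").strip()
    return ""


def analyse_task_events(events):
    """Scan 4698 records (dicts) and return a Finding per task that trips a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        task_name = ev["TaskName"].strip("\\").split("\\")[-1]
        reasons = []
        if task_name in WATCHLIST_TASK_NAMES:
            reasons.append("task name on wiper watchlist")
        for cmd, _args in parse_task_actions(ev["TaskContent"]):
            if cmd.lower().strip('"').startswith(SUSPICIOUS_PREFIXES):
                reasons.append(f"executable in user-writable or network location: {cmd}")
        # Only escalate on SYSTEM when another rule already fired; SYSTEM alone is normal.
        if reasons and parse_task_principal(ev["TaskContent"]) == LOCAL_SYSTEM_SID:
            reasons.append("runs as LocalSystem")
        if reasons:
            findings.append(Finding(ev.get("Computer", "?"), task_name, reasons))
    return findings


def _task_xml(command, arguments="", user_id=LOCAL_SYSTEM_SID):
    """Build Task Scheduler XML in the shape event 4698 carries (constructed sample helper)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Principals><Principal id="Author"><UserId>' + escape(user_id) + '</UserId>'
        '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
        '<Actions Context="Author"><Exec><Command>' + escape(command) + '</Command>'
        '<Arguments>' + escape(arguments) + '</Arguments></Exec></Actions></Task>'
    )


# Constructed sample events: one benign built-in task, one matching the reported
# task name and running a binary from Temp, one pulled from a network share, and
# one non-4698 event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "ws01.corp.example", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"EventID": 4698, "Computer": "srv-files.corp.example", "SubjectUserName": "SYSTEM",
     "TaskName": "\\DavaniGulyashaSdeshka",
     "TaskContent": _task_xml(r"C:\Windows\Temp\svchost.exe")},
    {"EventID": 4698, "Computer": "ws02.corp.example", "SubjectUserName": "jdoe",
     "TaskName": "\\Updater",
     "TaskContent": _task_xml(r"\\corp.example\SYSVOL\corp.example\scripts\upd.exe",
                              user_id="S-1-5-21-1-2-3-1001")},
    {"EventID": 4702, "Computer": "ws01.corp.example", "TaskName": "\\Other",
     "TaskContent": _task_xml("cmd.exe", "/c echo updated")},
]

if __name__ == "__main__":
    for f in analyse_task_events(SAMPLE_EVENTS):
        print(f"{f.host}: task '{f.task_name}' -> " + "; ".join(f.reasons))
```

Feeding real data is a matter of exporting 4698 events (for example with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}` and reading the `TaskName` and `TaskContent` fields) into dicts of the same shape; task-creation auditing must be enabled under Object Access / Audit Other Object Access Events for these events to exist at all.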
In June and September, Sandworm deployed multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors. “Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target. Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy. During this period, we observed and confirmed that the UAC-0099 group conducted initial access operations and subsequently transferred validated targets to Sandworm for follow-up activity.”
Moreover, recent activities of UAC-0099 were thoroughly documented by CERT-UA and Fortinet. These destructive attacks by Sandworm are a reminder that wipers very much remain a frequent tool of Russia-aligned threat actors in Ukraine. Although there have been reports suggesting an apparent refocusing on espionage activities by such groups in late 2024, ESET has seen Sandworm conducting wiper attacks against Ukrainian entities regularly since the start of 2025.
The Belarus-aligned group FrostyNeighbor exploited an XSS vulnerability in Roundcube. Polish and Lithuanian companies were targeted by spearphishing emails that impersonated Polish businesses. The emails contained a distinctive use and combination of bullet points and emojis, a structure reminiscent of AI-generated content, suggesting possible use of AI in the campaign. Delivered payloads included a credential stealer and an email message stealer.
“Interestingly, one Russia-aligned threat actor, InedibleOchotense, conducted a spearphishing campaign impersonating ESET. This campaign involved emails and Signal messages delivering a trojanized ESET installer that leads to the download of a legitimate ESET product along with the Kalambur backdoor,” said Jean-Ian Boutin, director of threat research at ESET.
In Asia, APT groups continued targeting governmental entities as well as both the technology and the engineering and manufacturing sectors, a pattern consistent with the previous reporting period. North Korea-aligned threat actors remained highly active in operations directed at South Korea and its technology sector, particularly cryptocurrency, which is a key source of revenue for the regime. This was followed by targeting of governmental entities, engineering, and manufacturing sectors. Iran-aligned APT groups maintained their primary focus on Israel, with their continued targeting of the government and engineering sectors.
“China-aligned groups remain very active, with campaigns spanning Asia, Europe, Latin America, and the US being observed recently by ESET researchers. This global embrace illustrates that China-aligned threat actors continue to be mobilized to help serve a wide array of Beijing’s current geopolitical priorities,” adds Boutin.
Between June and September, ESET also observed FamousSparrow conducting several operations throughout Latin America, mostly against governmental entities. These represent the bulk of activities that ESET has attributed to the group during this period, suggesting that this region was the group’s main operational focus in recent months. These activities might be partly linked with the current US-China power struggle in the region, resulting from the Trump administration’s renewed interest in Latin America.
Overall, the observed victimology of FamousSparrow’s ‘Latin American tour’ includes multiple governmental entities in Argentina, a governmental entity in Ecuador, a governmental entity in Guatemala, multiple governmental entities in Honduras, and a governmental entity in Panama.
Across Europe, governmental entities remained a primary focus of cyberespionage – a trend driven largely by Russia-aligned APT groups intensifying their operations against Ukraine and several European Union member states. Notably, even non-Ukrainian targets exhibited strategic or operational links to Ukraine, reinforcing the notion that the country remains central to Russia’s intelligence efforts. Gamaredon continued to be the most active threat actor operating within Ukraine, while Sandworm sustained its destructive campaigns, targeting the governmental, energy, logistics, and grain sectors in Ukraine.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.