Sandworm's New Wipers Target Energy: Why Continuous Monitoring is Essential Now
The recently published ESET APT Activity Report Q2-Q3 2025 provides a valuable, if concerning, summary of nation-state activity. The core takeaway for the energy sector is the continued, and even escalated, use of destructive wiper malware by Russia-aligned threat actors, specifically Sandworm.
Their operations during this period focused heavily on Ukrainian governmental, logistics, and critically, the energy and grain sectors, demonstrating that cyberattacks are fully integrated into efforts aimed at economic and operational disruption.
The Shift to Destructive Attacks
While many APT campaigns focus on espionage or financial theft, Sandworm's objective remains clearly destructive. The report details the deployment of new data wipers, including Zerolot and Sting. These strains are specifically designed to permanently erase data and halt operations, moving beyond simple reconnaissance or temporary disruption.
This shift presents a serious challenge for traditional security models that rely primarily on perimeter defense or signature-based detection.
- The Problem: These wipers are often executed long after the initial intrusion. Threat actors like the observed UAC-0099 group conduct initial access and internal compromise, effectively setting the stage before handing over access to the destruction team, Sandworm. This pre-staging activity can go unnoticed by standard security logs.
- The Technique: In past attacks, Sandworm has abused legitimate tools like Active Directory Group Policy to push their payloads, masking the malicious activity within normal administrative functions. This makes detection extremely challenging without an understanding of typical network behavior.
Why the OT/ICS Network Requires Behavioral AI
For critical infrastructure operators, this type of sophisticated, multi-stage attack highlights the limitations of treating cybersecurity as an IT problem. The only reliable defense against a pre-staged destructive compromise is to detect the subtle anomalies that occur before the final payload is dropped.
This is where an AI-driven behavioral monitoring platform is necessary:
- Establishing a Baseline: Our AI is trained on the specific operational data of industrial control systems (ICS). It models the expected, routine communication and activity within your OT network - what is normal for a substation, a distribution center, or a SCADA system.
- Detecting Lateral Movement: An intruder conducting reconnaissance, establishing persistence, or escalating privileges (as UAC-0099 would do) must deviate from this normal baseline. They create unusual internal network connections, access files they shouldn't, or log in from unexpected machines. Argen Energy's platform flags these low-and-slow behavioral deviations as early warnings.
- Contextual Compliance: This heightened threat profile reinforces the importance of regulations like NERC CIP and the forthcoming NIS2 Directive. Compliance steps - from rigorous access controls to continuous vulnerability management - are not just requirements; they are the necessary foundation for building true cyber resilience against the most motivated adversaries.
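The two detection ideas above, flagging deviations from a learned baseline (the "Detecting Lateral Movement" point) and catching abuse of administrative tooling such as Group Policy (the "Technique" point), can be shown with a small baseline-and-deviation detector. The code below is an added illustration, not Argen Energy's platform code and not derived from the ESET report. The log format, the host and account names, and the event kinds (logon, conn, gpo_mod) are constructed for the example; a real deployment would feed authentication, NetFlow and directory-service audit events into the same shape.

```python
"""Baseline-and-deviation detector over constructed audit log lines.

Illustrative only (not Argen Energy's product code). Learn what is "normal"
from a training window, then flag observed events that deviate from it and
escalate actors that accumulate several different low-and-slow deviations.

Constructed CSV log format:  timestamp,event,actor,src,dst
  logon   : actor logged on from host src to host dst
  conn    : host src opened a connection to host dst (actor may be "-")
  gpo_mod : actor modified the Group Policy object named dst from host src
"""
from dataclasses import dataclass, field

# Constructed training window: routine operator activity and the one service
# account that normally edits Group Policy.
TRAINING_LOG = [
    "2025-10-01T08:00:00Z,logon,operator1,eng-ws-01,hmi-01",
    "2025-10-01T08:05:00Z,conn,-,hmi-01,plc-01",
    "2025-10-01T08:06:00Z,conn,-,hmi-01,historian-01",
    "2025-10-01T09:00:00Z,gpo_mod,svc-gpoadmin,dc-01,Default Domain Policy",
    "2025-10-02T08:00:00Z,logon,operator2,eng-ws-02,hmi-01",
    "2025-10-02T08:05:00Z,conn,-,hmi-01,plc-01",
]

# Constructed observation window: normal traffic plus a pre-staging pattern
# (unusual logon, new internal connection, GPO edit by a non-admin account).
OBSERVED_LOG = [
    "2025-10-15T08:00:00Z,logon,operator1,eng-ws-01,hmi-01",
    "2025-10-15T02:13:00Z,logon,helpdesk-07,it-ws-22,file-srv-01",
    "2025-10-15T02:20:00Z,conn,helpdesk-07,file-srv-01,dc-01",
    "2025-10-15T02:45:00Z,gpo_mod,helpdesk-07,dc-01,Default Domain Policy",
    "2025-10-15T08:05:00Z,conn,-,hmi-01,plc-01",
]


@dataclass
class Baseline:
    logons: set = field(default_factory=set)      # (actor, dst) pairs seen
    conns: set = field(default_factory=set)       # (src, dst) pairs seen
    gpo_admins: set = field(default_factory=set)  # actors that edited GPOs


def parse_line(line):
    """Split one constructed CSV line into a dict; reject malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        raise ValueError(f"malformed log line: {line!r}")
    ts, event, actor, src, dst = parts
    return {"ts": ts, "event": event, "actor": actor, "src": src, "dst": dst}


def learn_baseline(lines):
    """Record every logon pair, connection pair and GPO-editing account seen."""
    b = Baseline()
    for line in lines:
        e = parse_line(line)
        if e["event"] == "logon":
            b.logons.add((e["actor"], e["dst"]))
        elif e["event"] == "conn":
            b.conns.add((e["src"], e["dst"]))
        elif e["event"] == "gpo_mod":
            b.gpo_admins.add(e["actor"])
    return b


def detect(baseline, lines):
    """Return one alert dict per event that is absent from the baseline."""
    alerts = []
    for line in lines:
        e = parse_line(line)
        kind = None
        if e["event"] == "logon" and (e["actor"], e["dst"]) not in baseline.logons:
            kind = "NEW_LOGON_PAIR"
        elif e["event"] == "conn" and (e["src"], e["dst"]) not in baseline.conns:
            kind = "NEW_INTERNAL_CONN"
        elif e["event"] == "gpo_mod" and e["actor"] not in baseline.gpo_admins:
            kind = "GPO_MOD_BY_UNUSUAL_ACCOUNT"
        if kind:
            alerts.append({"kind": kind, "ts": e["ts"], "actor": e["actor"],
                           "detail": f"{e['src']} -> {e['dst']}"})
    return alerts


def escalate(alerts, min_kinds=2):
    """Map actor -> sorted alert kinds, for actors with >= min_kinds distinct kinds.

    A single new connection is noise; one actor producing several different
    deviation types in one window is the low-and-slow pre-staging signal.
    """
    by_actor = {}
    for a in alerts:
        by_actor.setdefault(a["actor"], set()).add(a["kind"])
    return {actor: sorted(kinds) for actor, kinds in by_actor.items()
            if len(kinds) >= min_kinds}


if __name__ == "__main__":
    base = learn_baseline(TRAINING_LOG)
    found = detect(base, OBSERVED_LOG)
    for a in found:
        print(a["ts"], a["kind"], a["actor"], a["detail"])
    print("escalate:", escalate(found))
```

Run as a script it prints the three deviations attributed to helpdesk-07 and escalates that one account; the routine operator logon and HMI-to-PLC connection produce nothing. The design point is the last function: each deviation alone is weak evidence, but correlating distinct deviation kinds per actor is what turns low-and-slow staging activity into an early warning before any payload is pushed.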
The risk of a destructive wiper attack is a tangible reality for the energy sector. Our focus must shift from reacting to known threats to preempting the conditions that allow these destructive attacks to succeed.