Russian APT "Sandstorm" Deploys Wiper Malware Against Ukrainian Energy Grid
Ukraine's Computer Emergency Response Team (CERT-UA) has reported a coordinated cyber attack against the country's energy infrastructure attributed to Russian APT group Sandstorm (also tracked as Sandworm/Voodoo Bear), involving new destructive wiper malware designed specifically to damage industrial control systems.
The attack, which occurred on February 19, 2026, targeted three regional power distribution companies in eastern Ukraine. The new malware, designated "VoltReaper" by CERT-UA, targets Siemens SIPROTEC protective relays and ABB RTU560 remote terminal units used in electrical substations.
Unlike previous energy-sector attacks attributed to Sandstorm, VoltReaper doesn't just disrupt operations: it attempts to cause physical damage by manipulating protective relay settings in ways that could lead to equipment failure during load fluctuations.
Ukrainian cyber defenders, with assistance from ESET and Microsoft's Threat Intelligence Center, detected the attack during the initial reconnaissance phase and were able to prevent significant damage. However, two substations experienced temporary outages lasting approximately four hours.
This attack represents a concerning evolution in the targeting of critical infrastructure, combining cyber capabilities with the potential for physical destruction. NATO's Cooperative Cyber Defence Centre of Excellence has issued a technical analysis and updated threat advisories for member states.