Risky Bulletin | Between Two Nerds: Russia's Cyber War on Wheat
Podcast: Risky Bulletin (Risky Biz)
Host(s): Tom Uren and The Grugq ("Gruck")
Episode Date: November 17, 2025
Brief Overview
In this episode, Tom Uren and The Grugq ("Gruck") dive into the Russian Sandworm Group's cyber attacks targeting Ukraine's grain sector, as detailed in a recent ESET report. They examine motivations behind these destructive "wiper" campaigns, question the strategic coherence of Russian cyber operations, discuss the evolving cyberwarfare landscape, and reflect on broader lessons and misconceptions seen in the West regarding both the utility and reality of cyber effects in ongoing warfare.
Key Discussion Points & Insights
1. Russia's Cyber Attacks on the Ukrainian Grain Sector
- Sandworm's Wiper Campaigns: The recent ESET report highlights repeated destructive (“wiper”) campaigns by the Russian Sandworm APT group—part of Russia’s GRU—specifically targeting Ukraine’s grain sector.
- Why the Grain Sector? (00:13)
- Grain is key to Ukraine’s economy.
- Up to 25% of arable land already lost due to war zones or landmines, making large-scale disruption more difficult.
- Russia has historically used more direct means (like blockading Black Sea shipping) to target agriculture.
- Doubts About Effectiveness (02:05)
- Tom Uren: Questions the impact of wiping digital infrastructure, as most logistics could likely continue manually.
"If, you know, I'm a farmer or even someone in the logistics chain… I'm just going to pick up the phone…"
- Gruck jokes about the idea of a “magic Excel spreadsheet… running on a pirated copy of Windows.” (02:05)
2. Lack of Strategic Coherence—Russian Cyber Operations
- Decentralized Motivations (03:00–04:25)
- Gruck: Russian cyber campaigns often lack top-down coherence; initiatives are driven by mid-level managers seeking to justify their existence or avoid reassignment.
- Operational “success” is frequently redefined for internal consumption:
"Assuming strategic coherence is risky, right? Like, it's just… maybe they did it because that was the only thing they could break into." (03:54)
- Expanding Targets as Priorities Shift (05:11)
- As high-value targets harden defences or are no longer operational, attackers "move down the list" to less critical ministries (“Minister of Agriculture” then “Minister of Recreation”).
- More teams, same or fewer targets, resulting in redundancy and sometimes arbitrary goals.
3. The Nature of Cyber Attacks: Splash Over Substance
- Media Coverage Bias (07:00)
- Only the “splashy” incidents—the “spectaculars”—are reported, distorting the public's understanding of the true cyber campaign.
"Trying to interpret the cyber war based purely on that information is going to give you a very distorted view." – Gruck (07:56)
- Routine Cyber Operations (17:26, 18:24)
- Many cyber ops are routine—analogous to military “patrols”—and driven more by operating procedures than an overarching strategy.
- Espionage and opportunistic attacks remain constant, even as the value of effect operations drops.
4. Learning the Wrong Lessons?
- Western Misconceptions (08:22–09:47)
- The West often frames Russian cyber ops as “amateurish,” missing the context and constraints of real war.
- Gruck:
"The Russians are learning how to wage cyber war during attritional warfare… but in the West, we're not necessarily drawing those same lessons." (08:22)
- Limits of Cyber Effects (09:23–14:01)
- Early “big bang” disruptions (e.g., Viasat hack) were in line with Western doctrine, tailored for a coup de main, not sustained/nightmarish wars of attrition.
- After intense initial disruption, the value of effect operations wanes as opponents harden, fragment, or adapt.
- Tom:
"If it was a Western military, probably just a few Western militaries could do it. But ... that would probably be helpful. It's not going to hurt." (12:40).
5. Cyber's Role: Intelligence vs. Effects
- Espionage Remains Key (25:46)
- Gruck:
"Cyber is great. I don't think it's great for war. I think that where it is great for war is in espionage… but not for effects."
6. The Realities and Improvisations of Russian Cyber Operations
- Motivational Drivers and Metrics (16:16 onward, 27:59)
- Many attacks are performed to "make up the numbers"—for internal targets, for metrics, for promotion.
- Anecdote: Russian police (and likely cyber teams) maintain monthly quotas, sometimes through “creative” methods (e.g., staging missing persons), suggesting metrics trump actual impact.
"Did you hack 30 companies this week like you were supposed to?" (29:04)
- Quarterly Patterns and Reporting Cycles (29:45–30:29)
- ESET observed wiper attacks in June and September: possibly reflecting “quarterly reporting” or “end-of-quarter goals” inside Russian agencies.
"Oh, crikey, we've got to meet our quarters goals." – Tom (30:03)
- Predictions
- Expect another wiper wave as Russian bureaucratic “financial year” closes. Targets may be pragmatically chosen for timing, not strategy.
Notable Quotes & Memorable Moments
- On Arbitrary Cyber Impact:
"The one Excel spreadsheet that tracks all of the grain and it's not backed up and it's also running on a pirated copy of Windows." — Gruck (02:05)
- On Russian Cyber Operations:
"Assuming strategic coherence is risky, right?" — Gruck (03:54)
- On Cyber Reporting:
"You see the ones that are splashy and cause effects..." — Tom (07:14)
"The spectaculars… show up." — Gruck (07:19)
- On Western Lessons:
"The Russians are learning how to wage cyber war during attritional warfare… we're not necessarily drawing those same lessons." — Gruck (08:22)
- On Quotas and Motivations:
"Did you hack 30 companies this week like you were supposed to?" — Gruck (29:04)
- On the Cyclical Nature of Attacks:
"Oh, crikey, we've got to meet our quarters goals." — Tom (30:03)
Important Timestamps
- 00:13: Setting the scene: Sandworm’s wiper campaigns, targeting the grain sector.
- 02:05: The “magic Excel spreadsheet” joke; skepticism about real-world impact of disruptions.
- 03:54: Examining the lack of strategic coherence in Russian cyber ops.
- 05:11: Attacker priorities shift as top-tier targets harden or disappear.
- 07:00–07:56: Discussion on "spectaculars" and survivorship bias in cyber incident reporting.
- 08:22–09:47: Western misconceptions about Russian cyber capability and doctrine.
- 12:40: Framing disruptive ops as helpful but not decisive.
- 17:26–18:24: The concept of routine cyber operations in modern wartime.
- 25:46: Summing up: cyber's greatest role is still espionage, not direct effects.
- 27:59: Russian organizational/cultural quirks—metrics beating meaning.
- 29:45: Quarterly patterns and the humor in state-driven quotas for cyber activity.
Final Reflections
- Effects vs. Espionage: Cyber operations deliver limited battlefield effects over time; their greatest contributions are in intelligence gathering.
- Routine, Not Revolution: Most attacks reflect routine operational churn, driven by internal dynamics, not grand strategy.
- Biases and Blind Spots: Public reporting—skewed toward loud/petty attacks—distorts understanding of the broader cyber campaign.
- Metrics Over Meaning: Russian cyber operations often fulfill bureaucratic requirements and career incentives rather than achieve lasting battlefield results.
- Predictable Unpredictability: Listeners should be wary of reading too much strategy into observable attack patterns—organizational pressure, resourcefulness, and even holidays can be as important as military priority.
This episode provides a candid, sometimes wryly comedic, take on Russia’s cyber war on wheat. Both hosts stress that, beyond headlines and spreadsheets, “cyber war” is as likely to be shaped by workplace inertia and reporting cycles as by geopolitics or military doctrine. For analysts or enthusiasts, it’s a reality check on cyberwar’s messy, improvisational realities.
