A sophisticated cyberattack targeting Poland's energy infrastructure was thwarted last month, with security researchers attributing the operation to the Russian nation-state hacking group Sandworm. The attackers deployed a previously undocumented wiper malware called DynoWiper, a significant escalation in threats to European critical infrastructure.
The attack on Poland's energy infrastructure in late December 2025 was detected and stopped before it caused disruption, but the incident shows Russian state-sponsored threat actors extending destructive tactics they have so far used mainly against Ukraine. The Polish government confirmed that the attack, described by Energy Minister Milosz Motyka as "the strongest attack on the energy infrastructure in years," was aimed at systems managing power generation and distribution.

The Attack Vector
According to a detailed analysis by cybersecurity firm ESET, the operation was conducted by Sandworm, a notorious Russian hacking group with a documented history of targeting critical infrastructure. The attackers deployed a newly discovered wiper malware codenamed DynoWiper, which appears to be a fresh tool in Sandworm's arsenal. The attribution is based on significant overlaps with previous wiper campaigns linked to the group, particularly those following Russia's invasion of Ukraine in February 2022.
The attack specifically targeted two combined heat and power (CHP) plants and a management system for renewable energy sources, including wind turbines and photovoltaic farms. These systems represent the convergence of traditional operational technology (OT) with modern IT infrastructure, creating complex attack surfaces that threat actors increasingly exploit.
Historical Context and Significance
The timing of this attack carries particular symbolic weight. It came ten years, almost to the week, after Sandworm's December 2015 attack on Ukraine's power grid, which cut power to roughly 230,000 customers for between one and six hours in western Ukraine, including the Ivano-Frankivsk region. That operation used BlackEnergy malware to gain access and the KillDisk wiper to destroy workstations and servers once the breakers had been opened, establishing a template for destructive cyber operations against critical infrastructure.

"Sandworm has a long history of disruptive cyberattacks, especially on Ukraine's critical infrastructure," ESET researchers noted in their report. "Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors."
This continuity demonstrates the group's persistent focus on energy systems and their strategic value in geopolitical conflict. Sandworm has struck outside Ukraine before, most visibly with NotPetya in 2017, but a destructive operation aimed directly at the energy operators of an EU and NATO member is a notable escalation and may signal broader targeting of NATO-aligned infrastructure.
Technical Analysis of DynoWiper
While ESET's report provides limited technical detail about DynoWiper's internals, the destructive stage of a wiper attack typically follows a recognizable pattern, in which the wiper itself is only the final payload:
- Access and Staging: The operators, not the wiper, gain a foothold, move laterally (often with legitimate administrative tooling) and identify the hosts whose loss will hurt most, such as engineering workstations, historians and domain controllers
- Deployment: The wiper is pushed to many hosts at once, commonly through Group Policy, scheduled tasks or remote service creation, so that it detonates everywhere within minutes
- Destruction Phase: The payload overwrites file contents, the master boot record or partition table, or the raw disk device itself, leaving systems unbootable; some wipers masquerade as ransomware but hold no key that could recover the data
- Anti-Forensics: Clearing event logs, deleting volume shadow copies, self-deletion and forced reboots hamper both recovery and analysis
The steady appearance of new wiper families shows that the actor keeps rebuilding its tooling rather than reusing samples that defenders already detect. The reporting summarized here does not say whether DynoWiper shares code with earlier wipers such as HermeticWiper (used against Ukraine in 2022) or PathWiper (identified in June 2025), so any lineage beyond the attribution overlap ESET describes remains unconfirmed.
Sandworm's Evolving Arsenal
Sandworm's activity in 2025 shows a pattern of continuous development and deployment of destructive malware:
- June 2025: Cisco Talos reported PathWiper targeting Ukrainian critical infrastructure, showing functional overlap with HermeticWiper
- Mid-2025: Deployment of ZEROLOT and Sting wipers in a Ukrainian university network
- June-September 2025: Multiple wiper variants used against Ukrainian governmental, energy, logistics, and grain sectors
This consistent activity demonstrates that wiper malware remains a preferred tool for nation-state actors seeking to cause disruption without necessarily maintaining long-term access for espionage.
Defensive Implications and Recommendations
The Polish government's successful defense against this attack provides valuable lessons for critical infrastructure operators worldwide:
1. Network Segmentation and Monitoring
Critical OT systems should sit in their own network zones, with traffic between IT and OT restricted to explicitly allowed conduits (jump hosts, historians, patch relays) and everything else denied. Continuous monitoring for anomalous behaviour is needed on both sides: in particular, alert on processes opening raw disk devices for writing, on bursts of file overwrites across many hosts, and on new Group Policy objects or scheduled tasks that push a binary fleet-wide, since these are the observable footprint of a wiper deployment. The attack on renewable energy management systems highlights that even "green" infrastructure requires the same rigor.
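The destruction-phase behaviours listed in the DynoWiper section and the monitoring advice above can be turned into concrete detection logic. The following is an added example, not code from ESET or from the page, and it encodes generic wiper tradecraft (raw-disk writes, overwrite bursts, overwrite-then-delete) rather than anything known about DynoWiper itself. The event stream, process names and thresholds are constructed for illustration; a real deployment would feed it Sysmon or EDR file and device events.

```python
"""Heuristic wiper-behaviour detection over an endpoint event stream.

Constructed example: the events below are invented and the image paths are
hypothetical. The three rules describe behaviour common to destructive wipers
in general, not any documented property of DynoWiper.
"""
import re
from collections import defaultdict, deque

# Handles to raw block devices, e.g. \\.\PhysicalDrive0 or \\.\C:
RAW_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$", re.IGNORECASE)

BENIGN = r"C:\Windows\explorer.exe"      # hypothetical benign process
SUSPECT = r"C:\Windows\Temp\svc.exe"     # hypothetical wiper process

# Constructed sample telemetry: ts (seconds), pid, image, op, target.
EVENTS = [
    {"ts": 0.0,  "pid": 4201, "image": BENIGN,  "op": "write",      "target": r"C:\Users\ops\report.docx"},
    {"ts": 1.0,  "pid": 4201, "image": BENIGN,  "op": "delete",     "target": r"C:\Users\ops\~tmp.docx"},
    {"ts": 10.0, "pid": 7788, "image": SUSPECT, "op": "open_write", "target": r"\\.\PhysicalDrive0"},
    {"ts": 11.0, "pid": 7788, "image": SUSPECT, "op": "write",      "target": r"\\.\PhysicalDrive0"},
    {"ts": 14.0, "pid": 7788, "image": SUSPECT, "op": "delete",     "target": r"C:\ProgramData\scada\cfg\file_0.xml"},
]
# A burst of overwrites across twelve configuration files in about one second.
EVENTS += [
    {"ts": 12.0 + i * 0.1, "pid": 7788, "image": SUSPECT, "op": "write",
     "target": rf"C:\ProgramData\scada\cfg\file_{i}.xml"}
    for i in range(12)
]


def _alert(rule, ev, detail):
    return {"rule": rule, "pid": ev["pid"], "image": ev["image"], "ts": ev["ts"], "detail": detail}


def detect(events, threshold=10, window=5.0):
    """Return alerts in event-time order.

    threshold: distinct files one process must write within `window` seconds
    to trigger the mass-overwrite rule. Each rule fires once per process.
    """
    alerts = []
    seen_raw = set()              # (pid, device) already reported
    flagged = set()               # (rule, pid) already reported
    recent = defaultdict(deque)   # pid -> deque of (ts, path) for recent writes
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, op, target, ts = ev["pid"], ev["op"], ev["target"], ev["ts"]

        # Rule 1: a write-capable handle on a raw block device (MBR/partition wiping).
        if op in ("open_write", "write") and RAW_DEVICE.match(target):
            key = (pid, target.lower())
            if key not in seen_raw:
                seen_raw.add(key)
                alerts.append(_alert("raw_device_write", ev, target))
            continue

        dq = recent[pid]
        while dq and ts - dq[0][0] > window:   # expire writes outside the window
            dq.popleft()

        if op == "write":
            dq.append((ts, target))
            distinct = {path for _, path in dq}
            # Rule 2: many distinct files rewritten by one process in a short window.
            if len(distinct) >= threshold and ("mass_overwrite", pid) not in flagged:
                flagged.add(("mass_overwrite", pid))
                alerts.append(_alert("mass_overwrite", ev, f"{len(distinct)} files in {window}s"))
        elif op == "delete":
            # Rule 3: a file this process just overwrote is now being deleted.
            if any(path == target for _, path in dq) and ("overwrite_then_delete", pid) not in flagged:
                flagged.add(("overwrite_then_delete", pid))
                alerts.append(_alert("overwrite_then_delete", ev, target))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["pid"], a["image"], a["detail"])
```

On the constructed stream the benign process produces nothing, while the suspect process trips all three rules in order. The thresholds are deliberately low to keep the sample short; in production they should be tuned per host role, since backup agents, build servers and patch installers legitimately rewrite many files at once, and the raw-device rule should be scoped with an allowlist of disk-management and imaging tools.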
2. Threat Intelligence Sharing
The attribution to Sandworm was possible through analysis of malware signatures and tactics, techniques, and procedures (TTPs). Organizations should participate in information sharing and analysis centers (ISACs) specific to their sector.
3. Incident Response Preparedness
Polish Prime Minister Donald Tusk announced plans for enhanced cybersecurity legislation, including stricter requirements for risk management, IT/OT protection, and incident response. Organizations should:
- Develop and regularly test incident response plans specific to destructive malware
- Maintain offline or immutable backups of critical systems, including OT configurations, PLC logic and engineering workstation images, and rehearse restoring from them
- Establish clear communication protocols with regulatory bodies and law enforcement
4. Supply Chain Security
Renewable energy management systems are frequently vendor-supplied and remotely maintained, which extends the attack surface to third-party access paths and software updates. Operators should inventory that access, treat vendor connections as untrusted conduits subject to the same controls as any other IT/OT boundary, and scrutinize the supply chain behind these platforms.
Broader Geopolitical Context
This attack occurs against a backdrop of increasing cyber tensions between Russia and NATO members. Poland, as a key NATO member bordering both Russia and Ukraine, represents a strategic target for Russian cyber operations. The attack may serve multiple objectives:
- Testing NATO's collective cyber defense capabilities
- Demonstrating capability to disrupt European energy supplies
- Creating psychological pressure on European governments supporting Ukraine
- Gathering intelligence on critical infrastructure protection measures
The Path Forward
The unsuccessful nature of this attack shouldn't lead to complacency. As ESET's analysis suggests, Sandworm continues to evolve its capabilities and expand its targeting. The development of new wiper malware like DynoWiper indicates that threat actors are investing significant resources in destructive cyber capabilities.
For critical infrastructure operators, this incident reinforces the need for:
- Defense-in-depth strategies that assume breach scenarios
- Regular security assessments of both IT and OT environments
- Collaboration with government agencies on threat intelligence and response
- Investment in security awareness for all personnel, including OT engineers

The Polish energy sector's successful defense provides a template for resilience, but the persistent threat from sophisticated nation-state actors means that vigilance and continuous improvement in security practices remain essential. As cyber threats continue to evolve in sophistication and scope, the energy sector's security must evolve accordingly, balancing operational efficiency with robust protection measures.
For organizations seeking to strengthen their defenses against similar threats, the ESET report provides detailed indicators of compromise and recommended detection rules available through their threat intelligence platform.
