A late December 2025 cyberattack on Poland's energy infrastructure, targeting combined heat and power plants and renewable energy management systems, has been attributed to the Russian state-sponsored Sandworm group. The attackers attempted to deploy a new data-wiping malware called DynoWiper, but the attack was ultimately unsuccessful, highlighting the ongoing threat to critical national infrastructure and the importance of robust defensive measures.
In late December 2025, Poland's energy sector faced a sophisticated cyberattack aimed at disrupting critical infrastructure. The incident, which targeted two combined heat and power plants and a management system for renewable energy sources like wind turbines and photovoltaic farms, has now been officially linked to the notorious Russian state-sponsored hacking group known as Sandworm. The attackers attempted to deploy a new destructive data-wiping malware, dubbed DynoWiper, but the attack was ultimately unsuccessful, preventing widespread power outages.

The Attack and Its Attribution
Sandworm (also tracked as UAC-0113, APT44, and Seashell Blizzard) is a highly capable Russian nation-state hacking group believed to be part of Russia's Military Unit 74455 of the Main Intelligence Directorate (GRU). Active since 2009, the group is infamous for carrying out disruptive and destructive attacks, most notably the 2015 assault on Ukraine's energy grid that left approximately 230,000 people without power. The recent attack on Poland bears a chilling resemblance to these past operations, targeting the heart of a nation's energy supply.
Polish Prime Minister Donald Tusk confirmed the attribution in a press statement, saying, "Everything indicates that these attacks were prepared by groups directly linked to the Russian services." The attack occurred on December 29-30, 2025, and was first reported by cybersecurity firm ESET. While the full technical details remain limited, ESET has classified the malware as Win32/KillFiles.NMO and provided a SHA-1 hash (4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6) for identification. Notably, a sample of DynoWiper has not yet been found on public malware analysis platforms like VirusTotal, Triage, or Any.Run, suggesting it may be a new, previously unseen variant or a closely guarded tool within Sandworm's arsenal.
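A hash published by a vendor is only useful if it is actually checked against the file systems you care about. The script below is an added example, not ESET's or the article's tooling: it walks a directory tree, hashes each file in chunks and reports any whose SHA-1 is on a small indicator list seeded with the DynoWiper hash quoted above. The directory path, the `self_check` routine and the sample file it writes are constructed for the demonstration.

```python
"""Sweep a directory tree for files whose SHA-1 matches a known-indicator list.

Added example; not ESET's or the article's own tooling. The only real
indicator is the DynoWiper SHA-1 that ESET published (quoted in the
article). The sweep root and the sample file in self_check() are
constructed for the demonstration.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# SHA-1 from ESET's detection name Win32/KillFiles.NMO, as quoted in the article.
DYNOWIPER_SHA1 = "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6"

# lowercase hex digest -> label; extend from vendor feeds as they publish more.
KNOWN_IOCS: Dict[str, str] = {DYNOWIPER_SHA1: "DynoWiper (Win32/KillFiles.NMO)"}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries never need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str] = KNOWN_IOCS) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Walk `root` and return (matches, unreadable).

    matches    : (path, label) for every file whose SHA-1 is in `iocs`
    unreadable : files that could not be opened (permissions, vanished mid-walk)
    Hash case is normalised so feeds that publish upper-case digests still match.
    """
    wanted = {k.lower(): v for k, v in iocs.items()}
    matches: List[Tuple[str, str]] = []
    unreadable: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                unreadable.append(path)
                continue
            if digest in wanted:
                matches.append((path, wanted[digest]))
    return matches, unreadable


def self_check() -> bool:
    """Constructed demonstration: write a harmless sample file, then sweep for
    its own hash (must match) and for the real DynoWiper hash (must not)."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    try:
        sample = os.path.join(root, "sample.bin")
        payload = b"constructed sample file, not malware"
        with open(sample, "wb") as fh:
            fh.write(payload)
        digest = hashlib.sha1(payload).hexdigest()
        hits, bad = sweep(root, {digest.upper(): "constructed-sample"})
        clean, _ = sweep(root)  # default list: only the DynoWiper hash
        return hits == [(sample, "constructed-sample")] and bad == [] and clean == []
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    found, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p, label in found:
        print(f"MATCH {label}: {p}")
    print(f"{len(found)} match(es), {len(skipped)} unreadable file(s)")
```

Run it as `python sweep.py C:\` (or `/`) from an account that can read the paths of interest; unreadable files are reported separately rather than silently skipped, because a wiper dropped into a protected location would otherwise be missed without any trace in the output.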
Understanding Data Wipers and the DynoWiper Threat
Data wipers are a category of malware designed for pure destruction. Unlike ransomware, which encrypts data for financial gain, wipers permanently delete files, corrupt system components, and render operating systems unusable. When executed, a wiper typically iterates through a filesystem, overwriting or deleting critical files, system libraries, and configuration data. The result is a system that cannot boot or function, often requiring a complete rebuild from backups or a full reinstallation of the operating system.
The attempted deployment of DynoWiper on Poland's energy systems underscores the persistent threat posed by nation-state actors to critical infrastructure. The attack's focus on both traditional power generation (combined heat and power plants) and modern renewable energy management systems indicates a comprehensive understanding of Poland's energy grid architecture. This dual-target approach is a hallmark of advanced persistent threat (APT) groups, which conduct extensive reconnaissance to maximize impact.
Expert Context and Defensive Recommendations
While specific details about DynoWiper's infection vector and dwell time within Poland's systems are not publicly available, the incident serves as a critical reminder for defenders. Will Thomas, Senior Threat Intel Advisor for Team Cymru (also known as BushidoToken), recommends that security professionals review Microsoft's February 2025 report on Sandworm. This report provides valuable insights into the group's tactics, techniques, and procedures (TTPs), which can help organizations identify and mitigate similar threats.
Sandworm's recent activities are not isolated. The group has been linked to destructive data-wiping attacks on Ukraine's education, government, and grain sectors in June and September 2025. This pattern of behavior demonstrates a strategic focus on destabilizing critical sectors in adversary nations. For organizations in the energy, utilities, and other critical infrastructure sectors, the following practical takeaways are essential:
- Implement Robust Backup and Recovery Procedures: Ensure that critical systems have immutable, offline backups that are regularly tested. In the event of a wiper attack, the ability to restore from a clean backup is the most effective recovery method.
- Adopt a Zero-Trust Architecture: Assume that networks are already compromised. Segment critical infrastructure networks, enforce strict access controls, and continuously monitor for anomalous activity.
- Leverage Threat Intelligence: Subscribe to and actively use threat intelligence feeds from organizations like ESET, Microsoft, and CISA. Understanding the latest TTPs of groups like Sandworm can inform defensive strategies.
- Conduct Regular Penetration Testing and Red Team Exercises: Proactively test defenses against simulated nation-state attacks to identify and remediate vulnerabilities before adversaries can exploit them.
- Enhance Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting and blocking wiper malware behavior, such as mass file deletion and system file corruption.
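The wiper behaviour described earlier (a process iterating the file system and deleting or overwriting many files in quick succession) is what the EDR takeaway asks you to detect. The script below is an added example, not the article's, ESET's or any EDR vendor's detection logic: it keeps a per-process sliding window over an audit stream and raises one alert when a single process touches a threshold number of distinct files with delete or overwrite operations inside the window, reporting how many top-level directories were hit to help separate a wiper from an installer cleaning up its own tree. The event schema, the thresholds and every log line in `SAMPLE_LOG` are constructed for the demonstration; a real deployment would map Sysmon file-delete events, auditd or an EDR export into the same fields.

```python
"""Flag wiper-like bursts of file deletion or overwriting in an audit stream.

Added example for this article; not the article's, ESET's or any vendor's
detection logic. The event schema, the thresholds and all log lines below
are constructed for the demonstration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Tuple

WINDOW_SEC = 10   # assumed sliding-window length in seconds
THRESHOLD = 5     # assumed number of distinct files that triggers an alert
DESTRUCTIVE_OPS = {"delete", "overwrite"}

# Constructed sample: a benign updater removes temp files one every 30 s;
# a second process destroys five files across three directory trees in 3 s.
SAMPLE_LOG = r"""
{"ts":"2025-12-29T22:00:00Z","host":"ws-ops-01","pid":4120,"image":"C:\\Windows\\System32\\svchost.exe","op":"write","path":"C:\\ProgramData\\telemetry\\log.txt"}
{"ts":"2025-12-29T22:00:01Z","host":"ws-ops-01","pid":3388,"image":"C:\\Program Files\\Updater\\updater.exe","op":"delete","path":"C:\\Temp\\pkg1.tmp"}
{"ts":"2025-12-29T22:00:31Z","host":"ws-ops-01","pid":3388,"image":"C:\\Program Files\\Updater\\updater.exe","op":"delete","path":"C:\\Temp\\pkg2.tmp"}
{"ts":"2025-12-29T22:01:01Z","host":"ws-ops-01","pid":3388,"image":"C:\\Program Files\\Updater\\updater.exe","op":"delete","path":"C:\\Temp\\pkg3.tmp"}
{"ts":"2025-12-29T22:05:00Z","host":"ws-ops-01","pid":7712,"image":"C:\\Users\\Public\\svc.exe","op":"overwrite","path":"C:\\Users\\oper\\Documents\\plan.xlsx"}
{"ts":"2025-12-29T22:05:00Z","host":"ws-ops-01","pid":7712,"image":"C:\\Users\\Public\\svc.exe","op":"overwrite","path":"C:\\Users\\oper\\Documents\\notes.docx"}
{"ts":"2025-12-29T22:05:01Z","host":"ws-ops-01","pid":7712,"image":"C:\\Users\\Public\\svc.exe","op":"delete","path":"C:\\Windows\\System32\\config\\SYSTEM"}
{"ts":"2025-12-29T22:05:02Z","host":"ws-ops-01","pid":7712,"image":"C:\\Users\\Public\\svc.exe","op":"delete","path":"C:\\Windows\\System32\\drivers\\disk.sys"}
{"ts":"2025-12-29T22:05:03Z","host":"ws-ops-01","pid":7712,"image":"C:\\Users\\Public\\svc.exe","op":"overwrite","path":"C:\\ProgramData\\scada\\tags.db"}
"""


def _top_dir(path: str) -> str:
    """Drive plus first directory: 'C:\\Users\\x\\f.txt' -> 'C:/Users', '/etc/passwd' -> '/etc'."""
    parts = path.replace("\\", "/").split("/")
    return "/".join(parts[:2])


def parse_event(line: str) -> dict:
    """One JSON object per line; 'ts' is ISO-8601, a trailing Z meaning UTC."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_bursts(lines: Iterable[str],
                  window_sec: int = WINDOW_SEC,
                  threshold: int = THRESHOLD) -> List[dict]:
    """Return one alert per (host, pid) whose destructive ops on distinct files
    reach `threshold` within any `window_sec` span. Non-destructive ops are ignored."""
    windows: Dict[Tuple[str, int], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("op") not in DESTRUCTIVE_OPS:
            continue
        key = (ev["host"], ev["pid"])
        win = windows[key]
        win.append((ev["ts"], ev["path"]))
        # Evict entries that fell out of the window relative to this event.
        while win and (ev["ts"] - win[0][0]).total_seconds() > window_sec:
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)  # report each process once, not on every later event
            alerts.append({
                "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                "first_ts": win[0][0].isoformat(), "last_ts": ev["ts"].isoformat(),
                "distinct_files": len(distinct),
                "top_dirs": sorted({_top_dir(p) for p in distinct}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the constructed sample the updater never alerts (its window never holds more than one file), while the second process alerts on its fifth destructive event with three top-level directories touched, which is the spread you would expect from a wiper rather than from a tool cleaning its own temp folder. Tune `WINDOW_SEC` and `THRESHOLD` against your own baseline, and add an allow-list for known bulk-deleting images before alerting in production.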
The Broader Geopolitical Context
This attack on Poland is part of a broader pattern of Russian cyber aggression targeting European energy infrastructure. It follows a similar incident in Denmark, where a Russian cyberattack was blamed for disrupting a water utility. Additionally, Amazon recently reported disrupting Russian GRU hackers attempting to attack edge network devices, and Sandworm has been observed posing as hacktivists in breaches targeting water utilities.
For security professionals, the key takeaway is that nation-state threats are not abstract concepts—they are active, evolving, and capable of causing real-world disruption. The failed attack on Poland's energy systems is a testament to the effectiveness of defensive measures, but it also serves as a stark warning. As Sandworm and similar groups continue to refine their tools and tactics, the need for vigilant, proactive defense has never been greater.
Related Resources
- ESET Research on Sandworm: ESET's analysis of Sandworm activities
- Microsoft's February 2025 Report on Sandworm: Microsoft Threat Intelligence Center (MSTIC) Report
- CISA Guidance on Critical Infrastructure Security: CISA's Critical Infrastructure Security Resources
- Team Cymru Threat Intel: Team Cymru Research and Publications
