
The Russian state-linked Sandworm hacking group has been identified as responsible for what is described as the “largest cyberattack” targeting Poland’s power system in the last week of December 2025. Although the attack was detected and neutralized without causing any disruption, experts have linked this activity to a new variant of “wiper” malware deployed by the threat actor.
Details of the DynoWiper attack and malware
According to a report by ESET, the attack was the work of Sandworm, which used a previously undocumented wiper malware called DynoWiper (also known as Win32/KillFiles.NMO). The attribution to Sandworm is based on similarities with the group’s previous activities, especially in the context of the Russian invasion of Ukraine.
The attack took place between December 29 and 30, 2025, and targeted:
- Two combined heat and power (CHP) cogeneration plants.
- A management system for electricity generated from renewable energy sources, such as wind turbines and photovoltaic parks.
ESET, which identified the use of DynoWiper in the attempted attack, confirmed that there is no evidence of successful disruption of the systems.
Historical context and Sandworm
This incident coincides with the 10th anniversary of Sandworm’s attack on the Ukrainian power grid in December 2015. Back then, the group deployed the BlackEnergy malware and a wiper called KillDisk, causing a 4-6 hour blackout that affected approximately 230,000 people in the Ivano-Frankivsk region.
Sandworm is known for its history of disruptive attacks against critical infrastructure, with a particular focus on Ukraine. Other recent attacks by the group include:
- June 2025: Attack on a Ukrainian critical infrastructure entity using the PathWiper wiper.
- June-September 2025: Deployment of wiper malware variants such as ZEROLOT and Sting against government, energy, logistics and grain entities in Ukraine.
Polish government response
Polish Prime Minister Donald Tusk attributed the attacks to “groups directly linked to Russian services.” In response, the government is preparing additional safeguards, including new cybersecurity legislation. This legislation will impose strict requirements in key areas of security:
- Risk management.
- Protection of information technology (IT) and operational technology (OT) systems.
- Incident response.
Conclusions
The Sandworm attack against Poland’s energy infrastructure underscores the persistence of state threat actors in attacking critical sectors. The reappearance of a significant attack on the anniversary of the 2015 Ukraine incident is no coincidence, and the use of new wiper malware like DynoWiper demonstrates the continued evolution of the group’s tactics. The Polish response, focused on strengthening risk management and security of OT systems, is crucial to mitigate future disruption attempts.
References
- ESET Report: [Mentioned in the text, ESET report on DynoWiper and Sandworm]
- Politicom.pl: [Source cited by the article about Minister Motyka’s statements]