Russian Sandworm Hackers Blamed for Major Cyberattack on Poland’s Power Grid

The420.in Staff

Security researchers and government officials have attributed a late-December 2025 cyberattack on Poland’s power grid to the notorious Russian state-linked hacking group Sandworm. The incident — one of the most severe attempts on Poland’s critical energy infrastructure in years — involved destructive malware and coincided with the 10th anniversary of a similar attack on Ukraine’s power network.

What Happened: Malware Attack Targeted Energy Systems

Between December 29 and 30, 2025, Poland’s energy infrastructure — including two combined heat and power plants and electricity systems for renewable energy installations — was targeted by a coordinated cyberattack using a newly identified data-wiping malware dubbed DynoWiper. The malware is designed to delete data and render systems unusable, potentially forcing system rebuilds or full restorations from backups.

Poland’s Energy Minister Milosz Motyka described the incident as the “strongest attack on the energy infrastructure in years”, though official statements confirm that the country’s cybersecurity defences successfully prevented any major disruptions or blackouts.

Cybersecurity firm ESET, based in Slovakia, analysed the malicious code and linked the attack to the Russian threat actor known as Sandworm — a group with a long history of sophisticated destructive campaigns against critical infrastructure in Europe and beyond.

Who Is Sandworm and Why It’s Significant

Sandworm is a Russia-aligned advanced persistent threat (APT) widely believed to operate under the GRU’s Unit 74455, part of Russia’s military intelligence. The group has been linked to several high-profile disruptive and destructive operations over the past decade, including:

  • the 2015 Ukraine power grid attack, which cut power to about 230,000 residents and was attributed to the BlackEnergy malware;
  • deployment of the infamous NotPetya ransomware that caused global disruption in 2017;
  • repeated wiper campaigns against Ukrainian systems throughout 2025.

Researchers say the DynoWiper malware (detected as Win32/KillFiles.NMO) used in the Poland attack has been attributed to Sandworm with “medium confidence”, based on strong overlaps in tactics, techniques and procedures (TTPs) with the group’s known operations.

Attack Failed to Cause Disruption but Raised Alarm

Despite the sophistication and timing of the assault, Polish authorities reported that defensive systems successfully thwarted the attackers. There were no confirmed electricity outages or critical system failures caused by the malware, indicating that robust cybersecurity measures contained the incident before it could achieve its intended destructive effect.

Officials said the attackers may have intended to disrupt communications between renewable energy installations (like wind turbines and solar farms) and grid operators, which could have had cascading effects on power distribution during peak winter demand.

Security analysts emphasise that the mere attempt — particularly on critical infrastructure — underscores persistent threats from state-linked cyber actors and the need for enhanced national and international cybersecurity cooperation.

Context and Significance

The attack’s timing — near the 10-year anniversary of Sandworm’s 2015 cyberattack on Ukraine’s power grid — raised concerns among cybersecurity experts about deliberate symbolic or strategic targeting. The 2015 incident is widely cited as the first malware-induced blackout in history.

Over recent years, Sandworm has remained active, frequently targeting utilities, government agencies and other infrastructure sectors — particularly in Eastern Europe — with wiper-type malware aimed at destruction rather than financial theft.

Poland, a member of NATO and a staunch supporter of Ukraine, has since increased its focus on strengthening cyber defences for critical infrastructure, including energy systems, telecom networks and government platforms.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.