Late December 2025 witnessed a significant cybersecurity incident targeting Poland’s critical energy infrastructure, with the Russian-aligned Sandworm APT group identified as the perpetrator. The sophisticated attack involved the deployment of a previously unknown data-wiping malware, subsequently named DynoWiper, raising alarms about the escalating threat to national power grids. This incident marks a concerning escalation given Sandworm’s history of disruptive cyber operations.
The timing of the attack, coinciding with the tenth anniversary of Sandworm’s infamous 2015 cyber assault that caused a widespread power outage in Ukraine, suggests a deliberate and strategic choice by the threat actors. ESET researchers, publishing their analysis on the company’s WeLiveSecurity blog, played a crucial role in identifying DynoWiper during their forensic examination of the intrusion. Their findings, which assigned the malware the detection signature Win32/KillFiles.NMO, confirmed its destructive purpose and its link to Sandworm’s established modus operandi.
DynoWiper’s Destructive Capabilities and Operational Impact on Poland’s Power Grid
DynoWiper functions as a potent file-destruction tool designed to overwrite and irretrievably delete critical data on compromised systems. Its architecture is indicative of Sandworm’s known tactics, which prioritize causing maximum disruption to targeted networks. The malware’s primary objective appears to be rapid data erasure, aiming to eliminate evidence and cripple operational capabilities simultaneously. Researchers noted its sophisticated understanding of Windows operating systems and potential vulnerabilities within power infrastructure environments, making its deployment a serious concern.
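The one concrete behaviour the article attributes to DynoWiper is rapid overwriting and deletion of files, and that burst pattern is what a defender can look for. The following is an added example, not code from the article or from ESET, and it assumes a constructed file-activity log format (timestamp, pid, action, path) and constructed sample events rather than any real DynoWiper artefacts; it flags a process that writes to or deletes an unusually large number of distinct files inside a short time window.

```python
"""Heuristic detector for wiper-like mass file destruction.

Added example (not from the article or ESET). Flags any process that
writes to or deletes many distinct files within a short window, the
burst pattern a file-overwriting wiper produces. The log format and the
sample events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <pid> <action> <path>".
# pid 4120 overwrites then deletes five files in three seconds (wiper-like);
# pid 2216 edits one file twice, twenty minutes apart (benign).
SAMPLE_EVENTS = """\
2025-12-29T02:14:00 4120 write C:\\Users\\ops\\report.docx
2025-12-29T02:14:01 4120 write C:\\Users\\ops\\schedule.xlsx
2025-12-29T02:14:01 4120 delete C:\\Users\\ops\\report.docx
2025-12-29T02:14:02 4120 delete C:\\Users\\ops\\schedule.xlsx
2025-12-29T02:14:02 4120 write C:\\Scada\\config\\points.cfg
2025-12-29T02:14:02 4120 delete C:\\Scada\\config\\points.cfg
2025-12-29T02:14:03 4120 write C:\\Scada\\hist\\2025-12.db
2025-12-29T02:14:03 4120 delete C:\\Scada\\hist\\2025-12.db
2025-12-29T02:14:03 4120 write C:\\Scada\\hist\\2025-11.db
2025-12-29T02:14:03 4120 delete C:\\Scada\\hist\\2025-11.db
2025-12-29T02:10:00 2216 write C:\\Users\\ops\\notes.txt
2025-12-29T02:30:00 2216 write C:\\Users\\ops\\notes.txt
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, pid, action, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), int(pid), action, path))
    return events


def find_destruction_bursts(events, window_seconds=10, threshold=5):
    """Return {pid: distinct_files} for every process that wrote to or
    deleted at least `threshold` distinct files within any sliding window
    of `window_seconds`. Reads and benign actions are ignored."""
    by_pid = defaultdict(list)
    for ts, pid, action, path in events:
        if action in ("write", "delete"):
            by_pid[pid].append((ts, path))

    flagged = {}
    for pid, hits in by_pid.items():
        hits.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it fits inside window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[pid] = max(flagged.get(pid, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for pid, count in find_destruction_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: pid {pid} hit {count} distinct files within 10s")
```

In production the event source would be Sysmon file-create/delete events or an EDR telemetry feed rather than a text log, and the window and threshold should be tuned against the host's normal backup and update activity, which can also touch many files quickly.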
Technical assessments of the attack revealed that while Sandworm successfully breached systems and deployed the DynoWiper malware, there were no confirmed operational disruptions to Poland’s energy distribution services. This outcome could be attributed to effective defensive measures implemented by the Polish authorities or unforeseen challenges encountered by the attackers during the execution phase. Nevertheless, the mere ability to deploy active wiper malware within such a vital national infrastructure highlights growing vulnerabilities in European power systems and underscores the persistent threat posed by sophisticated state-sponsored hacking groups.
The ongoing analysis aims to further understand the full scope of the intrusion and the specific methods employed by Sandworm to gain access to Poland’s power grid. The incident serves as a stark reminder of the evolving cyber threat landscape and the critical need for robust cybersecurity defenses for national infrastructure. Efforts are underway to assess the long-term implications of this attack and to strengthen preventative measures against future intrusions by groups like Sandworm, particularly in light of ongoing geopolitical tensions.