
The Russian state hacking group known as Sandworm is said to have been behind what was described as the “largest cyber attack” targeting Poland’s electricity system in the last week of December 2025.
The country’s Energy Minister Miłosz Motyka said last week that the attack had failed.
“The Cyberspace Command has diagnosed the last few days of this year as the most powerful attack on energy infrastructure in years,” Motyka said.

According to a new report from ESET, the attack was the work of Sandworm, which deployed a previously undocumented wiper malware codenamed DynoWiper. The attribution to Sandworm is based on overlap with previous wiper activity associated with the group, particularly in the aftermath of Russia’s military invasion of Ukraine in February 2022.
The Slovak cybersecurity company, which identified the wiper as part of a devastating attack targeting Poland’s energy sector on December 29, 2025, said there was no evidence of successful destruction.
According to the Polish government, the attacks on December 29 and 30, 2025 targeted two combined heat and power (CHP) plants and systems that enable the management of electricity generated from renewable energy sources such as wind turbines and solar power plants.
“Everything shows that these attacks were prepared by groups with direct links to Russian services,” Prime Minister Donald Tusk said, adding that the government was preparing additional safeguards, including significant cybersecurity legislation that imposes strict requirements on risk management, the protection of information technology (IT) and operational technology (OT) systems, and incident response.
Notably, this activity occurred on the 10th anniversary of the Sandworm attack on Ukraine’s power grid in December 2015. The attack deployed BlackEnergy malware and plunged parts of Ukraine’s Ivano-Frankivsk region into darkness.
This Trojan horse was used to plant wiper malware called KillDisk, causing a power outage for approximately 230,000 people for 4 to 6 hours.

“Sandworm has a long history of destructive cyberattacks, particularly against critical infrastructure in Ukraine,” ESET said. “Ten years later, Sandworm continues to target companies operating in a variety of critical infrastructure sectors.”
In June 2025, Cisco Talos announced that critical infrastructure entities in Ukraine were targeted by a never-before-seen data wiper malware named PathWiper, which has some functional overlap with Sandworm’s HermeticWiper.
The Russian hacker group was also observed deploying data-wiping malware such as ZEROLOT and Sting on Ukrainian university networks, and subsequently deployed multiple data-wiping malware variants against Ukrainian organizations operating in the government, energy, logistics, and grain sectors from June to September 2025.
