Unveiling DynoWiper: Sandworm’s Unsuccessful Cyber Assault on Poland’s Energy Infrastructure
In late December 2025, Poland’s energy sector faced a significant cyber threat attributed to the Russian state-sponsored hacking group known as Sandworm. This incident, described as the most substantial cyber attack on the nation’s power system in recent years, was ultimately thwarted, preventing any disruption to the energy infrastructure.
Milosz Motyka, Poland’s Energy Minister, highlighted the severity of the situation, stating that the country’s cyberspace forces had identified and neutralized the most intense attack on the energy infrastructure in years. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system responsible for managing electricity generated from renewable sources, including wind turbines and photovoltaic farms.
ESET, a Slovakian cybersecurity firm, conducted an in-depth analysis of the incident and identified the deployment of a previously undocumented wiper malware named DynoWiper. The characteristics of this malware and the tactics employed in the attack bear significant similarities to prior activities associated with Sandworm, particularly those following Russia’s military invasion of Ukraine in February 2022.
Prime Minister Donald Tusk addressed the nation, indicating that the attacks were likely orchestrated by groups directly linked to Russian services. In response, the Polish government is preparing to implement enhanced cybersecurity measures, including legislation that will enforce stringent requirements on risk management, protection of information technology (IT) and operational technology (OT) systems, and incident response protocols.
This attempted cyber assault coincided with the tenth anniversary of Sandworm’s notorious attack on Ukraine’s power grid in December 2015. That earlier incident involved the deployment of the BlackEnergy malware, leading to a 4–6 hour power outage that affected approximately 230,000 people in the Ivano-Frankivsk region. The attack used wiper malware known as KillDisk to disrupt operations.
Sandworm has a well-documented history of executing disruptive cyber attacks, particularly targeting Ukraine’s critical infrastructure. Over the past decade, the group has continued to focus on entities operating in various critical infrastructure sectors.
In June 2025, Cisco Talos reported that a critical infrastructure entity within Ukraine was targeted by a new data wiper named PathWiper, which shares functional similarities with Sandworm’s HermeticWiper. Additionally, between June and September 2025, Sandworm was observed deploying data-wiping malware variants such as ZEROLOT and Sting against Ukrainian entities in the governmental, energy, logistics, and grain sectors.
The unsuccessful attack on Poland’s energy infrastructure underscores the persistent cyber threats posed by state-sponsored actors like Sandworm. It also highlights the critical importance of robust cybersecurity measures and international cooperation to safeguard essential services and infrastructure from such sophisticated cyber threats.