DynoWiper: The New Cyber Threat Targeting Poland’s Energy Sector
In December 2025, a formidable cyber threat emerged, targeting Poland’s energy infrastructure. Dubbed DynoWiper, this malicious software is designed to irreversibly erase critical data, rendering systems inoperable.
Discovery and Initial Deployment
Security researchers first identified DynoWiper in December 2025 during an attack on a Polish energy company. Unlike ransomware, which encrypts data for ransom, DynoWiper’s sole purpose is destruction. It overwrites data across infected networks, leading to complete system failures.
Attack Methodology
The attackers utilized various file variants, including schtask.exe, schtask2.exe, and an update executable, all deployed on December 29, 2025. After initial execution failures, they modified the malware to bypass security measures. Fortunately, the company’s endpoint detection and response systems successfully blocked these attempts, mitigating potential damage.
Attribution to Sandworm
Analysts from Welivesecurity noted similarities between DynoWiper and the ZOV wiper, previously used against Ukrainian targets. This connection suggests that the Russia-aligned group Sandworm, known for attacks on energy sectors, is behind DynoWiper. Sandworm is linked to Unit 74455 of Russia’s Main Intelligence Directorate (GRU) and has a history of targeting critical infrastructure in Eastern Europe.
Technical Breakdown
DynoWiper operates in three destructive phases:
1. File Identification: It searches all fixed and removable drives, excluding certain system directories to maintain temporary functionality.
2. Data Overwriting: Utilizing a 16-byte buffer of random data, it overwrites file contents. Files smaller than 16 bytes are entirely overwritten, while larger files have portions destroyed to expedite the process.
3. System Disruption: The cumulative effect renders systems unbootable, causing significant operational disruptions.
Sophisticated Deployment Tactics
The attackers demonstrated advanced network penetration skills by exploiting Active Directory Group Policy to distribute DynoWiper. This method requires Domain Admin privileges, indicating deep infiltration into the organization’s network. The malware was placed in a shared directory, enabling simultaneous execution across multiple machines.
Pre-Attack Reconnaissance
Before deploying DynoWiper, the attackers engaged in extensive reconnaissance:
– Credential Theft: They used tools like Rubeus to steal credentials and attempted to dump the LSASS process memory via Windows Task Manager.
– Establishing Remote Access: A SOCKS5 proxy tool named rsocx was deployed to create reverse connections with external servers.
This multi-stage approach underscores the attackers’ meticulous planning before unleashing the destructive payload.
Implications for the Energy Sector
The emergence of DynoWiper highlights the escalating cyber threats facing critical infrastructure. Energy companies must adopt stringent security measures, including:
– Access Controls: Implement strict access policies to limit unauthorized entry.
– Network Segmentation: Divide networks into segments to contain potential breaches.
– Continuous Monitoring: Employ real-time monitoring to detect and respond to threats promptly.
Proactive defense strategies are essential to safeguard against such sophisticated cyberattacks.
Conclusion
DynoWiper represents a significant escalation in cyber warfare tactics, focusing solely on data destruction without financial motives. Its deployment against Poland’s energy sector serves as a stark reminder of the vulnerabilities within critical infrastructure. Organizations must remain vigilant, continuously updating their security protocols to counteract evolving threats.
