Sophisticated threat actors linked to Russia’s notorious Sandworm group are believed to have orchestrated a targeted cyber assault on critical energy infrastructure within Poland in late December 2025, attempting to deploy a previously undocumented data-wiping malware identified as DynoWiper. This incident underscores the persistent and escalating threat posed by state-sponsored entities to essential services, marking a significant escalation in hybrid warfare tactics against a NATO and European Union member state. The meticulously planned but ultimately thwarted operation highlights the continued weaponization of cyber capabilities in geopolitical conflicts, particularly against nations perceived as adversaries by Moscow.
The cyberattack, spanning December 29th and 30th, 2025, specifically targeted two combined heat and power plants, alongside a crucial management system responsible for integrating electricity generated from renewable sources such as wind turbines and photovoltaic farms. This multifaceted targeting indicates a strategic intent to not only disrupt traditional energy generation but also to compromise the emerging infrastructure underpinning Poland’s transition to sustainable energy. The deployment of DynoWiper suggests a primary objective of destruction and disruption, aiming to render critical operational technology systems inoperable and inflict significant operational and financial damage.
Sandworm, a group recognized by various aliases including UAC-0113, APT44, and Seashell Blizzard, has been a prominent and highly destructive force in the realm of state-sponsored cyber warfare since at least 2009. Widely attributed to Russia’s Main Intelligence Directorate (GRU), specifically Military Unit 74455, the group has an extensive history of pioneering disruptive and destructive cyber operations. Their operational signature often involves the deployment of data-wiping malware designed to cause maximum damage and impede recovery efforts. This latest incident against Poland’s energy grid aligns precisely with their established pattern of targeting critical national infrastructure to achieve strategic geopolitical objectives.
A decade prior to the Polish incident, in December 2015, Sandworm executed a landmark cyberattack that plunged approximately 230,000 people in Ukraine into darkness. This highly publicized event, which involved the BlackEnergy malware, demonstrated the group’s capability to directly impact civilian life through cyber means and served as a stark warning of the potential for such attacks to escalate. The 2017 NotPetya attack, also attributed to Sandworm, further showcased their capacity for widespread, indiscriminate destruction, causing billions of dollars in global damages, despite its initial targeting of Ukraine. These historical precedents provide critical context for understanding the severity and intent behind the recent Polish incident.

The newly identified DynoWiper malware represents an evolution in Sandworm’s destructive toolkit. While comprehensive technical details remain scarce, security researchers have confirmed its classification as a data wiper, detected as Win32/KillFiles.NMO, with a specific SHA-1 hash. Data wipers function by systematically iterating through a computer’s filesystem, deleting or corrupting files, and often overwriting critical system areas. The ultimate outcome is an inoperable operating system that necessitates complete rebuilding from backups or reinstallation, a process that can be both time-consuming and costly, particularly for complex industrial control systems (ICS) and operational technology (OT) environments. The absence of publicly available samples of DynoWiper on common malware analysis platforms suggests a tightly controlled deployment or successful containment before widespread dissemination.
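The wiper behaviour described above (one process rapidly deleting or overwriting files across many directories, including system areas) is what a defender would hunt for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor; it runs over a constructed set of EDR-style file events and the thresholds, paths and event layout are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed EDR-style file events (timestamp, process, action, path); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-12-29T23:58:00", r"C:\Windows\Temp\upd.exe", "overwrite", r"C:\Users\ops\Documents\plan.docx"),
    ("2025-12-29T23:58:01", r"C:\Windows\Temp\upd.exe", "delete",    r"C:\Users\ops\Documents\plan.docx"),
    ("2025-12-29T23:58:02", r"C:\Windows\Temp\upd.exe", "overwrite", r"C:\ProgramData\scada\hist.db"),
    ("2025-12-29T23:58:03", r"C:\Windows\Temp\upd.exe", "delete",    r"C:\ProgramData\scada\hist.db"),
    ("2025-12-29T23:58:04", r"C:\Windows\Temp\upd.exe", "overwrite", r"C:\Windows\System32\config\SYSTEM"),
    ("2025-12-29T23:58:30", r"C:\Program Files\Editor\editor.exe", "overwrite", r"C:\Users\ops\notes.txt"),
    ("2025-12-29T23:59:10", r"C:\Program Files\Editor\editor.exe", "delete",    r"C:\Users\ops\tmp.txt"),
]

# "Critical system areas" in the sense of the text; assumed prefixes for this example.
SYSTEM_AREAS = (r"C:\Windows\System32", r"C:\Boot")
WINDOW, MIN_EVENTS, MIN_DIRS = timedelta(seconds=30), 5, 3   # assumed tuning values

def detect_wiper_bursts(events, window=WINDOW, min_events=MIN_EVENTS, min_dirs=MIN_DIRS):
    """Flag any process that deletes/overwrites >= min_events files spread over
    >= min_dirs directories within one sliding time window. One alert per process."""
    recent = defaultdict(deque)          # process -> (time, path) events still in the window
    alerts = {}
    for ts, proc, action, path in sorted(events):
        if action not in ("delete", "overwrite"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[proc]
        q.append((t, path))
        while q and t - q[0][0] > window:   # evict events that fell out of the window
            q.popleft()
        dirs = {str(PureWindowsPath(p).parent) for _, p in q}
        if len(q) >= min_events and len(dirs) >= min_dirs:
            touched_sys = any(p.startswith(SYSTEM_AREAS) for _, p in q)
            alerts[proc] = {"process": proc, "events": len(q), "dirs": len(dirs),
                            "system_area": touched_sys, "last_seen": ts}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_wiper_bursts(SAMPLE_EVENTS):
        print(alert)
```

The editor process, which touches two files forty seconds apart, stays below both thresholds; the burst from the temp-directory binary trips the rule and is additionally marked because it reached a system area.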
Polish officials reacted swiftly to the cyber intrusion. Prime Minister Donald Tusk issued a public statement, unequivocally attributing the attacks to "groups directly linked to the Russian services." This high-level political attribution underscores the perceived certainty of the intelligence assessment and the gravity with which the Polish government views the incident. Such direct accusations from a NATO member state against Russia regarding an attack on critical infrastructure carry significant diplomatic and strategic weight, signaling a potential for broader international repercussions.
The method of initial access and the duration of the threat actors’ presence within Poland’s systems prior to the attempted wiper deployment remain undisclosed. However, the sophistication typically associated with Sandworm suggests a carefully planned infiltration, potentially involving reconnaissance, lateral movement, and the establishment of persistent access. Cybersecurity experts emphasize the importance of understanding the adversary’s full kill chain, from initial compromise to execution, to effectively bolster defenses. Analysts frequently refer to comprehensive reports, such as Microsoft’s February 2025 assessment of Sandworm’s "BadPilot" campaign, which details the group’s multi-year global access operations, to inform defensive strategies.
The Polish energy sector incident is not an isolated event in Sandworm’s recent operational history. Throughout 2025, the group was implicated in a series of destructive data-wiping attacks targeting critical sectors within Ukraine, including education, government, and notably, the vital grain industry. These attacks, occurring in June and September 2025, further demonstrate Sandworm’s consistent use of wipers to inflict economic and societal damage, particularly against nations actively resisting Russian aggression. The expansion of such tactics to a NATO and EU member like Poland signifies a potential shift in the risk landscape, testing the resilience of Western critical infrastructure and the collective defense mechanisms of international alliances.

The geopolitical implications of this attempted attack are substantial. Poland, a frontline state within NATO and a staunch supporter of Ukraine, represents a strategic target for Russian cyber operations aimed at destabilizing regional security and testing the resolve of the Western alliance. Targeting critical energy infrastructure can serve multiple purposes: it can inflict economic damage, sow public discord, demonstrate capabilities, and potentially coerce political decisions. The "failed" nature of the wiper attack, while a testament to Polish defensive capabilities, does not diminish the malicious intent or the strategic significance of the attempt. It highlights the constant cat-and-mouse game between sophisticated state-sponsored attackers and national cybersecurity defenses.
Effective defense against such advanced persistent threats (APTs) requires a multi-layered approach. For critical infrastructure operators, this includes rigorous network segmentation, robust access controls, continuous monitoring for anomalous activity, and the implementation of strong incident response plans. Crucially, the ability to rapidly recover from a destructive attack hinges on comprehensive and frequently tested backup strategies, ensuring that systems can be rebuilt from clean images. Furthermore, proactive threat intelligence, including detailed insights into Sandworm’s evolving tactics, techniques, and procedures (TTPs), is indispensable for anticipating and mitigating future threats. International collaboration and intelligence sharing among allied nations are also paramount to create a collective defense posture capable of deterring and defending against state-sponsored aggression.
Looking ahead, the incident involving DynoWiper against Poland’s energy grid signals a continued trajectory of escalating cyber warfare. Nation-state actors, particularly those with a track record like Sandworm, are continuously refining their tools and methods to bypass existing defenses. The development of novel wipers, the exploration of new attack vectors, and the persistent targeting of critical infrastructure across various sectors are trends expected to intensify. The implications extend beyond immediate operational disruption, touching upon national security, economic stability, and public trust. The ability of nations to maintain cyber resilience and to effectively deter or respond to such sophisticated attacks will remain a defining challenge in the contemporary geopolitical landscape, demanding sustained investment in cybersecurity capabilities and international cooperation. The thwarted attack in Poland serves as a critical reminder of the ongoing digital battle for control over essential services and national sovereignty.