PROBABLYPWNED
Threat Intelligence · January 24, 2026 · 4 min read

Sandworm Deploys DynoWiper in Attack on Poland's Power Grid

ESET researchers attribute December cyberattack on Polish energy infrastructure to Russian GRU hackers. Previously unknown wiper malware recovered.

Alex Kowalski

Russian military intelligence hackers launched what Polish officials are calling the country's most significant cyberattack on energy infrastructure in years—and security researchers say they've recovered the wiper malware used in the assault.

ESET published findings Friday attributing the late December attack to Sandworm, the GRU unit responsible for some of the most destructive cyber operations of the past decade, including the 2015 and 2016 Ukrainian blackouts. The attack coincided almost exactly with the tenth anniversary of those earlier power grid strikes.

What Happened

The attacks occurred on December 29 and 30, 2025, targeting multiple components of Poland's energy infrastructure. Affected entities included two heat-and-power plants and a management system for renewable energy sources like wind turbines and solar farms.

Polish Energy Minister Milosz Motyka confirmed in January that the assault represented the strongest attack on the country's power infrastructure in years. Had the attack succeeded, authorities estimate it could have disrupted power to approximately 500,000 Polish residents.

The attack was ultimately unsuccessful. Poland's cybersecurity authorities and energy operators detected and contained the intrusion before it achieved its apparent goal of operational disruption.

The DynoWiper Malware

ESET obtained and analyzed the malware deployed during the attack, which they've designated DynoWiper (detected as Win32/KillFiles.NMO). Unlike ransomware designed for extortion, wiper malware exists for a single purpose: destroying data irreversibly.

Malware Details:

  • SHA-1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6
  • Classification: Data-wiping malware
  • Detection: Win32/KillFiles.NMO

DynoWiper follows the pattern of previous Sandworm destructive tools. The group has deployed numerous wipers over the years, including BlackEnergy, Industroyer, NotPetya, and CaddyWiper—each associated with attacks on Ukrainian critical infrastructure or broader disruptive campaigns.

Why ESET Attributes This to Sandworm

ESET researchers attribute the Poland attack to Sandworm with medium confidence based on several factors. The operational tactics align with previous Sandworm wiper campaigns, and the targeting of critical infrastructure in Eastern Europe fits the group's established pattern.

Sandworm, also tracked as APT44 or Seashell Blizzard, operates under Russia's Main Intelligence Directorate (GRU). The U.S. and British governments have formally attributed the unit's operations to Russian military intelligence. For context on Sandworm's history and significance, our cybersecurity book recommendations include detailed accounts of the group's NotPetya and Ukrainian blackout operations.

The timing matters too. Sandworm has demonstrated what researchers describe as "anniversary attacks"—operations timed to coincide with significant dates. The December 2025 attack on Poland landed almost exactly ten years after Sandworm's pioneering attacks against Ukraine's power grid in December 2015.

Poland as a Target

This attack represents an escalation. Robert Lipovsky, principal threat intelligence researcher at ESET, characterized the operation as "unprecedented" for Poland. While the country has faced previous Russian-aligned cyber operations—particularly since Russia's full-scale invasion of Ukraine in 2022—prior attacks weren't disruptive in nature or intent.

Poland has been a vocal supporter of Ukraine and serves as a key logistics hub for Western military aid. The country shares a border with both Ukraine and Russia's Kaliningrad exclave, making it a natural target for Russian pressure campaigns.

The attack also fits a broader pattern. Russian APT groups, including Sandworm, have continued targeting Ukrainian infrastructure with wipers and ransomware throughout 2025. Poland's support for Ukraine appears to have extended the target list.

Why This Matters

The Poland attack signals that Russian cyber operations against European critical infrastructure continue to expand beyond Ukraine. Energy sector organizations—particularly those in NATO countries supporting Ukraine—should treat Sandworm-associated threats as an active concern.

The attack's failure doesn't diminish its significance. Sandworm operators will learn from this attempt. Defenders in Poland and allied nations gained intelligence about current Sandworm TTPs, but the group will adapt.

Organizations operating critical infrastructure should review network segmentation between IT and OT environments, ensure incident response plans account for destructive attacks (not just ransomware), and monitor for the specific IOCs ESET has released. Contact ESET's threat intelligence team at [email protected] for additional technical indicators.
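To act on the "monitor for the specific IOCs" recommendation, here is an added example (not ESET's tooling and not code from this article) that sweeps a directory tree and reports any file whose SHA-1 matches the published DynoWiper hash. The function names, the size limit and the constructed sample file are this example's own assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The single file hash ESET published for DynoWiper (value taken from the article).
DYNOWIPER_SHA1 = {"4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6"}


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_for_iocs(root, iocs=DYNOWIPER_SHA1, max_size=512 << 20):
    """Return [(path, sha1)] for every regular file under root whose hash is in iocs."""
    wanted = {h.lower() for h in iocs}          # compare case-insensitively
    hits = []
    for dirpath, _dirs, names in os.walk(root):  # os.walk does not follow dir symlinks
        for name in names:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue                     # skip links, devices, sockets
                if path.stat().st_size > max_size:
                    continue                     # assumed cap; tune for your estate
                digest = sha1_of_file(path)
            except OSError:
                continue                         # unreadable file: log it in practice
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Constructed sample tree: one benign file, then that file's own hash used as an IoC."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    sample = Path(root) / "benign.bin"
    sample.write_bytes(b"constructed sample content, not malware")  # constructed input
    sample_hash = sha1_of_file(sample)
    clean = hunt_for_iocs(root)                          # nothing matches DynoWiper
    seeded = hunt_for_iocs(root, iocs={sample_hash.upper()})  # upper-case IoC still hits
    return clean, seeded, str(sample), sample_hash


if __name__ == "__main__":
    print(demo())
```

A single file hash catches only that exact build, so treat a match as high-confidence but a miss as uninformative; pair the sweep with the Win32/KillFiles.NMO detection and with alerting on bulk file overwrites in OT-adjacent hosts.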

We previously covered Amazon's disruption of a separate multi-year Sandworm campaign targeting the Western energy sector through misconfigured edge devices—a reminder that this threat actor maintains multiple concurrent operations against similar targets.
