Sandworm Hackers Fail in DynoWiper Attack on Poland's Power Grid

A recently disclosed cyberattack against Poland’s energy infrastructure has been linked to the Russian state-backed hacking group Sandworm, highlighting the persistent threat facing Europe’s critical sectors. The incident occurred between December 29 and 30, 2025, and reportedly targeted elements of the country’s power grid, including combined heat and power plants and systems managing electricity from renewable sources such as wind and solar. Although the attackers attempted to deploy a new destructive data wiper known as DynoWiper, Polish authorities say the operation ultimately failed to cause large-scale disruption.

Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, has a long history of conducting disruptive and destructive cyber operations aligned with Russian strategic interests. Active since at least 2009 and believed to be part of Russia’s GRU Military Unit 74455, the group is infamous for past campaigns, including an attack on Ukraine’s energy grid roughly a decade ago that temporarily cut power to about 230,000 people. The latest activity in Poland fits a broader pattern of Sandworm’s focus on critical infrastructure, particularly in countries supporting Ukraine or opposing Russian policies.

In the Polish case, security firm ESET linked Sandworm to the attack and identified the destructive malware used as DynoWiper, a previously unknown data-wiping tool. Data wipers are designed to iterate through a filesystem and delete or corrupt files, rendering the operating system unusable and forcing victims to rebuild systems from backups or perform complete reinstalls. ESET says DynoWiper is detected as Win32/KillFiles.NMO and has a specific SHA-1 hash, though no public samples have yet appeared on common malware analysis platforms such as VirusTotal or Any.Run.

Polish officials reported that the attackers focused on two combined heat and power plants, as well as a management system responsible for controlling energy generated from wind turbines and photovoltaic farms. Prime Minister Donald Tusk stated that “everything indicates” the operation was carried out by groups directly linked to Russian services, underscoring the political and geopolitical context surrounding the intrusion. While authorities did not provide detailed information on the extent of the compromise or the attackers’ dwell time, they emphasized that the attempt to cause destructive impact was thwarted.

Despite the failed outcome, cybersecurity experts warn that the incident should serve as a serious wake-up call for defenders across Europe. Team Cymru’s Senior Threat Intel Advisor Will Thomas has urged security teams to review Microsoft’s February 2025 report on Sandworm to better understand the group’s tactics, techniques, and procedures. With Sandworm also tied to destructive wiper attacks on Ukraine’s education, government, and grain sectors in mid and late 2025, the Polish incident reinforces the need for robust backups, network segmentation, and proactive threat hunting in all critical infrastructure environments.