A significant cyberattack targeting Poland’s power grid in late December 2025 has been attributed to the notorious Russia-aligned Advanced Persistent Threat group known as Sandworm, signaling a potential escalation in digital warfare against critical national infrastructure. The operation, described as the largest of its kind against Poland in recent years, utilized a newly identified data-wiping malware that cybersecurity firm ESET has named “DynoWiper.” This incident serves as a stark reminder of the sophisticated and persistent threats posed by state-sponsored actors, whose objectives often extend beyond espionage to include tangible, real-world disruption. The attack’s methods and timing suggest a deliberate and calculated message, echoing some of the most infamous infrastructure attacks in history and raising concerns about the security of essential services across Europe and beyond. The ongoing investigation into the full scope of the intrusion continues to reveal a complex and multi-layered operation designed for maximum psychological and operational impact.
The Digital Fingerprints and Weapon of Choice
The attribution of the attack to Sandworm, made with what ESET researchers describe as “medium confidence,” is built upon a meticulous analysis of the digital evidence left behind. This assessment stems from a “strong overlap” observed between the Tactics, Techniques, and Procedures (TTPs) employed in this intrusion and those seen in numerous prior destructive cyber campaigns widely associated with the group, a known unit within Russia’s military intelligence. The operational signatures, particularly the choice of a destructive wiper payload designed to erase data and render systems useless, are considered hallmarks of Sandworm’s established modus operandi. This preference for disruptive over stealthy tools aligns perfectly with the group’s history of prioritizing chaos and incapacitation of its targets, making the link a compelling one for investigators who have tracked the group’s evolution over the past decade. The consistency in their approach provides a clear, albeit unsettling, pattern of behavior.
At the heart of this operation was the destructive tool DynoWiper, a piece of malware engineered with the explicit purpose of erasing data and rendering computer systems inoperable. Security products now detect this specific threat under the signature Win32/KillFiles.NMO. While the complete intended impact of the DynoWiper deployment is still being pieced together, the very nature of the malware points towards a clear objective of causing significant disruption rather than engaging in espionage or seeking financial gain. Despite the severity of the malware and the high-profile nature of the target, public statements have indicated that no successful disruption is known to have occurred as a result of this attack. This outcome suggests that the targeted entity’s defensive measures and incident response protocols may have been robust enough to mitigate the ultimate operational impact on the power grid, preventing a potentially catastrophic blackout and highlighting the critical importance of proactive cybersecurity postures.
A Deliberate Echo of Past Aggressions
A crucial element highlighted by investigators is the profoundly strategic timing of the operation against Poland’s energy system. The attack was deliberately executed on the tenth anniversary of Sandworm’s infamous 2015 cyberattack against Ukraine’s power grid, a watershed moment in the history of cyber warfare. That historic event marked the first time a power outage was successfully and publicly attributed to a malware-facilitated cyberattack. During the December 2015 incident, Sandworm deployed the notorious BlackEnergy malware to infiltrate the networks of several Ukrainian electrical substations. After gaining access, the operators then remotely manipulated industrial control systems, which led to a widespread blackout that affected approximately 230,000 people for several hours. By precisely timing the 2025 attack to coincide with this anniversary, the perpetrators sent a clear and intimidating message, underscoring their advanced capabilities and their long-standing, unwavering focus on energy infrastructure as a primary target.
Revisiting the technical debate surrounding the 2015 attack provides critical context for understanding these modern threats. An in-depth analysis from SANS challenged simplistic narratives, asserting that while malware was integral to enabling the attack, it did not directly cause the outage on its own. The ‘KillDisk’ component, a wiper similar in function to DynoWiper, was crucial for providing access and disabling systems, but the final blackout was likely the result of direct, manual actions taken by the human operators after they had compromised the networks. This important distinction emphasizes the blended nature of sophisticated infrastructure attacks, where malware serves as a powerful tool for access and disruption, but the final, decisive act is often executed with the expertise and precision of a skilled operator. This human-in-the-loop approach demonstrates a level of control and intent that goes far beyond automated malware deployment, making such threats far more difficult to defend against.
The Dual Threat of Destruction and Espionage
The attack on Poland was not viewed as an isolated event but as part of a broader, sustained campaign by Sandworm and other Russian-aligned threat actors against critical infrastructure, particularly in Ukraine and Eastern Europe. An ESET APT Activity Report covering the period from April to September 2025 noted that Sandworm was observed conducting wiper attacks against Ukrainian targets on a regular basis, solidifying its reputation as a persistent agent of digital disruption. This pattern of aggression extended beyond a single tool or tactic. Research from Symantec and Carbon Black in October 2025 detailed other Russian-linked intrusions against Ukrainian entities, including a major business services company and a local government body. In those cases, the attackers employed stealthier methods to achieve objectives of data theft and long-term persistence, utilizing a custom webshell linked to Sandworm and relying heavily on “living-off-the-land” (LOTL) techniques to evade detection. This dual approach of combining loud, destructive attacks with quiet, persistent intrusions demonstrated the versatility and strategic depth of the group’s operations. Further evidence of this long-term persistence was provided when Ukraine’s cyber spy chief revealed that Russian hackers had been present inside the network of Kyivstar, the country’s largest telecommunications provider, since at least May 2023. This long-term embedded access highlighted the profound and enduring threat these groups posed to national security.