Sandworm Hackers Linked to Failed Wiper Attack on Poland’s Energy Infrastructure
A late December 2025 cyberattack targeting Poland’s energy sector has been linked to the Russian state-aligned threat group Sandworm, according to new findings from security researchers. While the attack ultimately failed to cause widespread disruption, investigators say it involved an attempted deployment of a destructive data wiper designed to render systems unusable.
The incident adds to a long history of disruptive operations attributed to Sandworm, a group widely associated with cyberattacks against critical infrastructure across Eastern Europe. Although no large-scale outages were reported, the operation highlights persistent efforts to sabotage energy environments through destructive malware.
Timeline of the December Attack
The activity took place between December 29 and December 30, 2025, when attackers attempted to compromise systems connected to Poland’s energy operations. Targets included two combined heat-and-power plants as well as a management platform responsible for overseeing renewable energy sources such as wind and photovoltaic generation.
Polish authorities confirmed that while malicious activity was detected, operational impact was limited. The attempted attack did not result in sustained outages or irreversible damage to energy production.
The DynoWiper Payload
Researchers identified the malware involved as a new destructive wiper, internally tracked as DynoWiper. The malware is designed to delete or corrupt critical files, effectively disabling affected systems and preventing recovery through conventional means.
Security firm ESET classified the wiper as Win32/KillFiles.NMO and associated it with the SHA-1 hash 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6. Despite this identification, no public malware samples have been uploaded to common repositories, suggesting the attack was either narrowly scoped or disrupted early.
Attribution to Sandworm
Analysts assessing the incident linked the operation to Sandworm based on tooling, techniques, and targeting patterns consistent with the group’s previous campaigns. Sandworm has been repeatedly associated with attacks on power grids, industrial control systems, and government networks.
The group is best known for past operations that caused real-world disruption, including blackouts and destructive data loss. This latest incident appears to follow a similar playbook, even though the intended outcome was not fully realized.
Why the Attack Failed
Officials indicated that defensive measures and rapid detection played a key role in limiting the damage. Segmentation between operational technology and IT systems, along with monitoring of abnormal behavior, likely prevented the wiper from spreading widely.
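To make the two defensive checks above concrete, here is an added example (not code from the article, ESET, or any Polish operator): it sweeps a directory tree for the DynoWiper SHA-1 quoted earlier, and runs a simple sliding-window rule over file-deletion telemetry to flag the burst of deletions a wiper produces. Hostnames, the event tuple format, and the threshold are constructed assumptions; any real deployment would tune the threshold against its own baseline.

```python
import hashlib
import os
from collections import deque
from datetime import datetime, timedelta

DYNOWIPER_SHA1 = "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6"  # value ESET reported (from the article), lowercased

def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory byte string as lowercase hex."""
    return hashlib.sha1(data).hexdigest()

def sha1_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_ioc_matches(root: str, ioc: str = DYNOWIPER_SHA1) -> list:
    """Walk a directory tree; return every path whose SHA-1 equals the IoC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if sha1_of_file(path) == ioc:
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
    return hits

def deletion_bursts(events, threshold=5, window=timedelta(seconds=10)) -> list:
    """events: (timestamp, host, action) tuples. Return hosts with at least
    `threshold` FILE_DELETE events inside any sliding `window` (crude wiper signal)."""
    recent, flagged = {}, set()
    for ts, host, action in sorted(events):
        if action != "FILE_DELETE":
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return sorted(flagged)

# Constructed sample telemetry (hypothetical hostnames, not real logs): one HMI deletes
# six files in six seconds; a workstation deletes two files five minutes apart.
_T0 = datetime(2025, 12, 29, 23, 58, 0)
SAMPLE_EVENTS = [(_T0 + timedelta(seconds=i), "chp-hmi-01", "FILE_DELETE") for i in range(6)]
SAMPLE_EVENTS += [(_T0, "eng-ws-02", "FILE_DELETE"), (_T0 + timedelta(minutes=5), "eng-ws-02", "FILE_DELETE")]
```

Running `deletion_bursts(SAMPLE_EVENTS)` flags only the HMI; a hash hit from `find_ioc_matches` on an OT host should be treated as a confirmed-sample incident, while the burst rule is a trigger for investigation, not proof on its own.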
The absence of publicly recovered malware samples also suggests the attackers may not have achieved full execution of the payload across their intended targets.
Implications for Energy Security
Even a failed wiper attack carries strategic significance. Energy systems remain high-value targets due to their economic and societal importance, and repeated probing attempts indicate sustained interest from advanced threat actors.
Analysts recommend that operators review recent intelligence reporting on Sandworm activity and reassess defensive controls around industrial environments, particularly where renewable energy management systems intersect with traditional grid operations.
A Continuing Pattern of Disruption
The attempted DynoWiper deployment reinforces the view that destructive cyber operations remain an active component of geopolitical conflict. While this incident did not escalate into a major outage, it demonstrates continued intent to target civilian infrastructure.
For European energy operators, the case serves as a reminder that preparedness, visibility, and rapid response remain essential as threat actors refine tools aimed at causing physical and economic disruption through cyberspace.