Russia’s Sandworm Blamed for Polish Power Grid Wiper Attack

Summary
– A Russian state-backed hacking group known as Sandworm has been attributed with a cyber-attack on Poland’s energy infrastructure in late December 2025, in which a wiper called DynoWiper was deployed.
– The security firm ESET made the attribution with medium confidence, citing a strong overlap with Sandworm’s previous wiper activities and tactics.
– The timing of the attack is notable as it coincides with the 10-year anniversary of Sandworm’s first known attack causing a blackout in Ukraine’s power grid in 2015.
– Polish Prime Minister Donald Tusk stated the attack was successfully repelled without disrupting critical infrastructure, but the government is accelerating new cybersecurity legislation.
– Sandworm has been highly active targeting Ukrainian energy and other critical systems since 2022, with attacks aimed at weakening the economy and demoralizing the population.
A significant cyber incident targeting Poland’s energy sector in late 2025 has been linked to a well-known Russian state-sponsored hacking collective. Security researchers have identified the group behind the attack as Sandworm, an entity also tracked as UAC-0113 and APT44, which is widely believed to operate under Russia’s military intelligence directorate, the GRU. The cybersecurity firm ESET stated that this group was responsible for a series of intrusions into Poland’s power grid infrastructure in the final days of December. According to their analysis, the attackers deployed a destructive piece of malware designed to wipe data from systems.
ESET principal threat intelligence researcher Robert Lipovsky detailed that the malware, named DynoWiper, was analyzed by his team. He noted there is no current evidence that the attack caused any successful operational disruption to the power supply. The attribution to Sandworm was made with what the firm describes as “medium confidence,” based on a strong correlation between the malware’s technical characteristics and the group’s established patterns of behavior. The tools, techniques, and procedures observed closely overlap with numerous previous wiper attacks orchestrated by Sandworm.
Investigations into the campaign are ongoing, but analysts suggest the timing may be symbolic. Lipovsky pointed out that the attack coincided with the ten-year anniversary of Sandworm’s historic operation against Ukraine’s power grid in December 2015, an event that caused the first-ever malware-induced blackout. That earlier incident used BlackEnergy malware to compromise electrical substations, leaving approximately 230,000 people without electricity for hours.
Since Russia’s full-scale invasion of Ukraine in 2022, Sandworm has maintained a relentless focus on critical infrastructure. The group has repeatedly targeted Ukrainian energy, heating, and water facilities, often aiming to compound the damage from physical missile strikes. Throughout 2025, the group was also active deploying other data wipers like Zerolot and Sting against government and logistics entities. The strategic objective behind these sustained cyber campaigns is widely viewed as an effort to cripple economic stability and undermine public morale, thereby applying pressure on governments.
In response to the incident, Polish Prime Minister Donald Tusk confirmed that the country’s defenses successfully neutralized the threat to its energy infrastructure. He assured the public that at no point was the nation’s critical power transmission network or overall system safety compromised. “The systems we have in Poland today proved effective,” Tusk stated. Nevertheless, the event has accelerated governmental efforts to bolster national cyber defenses.
The Polish government is now prioritizing the finalization and implementation of a National Cybersecurity System Act, which will transpose the broader European NIS2 Directive into national law. This legislation aims to impose stricter mandates for risk management, security for both information technology and operational technology systems, and incident response protocols. Tusk emphasized a push for greater technological autonomy, stating the goal is to equip Polish institutions with tools to protect against foreign interference and to “Polonize” security systems wherever possible. The late-December attack specifically targeted two combined heat and power plants along with a renewable energy installation.
(Source: InfoSecurity Magazine)