The Russian nation-state hacking group Sandworm has been linked to an incident in late December 2025 that Polish officials have described as the largest cyber attack yet on the country’s power infrastructure.
The attempted attack, however, failed to cause any disruptions, according to Poland’s Energy Minister, Milosz Motyka.
“The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years,” Motyka said.
Details of the Attempted Attack
Slovak cybersecurity firm ESET attributed the attack to Sandworm, identifying the use of a previously undocumented wiper malware dubbed DynoWiper. ESET based the attribution on overlap between this activity and earlier Sandworm wiper operations, including their links to Russia's military activities, that the firm has tracked as far back as 2022.
Key facts about the attack:
1. Timing: the attacks occurred between December 29 and 30, 2025
2. Targets: two combined heat and power plants, plus a management system for renewable energy sources such as wind and photovoltaic farms
3. Impact: no successful disruption reported
Polish Prime Minister Donald Tusk emphasized the nation’s preparedness, noting additional safeguards and new cybersecurity legislation are being prepared to strengthen risk management, IT/OT protection, and incident response.
Historical Context
The attempted December 2025 attack coincides with the 10th anniversary of Sandworm’s 2015 strike against Ukraine’s power grid, which used BlackEnergy and KillDisk malware to cause a 4–6 hour outage affecting 230,000 people in the Ivano-Frankivsk region.
Beyond its attacks on Ukraine, Sandworm has run a series of destructive malware campaigns against critical infrastructure over the years it has operated as a nation-state group. Examples include:
1. PathWiper: Data wiper used against Ukrainian critical infrastructure in June 2025
2. ZEROLOT and Sting: Wiper attacks targeting a Ukrainian university network
3. Multiple wiper variants deployed against governmental, energy, logistics, and agricultural sectors between June and September 2025
“Fast forward a decade, and Sandworm continues to target entities operating in critical infrastructure sectors,” ESET noted.
Implications
The failed attack on Poland shows that nation-state actors continue to refine their ability to build and execute destructive attacks on critical infrastructure. Even though it caused no disruption, the incident underlines the importance of:
1. Visibility into both IT and OT networks.
2. Effective access restrictions and enforced network segmentation.
3. Updating incident response plans and procedures to specifically address wiper malware.
4. Working with cybersecurity firms that can detect and report early-stage indicators of intrusion.
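As an added illustration of points 1 and 3 above (visibility and incident-response readiness for wipers), the following Python is a small detection heuristic written for this page. It is not code from the article, from ESET, or from the Polish authorities, and it does not describe how DynoWiper itself behaves. The log format, field names, host name, process names, thresholds and every event in the sample are constructed. It flags two generic wiper-like patterns in endpoint file-event logs: a single process overwriting or deleting many files across several directories within a short window, and any direct write to a block device.

```python
"""
Heuristic detection of wiper-like file activity in endpoint file-event logs.
Added example for this article; not code from the article, ESET or any
vendor, and not a description of DynoWiper. The log format, host, process
names, thresholds and events below are all constructed.
"""
import json
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON object per file event, roughly what an EDR
# or auditd forwarder might emit. Every value is invented.
SAMPLE_LOG = """
{"ts":"2025-12-29T22:10:00Z","host":"ot-gw-01","pid":812,"proc":"journald","op":"write","path":"/var/log/syslog"}
{"ts":"2025-12-29T22:10:01Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/home/op/docs/plan.xlsx"}
{"ts":"2025-12-29T22:10:01Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/home/op/docs/notes.txt"}
{"ts":"2025-12-29T22:10:02Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/home/op/docs/report.pdf"}
{"ts":"2025-12-29T22:10:02Z","host":"ot-gw-01","pid":2210,"proc":"tmpclean","op":"delete","path":"/tmp/cache1.bin"}
{"ts":"2025-12-29T22:10:03Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/etc/hosts"}
{"ts":"2025-12-29T22:10:03Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/etc/fstab"}
{"ts":"2025-12-29T22:10:04Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/etc/passwd"}
{"ts":"2025-12-29T22:10:04Z","host":"ot-gw-01","pid":2210,"proc":"tmpclean","op":"delete","path":"/tmp/cache2.bin"}
{"ts":"2025-12-29T22:10:05Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/opt/hmi/cfg/tags.xml"}
{"ts":"2025-12-29T22:10:05Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/opt/hmi/cfg/alarms.xml"}
{"ts":"2025-12-29T22:10:06Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"overwrite","path":"/opt/hmi/cfg/trends.xml"}
{"ts":"2025-12-29T22:10:07Z","host":"ot-gw-01","pid":7731,"proc":"upd","op":"write","path":"/dev/sda"}
{"ts":"2025-12-29T22:10:08Z","host":"ot-gw-01","pid":812,"proc":"journald","op":"write","path":"/var/log/syslog"}
"""

WINDOW = timedelta(seconds=10)   # sliding window evaluated per process
MIN_FILES = 8                    # distinct files hit within the window ...
MIN_DIRS = 3                     # ... spread across at least this many directories
DESTRUCTIVE_OPS = {"overwrite", "delete", "truncate"}
RAW_DEVICE_PREFIXES = ("/dev/sd", "/dev/nvme", "/dev/mapper/")


def parse_events(text):
    """Parse JSON-lines file events into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    return events


def detect_wiper_activity(events, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return alerts for two wiper-like patterns:
    - destructive_burst: one process overwrites/deletes many distinct files
      across several directories within a short window;
    - raw_device_write: a process writes directly to a block device, which is
      how partition tables and boot sectors get destroyed.
    """
    alerts = []
    recent = defaultdict(list)   # (host, pid, proc) -> [(ts, path), ...] inside the window
    already_flagged = set()

    for e in events:
        key = (e["host"], e["pid"], e["proc"])

        if e["path"].startswith(RAW_DEVICE_PREFIXES) and e["op"] in DESTRUCTIVE_OPS | {"write"}:
            alerts.append({"rule": "raw_device_write", "host": e["host"], "pid": e["pid"],
                           "proc": e["proc"], "path": e["path"], "ts": e["ts"]})

        if e["op"] not in DESTRUCTIVE_OPS:
            continue

        bucket = recent[key]
        bucket.append((e["ts"], e["path"]))
        cutoff = e["ts"] - window
        while bucket and bucket[0][0] < cutoff:
            bucket.pop(0)        # expire events that fell outside the window

        files = {path for _, path in bucket}
        dirs = {posixpath.dirname(path) for path in files}
        if len(files) >= min_files and len(dirs) >= min_dirs and key not in already_flagged:
            already_flagged.add(key)   # one alert per process burst, not per file
            alerts.append({"rule": "destructive_burst", "host": e["host"], "pid": e["pid"],
                           "proc": e["proc"], "files": len(files), "dirs": len(dirs), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_activity(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the detector raises two alerts, both for pid 7731: a destructive_burst once eight files in three directories have been touched, and a raw_device_write for the /dev/sda write; the routine temp-file cleanup by pid 2210 stays below the thresholds. The thresholds are deliberately conservative and would be tuned per host class (an HMI workstation and a log server have very different legitimate write patterns), which is exactly the kind of baseline the visibility point above calls for.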
Source: The Hacker News