The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the “largest cyber attack” targeting Poland’s power system in the last week of December 2025.
The attack was unsuccessful, the country’s energy minister, Milosz Motyka, said last week.
“The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years,” Motyka was quoted as saying.
According to a new report by ESET, the attack was the work of Sandworm, which deployed a previously undocumented wiper malware codenamed DynoWiper (aka Win32/KillFiles.NMO). The links to Sandworm are based on overlaps with prior wiper activity associated with the adversary, particularly in the aftermath of Russia’s military invasion of Ukraine in February 2022.
The Slovakian cybersecurity company, which identified the use of the wiper as part of the attempted disruptive attack aimed at the Polish energy sector on December 29, 2025, said there is no evidence of successful disruption.
The December 29 and 30, 2025, attacks targeted two combined heat and power (CHP) plants, as well as a system enabling the management of electricity generated from renewable energy sources such as wind turbines and photovoltaic farms, the Polish government said.
“Everything indicates that these attacks were prepared by groups directly linked to the Russian services,” Prime Minister Donald Tusk said, adding the government is readying extra safeguards, including a key cybersecurity legislation that will impose strict requirements on risk management, protection of information technology (IT) and operational technology (OT) systems, and incident response.
It’s worth noting that the activity occurred on the tenth anniversary of the Sandworm’s attack against the Ukrainian power grid in December 2015, which led to the deployment of the BlackEnergy malware, plunging parts of the Ivano-Frankivsk region of Ukraine into darkness.
The trojan, which was used to plant a wiper malware dubbed KillDisk, caused a 4–6 hour power outage for approximately 230,000 people.
“Sandworm has a long history of disruptive cyber attacks, especially on Ukraine’s critical infrastructure,” ESET said. “Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors.”
In June 2025, Cisco Talos said a critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper that shares some level of functional overlap with Sandworm’s HermeticWiper.
The Russian hacking group has also been observed deploying data-wiping malware, such as ZEROLOT and Sting, in a Ukrainian university network, followed by serving multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors between June and September 2025.
