Wiper Attack on Polish Power Grid Linked to Russia’s Sandworm

By Team-CWD, January 28, 2026


A cyber-attack on Poland’s energy infrastructure in late 2025 has been attributed to a prolific Russian state-backed APT group.

Sandworm (aka UAC-0113, APT44, and Seashell Blizzard) is thought to be part of the Russian military intelligence service known as the GRU. ESET claimed in a brief statement on Friday that the group was responsible for a series of attacks on Poland’s power grid in late December.

“The attackers deployed a wiper, which we analyzed and named DynoWiper. We’re not aware that any successful disruption occurred as a result of this attack,” explained ESET principal threat intelligence researcher, Robert Lipovsky.

“Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed.”


The campaign against Polish energy assets is still being investigated, but Lipovsky said the timing of the “coordinated cyber-attack” might be deliberate.

“It’s the 10-year anniversary of the Sandworm-orchestrated attack against the Ukrainian power grid – the first ever malware-facilitated blackout in December 2015,” he said. “When the APT group used the BlackEnergy malware to gain access to critical systems at several electrical substations, around 230,000 people were left without electricity for several hours.”

Sandworm has been highly active since Russia’s invasion of Ukraine in 2022, targeting energy infrastructure inside Ukraine on multiple occasions. In March 2024 it hit energy, heating and water facilities in 10 regions of the war-torn country in a bid to amplify the impact of missile strikes.

Then in both Q2 and Q3 2025 it deployed data wipers such as Zerolot and Sting against government, energy and logistics entities. The long-term goal of such attacks is to weaken the economy and demoralize the population, forcing the government to give in to the demands of the Putin administration.

Poland on High Alert

Polish prime minister, Donald Tusk, revealed earlier this month that the country had successfully repelled the destructive attack on its own energy infrastructure a few weeks earlier.

“The systems we have in Poland today proved effective,” he said. “At no point was critical infrastructure threatened, meaning the transmission networks and everything that determines the safety of the entire system.”

However, the government is rushing to finalize a National Cybersecurity System Act – its implementation of NIS2 – to mandate stricter requirements for risk management, IT and OT security, and incident response.

“I hope to implement this act as soon as possible,” said Tusk. “We will be equipping Polish institutions with tools to protect the market against systems and devices that would make it easier for foreign states to interfere and obtain information. We are striving for the autonomy and Polonization of security systems.”

The attack itself took place on December 29 and 30, 2025, and apparently targeted two combined heat and power (CHP) plants and a renewable energy system.


