A cyberattack described by Polish officials as the most serious assault on the country’s energy infrastructure in years has been linked to the Russian state-backed hacking group Sandworm. The incident happened during the final week of December 2025 and targeted parts of Poland’s power and energy systems.
Poland’s Energy Minister, Milosz Motyka, publicly stated that cybersecurity forces detected what he called the strongest attack on the nation’s energy sector in a long time. Despite the intensity of the operation, officials said the attack did not succeed in disrupting electricity services.

ESET: New wiper malware used in the operation
Cybersecurity firm ESET reported that the attack involved a previously unknown destructive malware strain classified as a wiper, meaning it is designed to erase data and disable systems rather than steal information.
ESET has named the newly discovered malware DynoWiper, noting that it had not been publicly documented before this incident.
The company attributed the operation to Sandworm based on technical and operational similarities with earlier wiper-focused attacks connected to the same threat actor, particularly campaigns seen after Russia’s military invasion of Ukraine in early 2022.
Importantly, ESET said there are no confirmed signs that the attackers successfully caused disruption.

What was targeted in Poland?
Polish authorities said the activity took place on December 29 and 30, 2025, and included targets such as:
- Two combined heat and power (CHP) plants
- A system used to manage electricity generated from renewable energy sources, including:
  - wind turbines
  - photovoltaic (solar) farms
Polish Prime Minister Donald Tusk stated that the attack appears connected to groups with direct ties to Russian state services. He added that Poland is preparing stronger protective measures, including plans for major cybersecurity legislation that will raise security standards across:
- risk management
- IT and OT (operational technology) protection
- incident detection and response

A symbolic timing: 10 years after Ukraine’s 2015 blackout
Security analysts have pointed out a disturbing coincidence: the attempted operation occurred around the 10-year anniversary of Sandworm’s well-known cyberattack against Ukraine’s power grid in December 2015.

That historic incident used BlackEnergy malware and included a destructive component (wiper) often referred to as KillDisk, which contributed to power outages lasting several hours and affected a large number of civilians.

Sandworm’s long record of disruptive attacks
ESET emphasized that Sandworm has consistently shown interest in critical infrastructure disruption, with Ukraine being a major target over the years.
In addition to this recent Poland case, other security teams have reported wiper-related incidents tied to Russian threat activity in 2025. For example:
- Cisco Talos disclosed that a critical infrastructure organization in Ukraine faced a new wiper malware named PathWiper, which showed functional similarities to previous Sandworm-linked destructive tools.
- Other campaigns have reportedly included multiple wiping malware families such as ZEROLOT and Sting, used in different Ukrainian environments including universities and organizations in sectors like:
  - government
  - energy
  - logistics
  - grain and agriculture

