Poland Thwarts Massive Cyber Assault on Energy Infrastructure Linked to Russian Hackers

 

The Russian nation-state hacking group known as Sandworm has been linked to what officials have described as the “largest cyber attack” targeting Poland’s power system during the last week of December 2025.

However, the attack failed, according to the country’s energy minister, Milosz Motyka, who spoke last week.

“The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years,” Motyka said.

ESET Attributes the Attack to Sandworm

Meanwhile, a new report from ESET attributes the attack to Sandworm, which deployed a previously undocumented wiper malware dubbed DynoWiper (also known as Win32/KillFiles.NMO). Researchers based the attribution on overlaps with earlier wiper campaigns tied to the group, particularly those that followed Russia’s military invasion of Ukraine in February 2022.

Additionally, the Slovak cybersecurity firm confirmed that the attackers used the wiper during an attempted disruptive operation against Poland’s energy sector on December 29, 2025. Nevertheless, the company found no evidence of successful disruption.

According to the Polish government, the attackers targeted two combined heat and power (CHP) plants on December 29 and 30, 2025. At the same time, they targeted a system that manages electricity generated from renewable energy sources, including wind turbines and photovoltaic farms.

Polish Government Points to Russian Intelligence Links

“Everything indicates that these attacks were prepared by groups directly linked to the Russian services,” Prime Minister Donald Tusk said. He added that the government is preparing additional safeguards, including key cybersecurity legislation that will impose strict requirements on risk management, protection of information technology (IT) and operational technology (OT) systems, as well as incident response.

Notably, the activity coincided with the tenth anniversary of Sandworm’s attack against Ukraine’s power grid in December 2015. That earlier incident involved the deployment of BlackEnergy malware and plunged parts of Ukraine’s Ivano-Frankivsk region into darkness.

The trojan enabled attackers to deploy a wiper malware known as KillDisk, which triggered a power outage lasting between four and six hours and affected approximately 230,000 people.

Sandworm’s Longstanding Focus on Critical Infrastructure

“Sandworm has a long history of disruptive cyber attacks, especially on Ukraine’s critical infrastructure,” ESET said. “Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors.”

In June 2025, Cisco Talos reported that attackers targeted a critical infrastructure entity in Ukraine using a previously unseen data-wiping malware named PathWiper, which shares functional similarities with Sandworm’s HermeticWiper.

Furthermore, researchers have observed the group deploying additional data-wiping malware, including ZEROLOT and Sting, within a Ukrainian university network. Subsequently, attackers launched multiple data-wiping malware variants against Ukrainian organizations operating across the government, energy, logistics, and grain sectors between June and September 2025.

 


Source: TheHackerNews
