The Russian nation-state hacking group generally known as Sandworm has been attributed to what has been described because the “largest cyber assault” concentrating on Poland’s energy system within the final week of December 2025.
The assault was unsuccessful, the nation’s power minister, Milosz Motyka, mentioned final week.
“The command of the our on-line world forces has identified within the final days of the 12 months the strongest assault on the power infrastructure in years,” Motyka was quoted as saying.
In accordance with a new report by ESET, the assault was the work of Sandworm, which deployed a beforehand undocumented wiper malware codenamed DynoWiper. The hyperlinks to Sandworm are based mostly on overlaps with prior wiper exercise related to the adversary, significantly within the aftermath of Russia’s army invasion of Ukraine in February 2022.
The Slovakian cybersecurity firm, which recognized using the wiper as a part of the tried disruptive assault aimed on the Polish power sector on December 29, 2025, mentioned there isn’t a proof of profitable disruption.
The December 29 and 30, 2025, assaults focused two mixed warmth and energy (CHP) vegetation, in addition to a system enabling the administration of electrical energy generated from renewable power sources comparable to wind generators and photovoltaic farms, the Polish authorities mentioned.
“Every part signifies that these assaults had been ready by teams immediately linked to the Russian providers,” Prime Minister Donald Tusk mentioned, including the federal government is readying further safeguards, together with a key cybersecurity laws that may impose strict necessities on danger administration, safety of data expertise (IT) and operational expertise (OT) methods, and incident response.
It is value noting that the exercise occurred on the tenth anniversary of the Sandworm’s assault in opposition to the Ukrainian energy grid in December 2015, which led to the deployment of the BlackEnergy malware, plunging components of the Ivano-Frankivsk area of Ukraine into darkness.
The trojan, which was used to plant a wiper malware dubbed KillDisk, induced a 4–6 hour energy outage for roughly 230,000 individuals.
“Sandworm has a protracted historical past of disruptive cyber assaults, particularly on Ukraine’s essential infrastructure,” ESET mentioned. “Quick ahead a decade and Sandworm continues to focus on entities working in numerous essential infrastructure sectors.”
In June 2025, Cisco Talos mentioned a essential infrastructure entity inside Ukraine was focused by a beforehand unseen information wiper malware named PathWiper that shares some stage of purposeful overlap with Sandworm’s HermeticWiper.
The Russian hacking group has additionally been noticed deploying data-wiping malware, comparable to ZEROLOT and Sting, in a Ukrainian college community, adopted by serving a number of data-wiping malware variants in opposition to Ukrainian entities energetic within the governmental, power, logistics, and grain sectors between June and September 2025.
