Ravie LakshmananJan 24, 2026Malware / Important Infrastructure
The Russian nation-state hacking group often called Sandworm has been attributed to what has been described because the “largest cyber assault” concentrating on Poland’s energy system within the final week of December 2025.
The assault was unsuccessful, the nation’s power minister, Milosz Motyka, stated final week.
“The command of the our on-line world forces has identified within the final days of the yr the strongest assault on the power infrastructure in years,” Motyka was quoted as saying.
In keeping with a brand new report by ESET, the assault was the work of Sandworm, which deployed a beforehand undocumented wiper malware codenamed DynoWiper. The hyperlinks to Sandworm are based mostly on overlaps with prior wiper exercise related to the adversary, notably within the aftermath of Russia’s navy invasion of Ukraine in February 2022.
The Slovakian cybersecurity firm, which recognized using the wiper as a part of the tried disruptive assault aimed on the Polish power sector on December 29, 2025, stated there isn’t any proof of profitable disruption.
The December 29 and 30, 2025, assaults focused two mixed warmth and energy (CHP) crops, in addition to a system enabling the administration of electrical energy generated from renewable power sources similar to wind generators and photovoltaic farms, the Polish authorities stated.
“The whole lot signifies that these assaults had been ready by teams instantly linked to the Russian companies,” Prime Minister Donald Tusk stated, including the federal government is readying further safeguards, together with a key cybersecurity laws that may impose strict necessities on threat administration, safety of data expertise (IT) and operational expertise (OT) techniques, and incident response.
It is value noting that the exercise occurred on the tenth anniversary of the Sandworm’s assault in opposition to the Ukrainian energy grid in December 2015, which led to the deployment of the BlackEnergy malware, plunging elements of the Ivano-Frankivsk area of Ukraine into darkness.
The trojan, which was used to plant a wiper malware dubbed KillDisk, brought about a 4–6 hour energy outage for roughly 230,000 individuals.
“Sandworm has an extended historical past of disruptive cyberattacks, particularly on Ukraine’s essential infrastructure,” ESET stated. “Quick ahead a decade and Sandworm continues to focus on entities working in varied essential infrastructure sectors.”
In June 2025, Cisco Talos stated a essential infrastructure entity inside Ukraine was focused by a beforehand unseen knowledge wiper malware named PathWiper that shares some degree of purposeful overlap with Sandworm’s HermeticWiper.
The Russian hacking group has additionally been noticed deploying data-wiping malware, similar to ZEROLOT and Sting, in a Ukrainian college community, adopted by serving a number of data-wiping malware variants in opposition to Ukrainian entities lively within the governmental, power, logistics, and grain sectors between June and September 2025.
