Sandworm's DynoWiper Malware Foiled in Major Polish Power Grid Cyberattack

Source: The Hacker News

Russian APT group Sandworm deployed destructive DynoWiper malware in a failed late-December 2025 attack on Poland's energy infrastructure, officials confirm.

Russian APT Group Sandworm Targets Polish Power Sector with DynoWiper Malware

Poland's energy infrastructure was the target of a failed cyberattack in late December 2025, orchestrated by the Russian nation-state threat actor Sandworm. The attack, described by Energy Minister Milosz Motyka as the "largest cyber attack" on Poland's power system, involved the deployment of a new destructive malware strain dubbed DynoWiper. Poland's Cyberspace Forces Command successfully detected and mitigated the threat before it could disrupt operations.

Technical Details of the Attack

While specific indicators of compromise (IOCs) and technical analysis of DynoWiper remain limited, the malware's name suggests wiper functionality, designed to erase or corrupt data rather than exfiltrate it. Sandworm, a group linked to Russia's GRU military intelligence agency, has a history of deploying destructive malware, including:

  • NotPetya (2017) – A global wiper disguised as ransomware
  • Industroyer (2016) – Targeted Ukraine's power grid, causing blackouts
  • CaddyWiper (2022) – Used in attacks on Ukrainian organizations

The attack on Poland's power sector aligns with Sandworm's tactics, techniques, and procedures (TTPs), which often involve disrupting critical infrastructure for geopolitical leverage. The group has previously targeted energy sectors in Ukraine, the U.S., and Europe, making this latest attempt consistent with its strategic objectives.

Impact and Response

Poland's Cyberspace Forces Command confirmed that the attack was neutralized before causing damage, though details on the initial infection vector remain undisclosed. Minister Motyka emphasized the growing sophistication of cyber threats to national infrastructure, stating:

"The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on our energy sector to date."

The incident underscores the persistent risk posed by state-sponsored APT groups to industrial control systems (ICS) and operational technology (OT) environments. While Poland's defenses held, the attack serves as a warning for other nations to harden critical infrastructure against similar threats.

Recommendations for Security Teams

Organizations in the energy sector and other critical infrastructure should:

  1. Enhance Monitoring – Deploy anomaly detection for ICS/OT networks to identify wiper or destructive malware activity.
  2. Segment Networks – Isolate OT systems from corporate IT networks to limit lateral movement.
  3. Update Incident Response Plans – Ensure playbooks account for wiper malware and nation-state TTPs.
  4. Conduct Threat Hunting – Proactively search for Sandworm-related IOCs and living-off-the-land (LotL) techniques.
  5. Collaborate with CERTs – Share threat intelligence with national cybersecurity agencies to improve collective defense.

Conclusion

Though unsuccessful, the DynoWiper attack highlights the evolving cyber threat landscape for critical infrastructure. As state-sponsored groups refine their capabilities, defenders must prioritize resilience against destructive cyber operations. Poland's swift response demonstrates the importance of proactive cybersecurity measures in mitigating nation-state threats.

For further updates, follow threat intelligence reports from CERT Polska and industry-leading cybersecurity firms.