Russian Sandworm Group Targets Poland’s Energy Grid with DynoWiper Malware

3 min read. Source: BleepingComputer

Russian APT Sandworm attempted an unsuccessful wiper attack on Poland’s power infrastructure in December 2025 using the newly identified DynoWiper malware. Technical analysis and mitigation steps follow.

Russian APT Sandworm Attempts Destructive Wiper Attack on Poland’s Energy Sector

A cyberattack targeting Poland’s power grid in late December 2025 has been attributed to Sandworm, a Russian state-sponsored advanced persistent threat (APT) group. The attackers attempted to deploy DynoWiper, a newly identified destructive malware designed to erase data and disrupt critical infrastructure operations. The attack was ultimately unsuccessful, though forensic analysis reveals significant technical sophistication.

Technical Details of the Attack

Security researchers investigating the incident confirmed that Sandworm, also known as APT44 or Voodoo Bear, leveraged DynoWiper in the assault. The malware exhibits characteristics typical of wiper strains, including:

  • File corruption capabilities targeting system-critical and operational data
  • Persistence mechanisms to evade detection during lateral movement
  • Network propagation techniques to maximize impact across interconnected systems

While the exact initial infection vector remains under investigation, historical Sandworm tactics suggest phishing, supply chain compromise, or exploitation of unpatched vulnerabilities (e.g., CVE-2023-23397 in Microsoft Outlook) as likely entry points. The attack occurred amid heightened geopolitical tensions, aligning with Russia’s pattern of cyber operations against NATO-aligned critical infrastructure.

Impact and Attribution

Though the attack failed to cause operational disruption, its implications are severe:

  • Potential for cascading failures: A successful wiper deployment could have triggered blackouts or prolonged outages by corrupting industrial control system (ICS) configurations.
  • Escalation of hybrid warfare: The incident underscores Russia’s continued use of cyberattacks as a tool of geopolitical coercion.
  • Erosion of trust in critical infrastructure: Repeated targeting of energy sectors may force costly defensive upgrades across Europe.

Attribution to Sandworm is based on tactics, techniques, and procedures (TTPs) observed in prior attacks, including the 2015/2016 Ukrainian power grid blackouts and the 2017 NotPetya wiper campaign. Poland’s Computer Emergency Response Team (CERT.PL) and private sector partners are collaborating on a full forensic analysis.

Mitigation and Recommendations

Security teams at energy providers and critical infrastructure operators should:

  1. Isolate ICS networks from corporate IT environments using strict segmentation.
  2. Deploy endpoint detection and response (EDR) solutions capable of identifying wiper malware behaviors.
  3. Enforce multi-factor authentication (MFA) for all remote access to operational technology (OT) systems.
  4. Conduct tabletop exercises to simulate wiper attacks and validate incident response plans.
  5. Monitor for indicators of compromise (IOCs) associated with DynoWiper, which will be released by CERT.PL in the coming days.
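Item 2 above calls for EDR tooling that recognizes wiper behaviour. As an added example (not from the article, CERT.PL or any EDR product), the Python below encodes one such behavioural rule over a constructed, hypothetical file-event log: it alerts when a single process overwrites or deletes many distinct files across several directories within a short window, which is the pattern of mass file corruption regardless of the specific sample. The log format, host, process names and paths are all assumptions.

```python
# Added example (not from the article, CERT.PL or any EDR product): a
# behavioural heuristic an EDR rule can encode for wiper-style activity, i.e.
# one process overwriting/deleting many files across many directories quickly.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in a hypothetical "timestamp|host|pid|process|event|path"
# file-event format; histlog.exe is benign, svc_update.exe plays the wiper.
SAMPLE_LOG = r"""
2025-12-29T03:10:01|hmi-01|800|histlog.exe|WRITE|C:\ICS\logs\hist-0310.log
2025-12-29T03:10:05|hmi-01|4120|svc_update.exe|WRITE|C:\ICS\cfg\breaker01.ini
2025-12-29T03:10:05|hmi-01|4120|svc_update.exe|WRITE|C:\ICS\cfg\breaker02.ini
2025-12-29T03:10:06|hmi-01|4120|svc_update.exe|WRITE|C:\ICS\hmi\screens\main.xml
2025-12-29T03:10:06|hmi-01|4120|svc_update.exe|DELETE|C:\ICS\hmi\screens\alarms.xml
2025-12-29T03:10:07|hmi-01|4120|svc_update.exe|WRITE|C:\Windows\System32\drivers\etc\hosts
2025-12-29T03:10:08|hmi-01|4120|svc_update.exe|WRITE|C:\Users\op\Documents\shift.docx
2025-12-29T03:10:09|hmi-01|800|histlog.exe|WRITE|C:\ICS\logs\hist-0310.log
"""
DESTRUCTIVE = {"WRITE", "DELETE", "RENAME"}  # events that replace or remove content

def parse_events(text):
    # Parse pipe-separated lines into dicts with a datetime timestamp.
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, pid, proc, event, path = line.split("|", 5)
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "pid": pid,
                           "process": proc, "event": event, "path": path})
    return events

def find_wiper_candidates(events, window=timedelta(seconds=60), min_files=5, min_dirs=3):
    # One alert per process whose destructive events inside any sliding window touch
    # >= min_files distinct files in >= min_dirs directories (counts at first crossing).
    by_proc = defaultdict(list)
    for e in events:
        if e["event"] in DESTRUCTIVE:
            by_proc[(e["host"], e["pid"], e["process"])].append(e)
    alerts = []
    for (host, pid, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            win = evs[start:end + 1]
            files = {e["path"] for e in win}
            dirs = {e["path"].rsplit("\\", 1)[0] for e in win}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"host": host, "pid": pid, "process": proc, "files": len(files),
                               "dirs": len(dirs), "at": evs[end]["ts"].isoformat()})
                break
    return alerts
```

Thresholds and window should be tuned per environment so routine historian or backup activity in one directory does not trip the rule, as the benign process in the sample shows.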

The incident serves as a stark reminder of the persistent threat posed by state-sponsored actors to critical infrastructure. Organizations are urged to prioritize resilience against destructive malware, particularly in sectors vital to national security.