Poland Repels Suspected Russia-Linked Cyberattack Targeting Renewable Energy Grid Communications
Polish officials reported thwarting what they described as the most serious cyberattack on the country’s energy infrastructure in years, saying the intrusion came close to causing a widespread power outage. The attempted disruption occurred in the final days of December and targeted communications links between multiple renewable energy installations—such as solar farms and wind turbines—and electricity distribution operators across large parts of Poland, in what authorities characterized as a coordinated sabotage effort.
Digital Affairs Minister Krzysztof Gawkowski said the incident, which came “very close to a blackout,” appeared to be a deliberate attempt to cut power to Polish citizens and that “everything points to Russian sabotage,” though officials did not provide technical details, name a specific threat actor, or disclose the defensive measures implemented afterward. The incident reflects a broader pattern of increased Russia-linked cyber activity against Polish critical infrastructure since Russia’s 2022 invasion of Ukraine, alongside ongoing kinetic strikes on Ukraine’s energy system that Ukrainian authorities have described as creating an “unprecedented” energy crisis.
Related Stories

Sandworm-Linked DynoWiper Used in Failed Attack on Poland’s Energy Infrastructure
Polish officials reported a **failed late-December cyberattack** targeting the country’s energy infrastructure, described by Energy Minister Milosz Motyka as the “strongest attack” on the sector in years. The activity on December 29–30 targeted **two combined heat and power (CHP) plants** and attempted to disrupt systems and communications supporting electricity management from **renewable sources** (including wind and photovoltaic installations) and their links to power distribution operators; local reporting indicated the impact could have been significant if successful. Security firm **ESET** said the attempted disruptive operation involved a previously undocumented **wiper** malware it named **DynoWiper**, designed to irreversibly destroy data and render systems inoperable. ESET attributed the activity with **medium confidence** to **Sandworm** (a GRU-linked threat actor) based on overlaps with prior Sandworm-associated destructive campaigns, particularly against Ukraine’s energy sector; Polish leadership publicly blamed Russia-linked groups and indicated additional safeguards and cybersecurity legislation were being prepared to strengthen IT/OT risk management and incident response. Both reports noted the timing was close to the **10-year anniversary** of Sandworm’s 2015 attacks on Ukraine’s power grid.
1 month ago
Sandworm Accused of Cyberattack on Poland’s Power Grid
Polish authorities and reporting tied to **ESET research** attributed a disruptive cyber incident affecting Poland’s electricity grid to **Russia-linked threat actors**, with **Sandworm** named as the likely operator behind the operation in late 2025. The incident was characterized as a targeted attack on critical infrastructure, reinforcing ongoing concerns about state-aligned activity against European energy networks. A separate malware-newsletter roundup recirculated the attribution as one of many items, while an unrelated CSO Online feature focused on forward-looking **CISO predictions for 2026** and did not provide incident-specific details. Executive teams should treat the Poland grid activity as part of the broader pattern of **Russian state-linked** operations against OT/ICS environments, with emphasis on validating segmentation, monitoring for lateral movement into OT, and ensuring incident response playbooks cover grid/industrial disruption scenarios.
1 month ago
Static Tundra Sabotage Attempts Against Poland’s Energy Sector Using DynoWiper
CERT Polska reported **late-2025 sabotage activity** against Poland’s energy sector attributed to the threat actor **Static Tundra**, including coordinated intrusions affecting renewable energy facilities, a large combined heat and power (CHP) plant, and an energy-linked manufacturer. The activity showed a shift from espionage to disruption, including an operational technology (OT) incident in which attackers reached a renewable facility’s **Grid Control Point (GCP)** and executed a shutdown of industrial automation devices. Investigators also observed targeting of **Moxa NPort** serial-to-Ethernet devices, including password changes to lock out operators and deployment of corrupted firmware that could prevent controller startup and require manual recovery. The same reporting described two destructive malware families, **DynoWiper** and **LazyWiper**, used to render systems and data unrecoverable; DynoWiper was documented deleting files from **Mikronika RTU controllers**, while LazyWiper appeared to provide redundant destructive capability. Separately, an opinion piece highlighted that attempted disruption of the Polish distribution grid was **rebuffed and reported**, and used the Poland case (alongside speculative discussion of Venezuela) to argue that energy infrastructure attacks are becoming more common; it provided limited additional technical detail beyond noting ambiguity around attribution and the broader trend toward “democratized” attack tooling.
1 month ago