Sandworm-Linked DynoWiper Used in Failed Attack on Poland’s Energy Infrastructure
Polish officials reported a failed late-December cyberattack targeting the country’s energy infrastructure, described by Energy Minister Milosz Motyka as the “strongest attack” on the sector in years. The activity on December 29–30 targeted two combined heat and power (CHP) plants and attempted to disrupt systems and communications supporting electricity management from renewable sources (including wind and photovoltaic installations) and their links to power distribution operators; local reporting indicated the impact could have been significant if successful.
Security firm ESET said the attempted disruptive operation involved a previously undocumented wiper malware it named DynoWiper, designed to irreversibly destroy data and render systems inoperable. ESET attributed the activity with medium confidence to Sandworm (a GRU-linked threat actor) based on overlaps with prior Sandworm-associated destructive campaigns, particularly against Ukraine’s energy sector; Polish leadership publicly blamed Russia-linked groups and indicated additional safeguards and cybersecurity legislation were being prepared to strengthen IT/OT risk management and incident response. Both reporting noted the timing was close to the 10-year anniversary of Sandworm’s 2015 attacks on Ukraine’s power grid.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Elastic publishes technical analysis, indicators, and YARA for DynoWiper
On February 5, 2026, Elastic Security Labs released a technical analysis of a DynoWiper sample, describing its file-corruption behavior, exclusions, and reboot logic. Elastic also published hashes, IP indicators, a YARA rule, and noted that canary-based EDR protections had stopped overwriting on more than 100 machines at the CHP plant.
CERT Polska details operational impact and blocked wiper execution at CHP
The CERT report said the attacks disrupted communications and remote control at renewable sites but did not stop electricity generation, while the attempt to affect heat supply at the CHP plant failed. In the CHP environment, an EDR product reportedly blocked DynoWiper execution, preventing broader destruction.
CERT Polska reveals initial access via exposed FortiGate devices without MFA
CERT Polska said the attackers primarily gained access through internet-exposed Fortinet FortiGate VPN and firewall devices, often unpatched and lacking multi-factor authentication, then reused credentials and moved laterally through Active Directory. The report also described months of reconnaissance, credential theft, and attempts to access Microsoft 365 from on-premises credentials.
Poland's CERT publishes technical report and shifts attribution to Static Tundra
On January 30–31, 2026, CERT Polska released a technical report detailing coordinated attacks on 30-plus wind and solar farms, a manufacturing company, and a major CHP plant. CERT attributed the activity to Static Tundra, also tracked as Berserk Bear/Ghost Blizzard/Dragonfly and linked to Russia's FSB Center 16, creating a public attribution dispute with ESET and Dragos.
Dragos attributes campaign to ELECTRUM within Sandworm ecosystem
Dragos assessed with medium confidence that the operation was conducted by ELECTRUM, a cluster it says overlaps with the Sandworm/APT44 ecosystem, with KAMACITE possibly supporting access operations. The firm said the attackers likely exploited exposed network devices and vulnerabilities in RTUs and communications infrastructure.
Dragos says attack affected about 30 facilities and breached OT systems
On January 28, 2026, Dragos reported that the campaign compromised control and communications systems at roughly 30 distributed energy facilities and gained access to OT systems. Dragos said some key equipment was disabled beyond repair and characterized the operation as a first major cyberattack focused on distributed energy resources.
ESET attributes the failed attack to Sandworm and names DynoWiper
By January 23–24, 2026, ESET publicly analyzed the malware used in the incident, named it DynoWiper (Win32/KillFiles.NMO), and attributed the operation to the Russia-aligned Sandworm group with medium confidence. ESET said it was not aware of any successful disruption and cited overlap with Sandworm's prior destructive tooling and tactics.
Polish leadership blames Russia-linked actors and plans safeguards
In the aftermath of the attack, Polish officials described it as the strongest or one of the largest attacks on the country's energy infrastructure in years, and Prime Minister Donald Tusk said indications pointed to groups linked to Russian services. The government also said it was preparing stronger safeguards and cybersecurity legislation covering IT/OT risk management and incident response.
Polish defenses block wider disruption and prevent outages
Polish authorities and responders detected and mitigated the attack before it could interrupt national electricity or heat supply. Reporting indicates communications and control were impaired at affected sites, but critical infrastructure remained operational and no grid-wide outage occurred.
Attackers deploy DynoWiper and other destructive actions in Poland
During the late-December operation, the intruders used the previously undocumented DynoWiper wiper and, in some reporting, a PowerShell-based wiper called LazyWiper, alongside firmware tampering, controller resets, and other destructive actions. These actions disrupted monitoring and remote-control capabilities and in some cases damaged equipment beyond repair, but did not cause a blackout.
Coordinated cyberattacks hit Poland's energy sector and related targets
On December 29–30, 2025, attackers targeted more than 30 wind and solar facilities, two heat-and-power/combined heat and power plants, and related communications and control systems in Poland. The operation aimed to disrupt communications between distributed renewable installations and power distribution operators during peak winter conditions.
Attackers begin long-term access and data theft at Polish CHP plant
CERT Polska later reported that in the combined heat and power plant case, the intruders had been stealing data and escalating access since March 2025, focusing on OT modernization and SCADA-related information. This established that the December sabotage attempt was preceded by months of reconnaissance and preparation.
Sandworm causes first known Ukraine power-grid blackout
In December 2015, Sandworm conducted a cyberattack on Ukraine's power grid that caused significant outages, a benchmark repeatedly cited by later reporting on the Poland incident. The event is referenced as the first known malware-induced blackout and as a precursor to later grid-focused operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
28 references tracked. Mallory keeps watching after this page renders.
Poland's energy control systems were breached through exposed VPN access - Help Net Security
helpnetsecurity.com
Open sourceDYNOWIPER: Destructive Malware Targeting Poland's Energy Sector - Elastic Security Labs
elastic.co
Open source2025 cyberattack on Polish power grid - Wikipedia
en.wikipedia.org
Open sourceCERT Polska: Static Tundra behind coordinated Poland critical infrastructure hack | SC Media
scworld.com
Open sourceSandworm hackers linked to failed wiper attack on Poland’s energy systems
bleepingcomputer.com
Open sourceWiper malware targeted Poland energy grid, but failed to knock out electricity - Ars Technica
arstechnica.com
Open sourceNew DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector
thehackernews.com
Open sourceResearchers say Russian government hackers were behind attempted Poland power outage | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Sandworm Accused of Cyberattack on Poland’s Power Grid
Polish authorities and reporting tied to **ESET research** attributed a disruptive cyber incident affecting Poland’s electricity grid to **Russia-linked threat actors**, with **Sandworm** named as the likely operator behind the operation in late 2025. The incident was characterized as a targeted attack on critical infrastructure, reinforcing ongoing concerns about state-aligned activity against European energy networks. A separate malware-newsletter roundup recirculated the attribution as one of many items, while an unrelated CSO Online feature focused on forward-looking **CISO predictions for 2026** and did not provide incident-specific details. Executive teams should treat the Poland grid activity as part of the broader pattern of **Russian state-linked** operations against OT/ICS environments, with emphasis on validating segmentation, monitoring for lateral movement into OT, and ensuring incident response playbooks cover grid/industrial disruption scenarios.
Mar 21, 2026
Static Tundra Sabotage Attempts Against Poland’s Energy Sector Using DynoWiper
CERT Polska reported **late-2025 sabotage activity** against Poland’s energy sector attributed to the threat actor **Static Tundra**, including coordinated intrusions affecting renewable energy facilities, a large combined heat and power (CHP) plant, and an energy-linked manufacturer. The activity showed a shift from espionage to disruption, including an operational technology (OT) incident in which attackers reached a renewable facility’s **Grid Control Point (GCP)** and executed a shutdown of industrial automation devices. Investigators also observed targeting of **Moxa NPort** serial-to-Ethernet devices, including password changes to lock out operators and deployment of corrupted firmware that could prevent controller startup and require manual recovery. The same reporting described two destructive malware families, **DynoWiper** and **LazyWiper**, used to render systems and data unrecoverable; DynoWiper was documented deleting files from **Mikronika RTU controllers**, while LazyWiper appeared to provide redundant destructive capability. Separately, an opinion piece highlighted that attempted disruption of the Polish distribution grid was **rebuffed and reported**, and used the Poland case (alongside speculative discussion of Venezuela) to argue that energy infrastructure attacks are becoming more common; it provided limited additional technical detail beyond noting ambiguity around attribution and the broader trend toward “democratized” attack tooling.
Mar 21, 2026
Sandworm Linked to Cyberattack That Disrupted Ukraine’s Power Grid
Ukrainian electric utilities suffered a coordinated cyberattack that caused power outages for civilians, marking one of the clearest cases of a cyber operation producing a real-world disruption of critical infrastructure. Reporting from iSIGHT Partners and SANS ICS assessed with high confidence that the outage was intentional and attributed the intrusion to **Sandworm Team**, citing the presence of **BlackEnergy 3** malware in affected environments and the use of the destructive component **KillDisk** during the operation. U.S. government industrial control system alerts later documented the incident as a cyberattack against Ukrainian critical infrastructure and tied it to a broader, ongoing malware campaign targeting ICS environments. The reporting said **KillDisk** may have been used less to trigger the outage than to hinder restoration and operator visibility after the attack, while flooding utility call centers with phone traffic likely complicated response efforts; the incident also fit Sandworm’s wider pattern of targeting Ukrainian entities, regional power organizations, and other government and media networks while showing sustained interest in **SCADA** and industrial control systems.
May 25, 2026