Cyber Incident Victim: Polish Power Grid
Date: Dec 2025
Location: Poland
Summary
Researchers attributed a wiper attack on the Polish power grid to the Russian APT Sandworm, noting that the malware struck combined heat and power plants and a renewable energy management system but caused no blackout or other disruption. ESET linked the incident to Sandworm with medium confidence, highlighting the group's history of destructive operations such as BlackEnergy, NotPetya and Industroyer, and observed that the DynoWiper variant used in the attack focused on IT rather than OT environments.
Description
On December 29 and 30, 2025, attackers launched a wiper attack against Poland's energy grid, targeting two combined heat and power plants and a system that manages electricity generated from renewable sources such as wind turbines and photovoltaic farms. The attack was described by Poland's Minister of Energy Miłosz Motyka as one of the strongest the country had seen in years. According to an announcement posted on Prime Minister Donald Tusk's website on January 15, 2026, the attack failed and resulted in no blackout or other negative consequences.

Researchers from the security firm ESET attributed the incident to the Russian APT group Sandworm on January 23, 2026, expressing medium confidence in the attribution. ESET noted that it was not aware of any successful disruption resulting from the attack. The announcement by Prime Minister Tusk did not name Sandworm but pointed to the Russian government as the likely party responsible. Sandworm is known for previous wiper attacks, including the 2015 BlackEnergy operation against Ukraine's power grid and the 2017 NotPetya campaign affecting organizations in Ukraine and over 60 other countries.
Following Russia's invasion of Ukraine in early 2022, Sandworm increased its wiper activity against Ukrainian governmental, energy, logistics, and grain sector organizations, as reported by ESET in September 2025. The malware used in the December 2025 attack against Poland was identified as DynoWiper, which, unlike Sandworm's typical Industroyer wiper that focuses on operational technology, was observed to target only the information technology environment. The article covering the incident was updated on January 30, 2026, with ESET publishing additional technical and attribution details.
