Cyber Incident Victim: Poland's power grid

Date: Dec 2025

Location: Poland

Summary

Poland's power grid was targeted by a wiper malware dubbed DynoWiper, which security analysts linked to the Russia‑aligned Sandworm APT group based on overlapping tactics and code. The attack aimed to disrupt communications between renewable energy installations and distribution operators but was repelled, resulting in no electricity outage or compromise of critical infrastructure.

Description

During the last week of December 2025, Poland’s power grid faced what officials described as the largest cyberattack targeting the country in years. The attack focused on disrupting the communication links between renewable energy installations and power distribution operators. Researchers identified the malicious payload as data‑wiping malware that ESET later named DynoWiper and detected as Win32/KillFiles.NMO. ESET’s analysis of the malware led to its naming and the provision of detection signatures.

Polish authorities stated that the coordinated operation was successfully repelled and that it failed to cause a blackout or compromise any critical infrastructure. They also reported that no successful disruption of electricity service resulted from the incident.

Based on analysis of the malware’s code and associated tactics, techniques, and procedures, ESET researchers attributed the attack to the Russia‑aligned Sandworm APT with medium confidence. They noted a strong overlap with numerous previous Sandworm wiper activities observed in earlier research.

The timing of the attack coincided with the 10th anniversary of the Sandworm‑orchestrated cyberattack on Ukraine’s power grid in December 2015. That 2015 incident used the BlackEnergy malware to infiltrate supervisory control and data acquisition systems at several electrical substations, leading to the first known malware‑facilitated blackout, which left roughly 230,000 people without electricity for several hours.

Sandworm has a documented history of conducting disruptive operations against Ukrainian critical infrastructure, including regular wiper attacks noted in ESET’s APT Activity Report covering April to September 2025. In the preceding year, ESET reported that Sandworm had deployed multiple wiper variants against universities and other critical‑infrastructure targets within Ukraine.

DynoWiper is classified as a wiper, a type of malware designed to permanently erase code and data stored on infected servers with the objective of destroying operational capability. ESET’s security products detect this threat under the designation Win32/KillFiles.NMO. The associated indicator of compromise includes the SHA‑1 hash 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6. Public sources do not provide further detail on why the wiper did not achieve a power outage or how it was prevented from executing its intended effect. Official statements confirm that the attack was thwarted without impacting electricity delivery or causing infrastructural damage.
