
Sandworm's DynoWiper Malware Targets Polish Power Sector
Sandworm's DynoWiper malware targets Polish power sector in attempted cyber attack
A recent cyber attack targeting Poland's power system has been attributed to the Russian nation-state hacking group Sandworm. The attack, which occurred in late December 2025, was unsuccessful, but it highlights the group's continued focus on critical infrastructure. The attack was carried out using a previously undocumented wiper malware codenamed DynoWiper.
What Happened
The attack was first reported by the Polish government, which stated that the command of the cyberspace forces had diagnosed the strongest attack on the energy infrastructure in years. The attack targeted two combined heat and power plants, as well as a system enabling the management of electricity generated from renewable energy sources. According to ESET, the attack was the work of Sandworm, which deployed the DynoWiper malware. The links to Sandworm are based on overlaps with prior wiper activity associated with the adversary, particularly in the aftermath of Russia's military invasion of Ukraine in February 2022.
Technical Details
DynoWiper is a previously undocumented wiper that was used in the attempted disruptive attack aimed at the Polish energy sector. It is similar to other wiper malware used by Sandworm, such as HermeticWiper and KillDisk. The malware is designed to wipe data from infected systems, making recovery difficult. The attack occurred on the tenth anniversary of Sandworm's attack against the Ukrainian power grid in December 2015, in which the BlackEnergy malware was deployed.
Impact and Risk
The attack highlights the risk of cyber attacks on critical infrastructure, particularly those carried out by nation-state hacking groups. The Polish government has stated that it is readying extra safeguards, including key cybersecurity legislation that will impose strict requirements on risk management, protection of information technology (IT) and operational technology (OT) systems, and incident response. The attack also highlights the need for organizations to be aware of the threat posed by Sandworm and to take steps to protect themselves from similar attacks.
Mitigation Steps
To protect themselves from similar attacks, organizations should take steps to improve their cybersecurity posture. This includes implementing robust security measures, such as firewalls and intrusion detection systems, as well as conducting regular security audits and penetration testing. Organizations should also ensure that they have a comprehensive incident response plan in place, which includes procedures for responding to and containing cyber attacks. Additionally, organizations should stay informed about the latest threats and vulnerabilities, and take steps to patch and update their systems regularly.
Frequently Asked Questions
The DynoWiper malware is a previously undocumented wiper malware that was used in the attempted disruptive attack aimed at the Polish energy sector. It is similar to other wiper malware used by Sandworm, such as HermeticWiper and KillDisk.
The attack has been attributed to the Russian nation-state hacking group Sandworm. The group has a history of carrying out cyber attacks on critical infrastructure, particularly in Ukraine.
To protect themselves from similar attacks, organizations should take steps to improve their cybersecurity posture. This includes implementing robust security measures, such as firewalls and intrusion detection systems, as well as conducting regular security audits and penetration testing.


