Sandworm DynoWiper Attack: Russian Hackers Target Polish Power Grid (2026)
Russia’s Sandworm Unleashes DynoWiper on Polish Power Grid: A Near-Miss for 500,000 Homes
In late December 2025, the notorious Russian GRU-linked Sandworm group launched destructive cyberattacks on Poland’s energy infrastructure using new wiper malware named DynoWiper, targeting heat-and-power plants and renewable energy systems. Polish officials called it the strongest assault on their grid in years, potentially affecting 500,000 residents, though robust defenses prevented outages.
ESET researchers attributed the December 29-30, 2025, attacks to Sandworm, the Russian military intelligence unit infamous for the 2015 and 2016 Ukrainian blackouts. The operation hit two heat-and-power plants and a renewable energy management system for wind turbines and solar farms, coinciding with the 10th anniversary of prior grid strikes. The attackers used custom webshells, living-off-the-land techniques, and dual-use tools to maintain persistence with minimal malware.
DynoWiper, a previously unknown wiper malware recovered by ESET, aimed to erase data and crash systems across the targeted networks. ESET PROTECT’s detection blocked the payload, limiting damage and preventing widespread disruption. Polish Energy Minister Milosz Motyka confirmed the assault’s severity, noting it could have blacked out around 500,000 homes if successful.

Sandworm’s tactics relied on stealthy access maintenance rather than heavy malware drops, a hallmark of their destructive campaigns. The group has a history of energy sector hits, including prolonged intrusions like the 2024 Kyivstar telecom breach in Ukraine. This Poland incident marks a rare overt strike on NATO-adjacent infrastructure.
Defensive measures, including endpoint protection and network monitoring, proved crucial in thwarting the wiper’s execution. ESET published detailed analysis, naming the malware DynoWiper after its grid-targeting intent. No outages occurred, but the event heightened alerts for European critical infrastructure.
Energy operators worldwide should enhance OT/IT segmentation, anomaly detection, and wiper-specific defenses against APTs like Sandworm. The attack, timed symbolically near the anniversaries of the Ukraine blackouts, highlights escalating hybrid warfare risks.
As geopolitical tensions persist, such incidents signal potential for more aggressive cyber operations on power grids. Poland’s resilience offers a model, but vigilance remains essential.