The Russian nation-state hacking group often called Sandworm has been attributed to what has been described because the “largest cyber assault” focusing on Poland’s energy system within the final week of December 2025.
The assault was unsuccessful, the nation’s vitality minister, Milosz Motyka, stated final week.
“The command of the our on-line world forces has recognized within the final days of the 12 months the strongest assault on the vitality infrastructure in years,” Motyka was quoted as saying.
In keeping with a new report by ESET, the assault was the work of Sandworm, which deployed a beforehand undocumented wiper malware codenamed DynoWiper (aka Win32/KillFiles.NMO). The hyperlinks to Sandworm are based mostly on overlaps with prior wiper exercise related to the adversary, significantly within the aftermath of Russia’s army invasion of Ukraine in February 2022.
The Slovakian cybersecurity firm, which recognized the usage of the wiper as a part of the tried disruptive assault aimed on the Polish vitality sector on December 29, 2025, stated there isn’t a proof of profitable disruption.
The December 29 and 30, 2025, assaults focused two mixed warmth and energy (CHP) vegetation, in addition to a system enabling the administration of electrical energy generated from renewable vitality sources comparable to wind generators and photovoltaic farms, the Polish authorities stated.
“Every thing signifies that these assaults had been ready by teams straight linked to the Russian companies,” Prime Minister Donald Tusk stated, including the federal government is readying additional safeguards, together with a key cybersecurity laws that may impose strict necessities on danger administration, safety of knowledge know-how (IT) and operational know-how (OT) programs, and incident response.
It is price noting that the exercise occurred on the tenth anniversary of the Sandworm’s assault towards the Ukrainian energy grid in December 2015, which led to the deployment of the BlackEnergy malware, plunging elements of the Ivano-Frankivsk area of Ukraine into darkness.
The trojan, which was used to plant a wiper malware dubbed KillDisk, prompted a 4–6 hour energy outage for about 230,000 individuals.
“Sandworm has a protracted historical past of disruptive cyber assaults, particularly on Ukraine’s important infrastructure,” ESET stated. “Quick ahead a decade and Sandworm continues to focus on entities working in varied important infrastructure sectors.”
In June 2025, Cisco Talos stated a important infrastructure entity inside Ukraine was focused by a beforehand unseen knowledge wiper malware named PathWiper that shares some stage of practical overlap with Sandworm’s HermeticWiper.
The Russian hacking group has additionally been noticed deploying data-wiping malware, comparable to ZEROLOT and Sting, in a Ukrainian college community, adopted by serving a number of data-wiping malware variants towards Ukrainian entities lively within the governmental, vitality, logistics, and grain sectors between June and September 2025.
