Sandworm APT Targets Poland Power Grid with DynoWiper
An alarming cyberattack targeted Poland’s energy infrastructure in late December 2025, an incident security experts are calling the country’s largest in years.
The Russian-aligned Sandworm group, known for orchestrating some of the most damaging attacks on critical infrastructure, emerged as the culprit behind this coordinated assault.
The group deployed a previously undocumented data-wiping malware payload that has since been named DynoWiper, marking another chapter in Sandworm’s long history of aggressive operations.
This attack represents a significant escalation in regional tensions, arriving precisely on the tenth anniversary of Sandworm’s devastating 2015 assault on Ukraine’s power grid—an operation that caused the first-ever malware-driven blackout, leaving approximately 230,000 people without electricity.
The timing suggests a deliberate strategic choice by threat actors intent on demonstrating their capabilities during a symbolically charged moment. Poland’s electrical systems faced genuine operational risk as the malware spread through the infrastructure.
ESET researchers, reporting on the company's WeLiveSecurity blog, identified DynoWiper during their detailed forensic analysis of the attack’s technical components.
The researchers assigned it the detection signature Win32/KillFiles.NMO within their security solutions, confirming its role as the primary destructive payload.
These findings came through comprehensive investigation of the malware’s code structure and its connection to established Sandworm operational techniques.
DynoWiper’s Destructive Capabilities and Operational Impact
DynoWiper operates as a file-destruction tool engineered to overwrite and eliminate critical data on infected systems.
The malware’s design reflects Sandworm’s signature methodology of employing wiper functionality to cause maximum disruption to targeted networks.
Unlike traditional malware that aims for persistence or information theft, DynoWiper prioritizes rapid destruction, removing evidence while simultaneously crippling operational capabilities.
Its implementation reveals sophisticated understanding of Windows systems and the specific vulnerabilities present within power infrastructure networks.
The attack’s technical assessment showed that while Sandworm achieved successful system penetration and malware deployment, the incident resulted in no confirmed operational disruptions to Polish energy distribution.
This finding suggests either defensive measures successfully contained the spread or the attackers faced unexpected resistance during execution phases.
Nonetheless, the ability to deploy active wiper malware within critical national infrastructure represents a serious breach and underscores growing vulnerabilities in European power systems.