Poland Thwarts Russian Cyber-Attack on Power Grid


In a stark reminder of the digital battlefront shadowing geopolitical conflicts, Polish cybersecurity defenses successfully neutralized a sophisticated assault on the nation’s energy infrastructure in late 2025, an incident now attributed to a notorious Russian state-sponsored hacking group. The attempted incursion, which unfolded over two days on December 29 and 30, 2025, specifically targeted two combined heat and power (CHP) plants along with a renewable energy system, aiming to cripple vital services during a critical period. Cybersecurity analysts from the firm ESET have since linked the campaign to Sandworm, a prolific threat actor widely believed to be an operational unit of Russia’s GRU military intelligence service. The attack’s failure marks a significant victory for Poland’s defensive posture, demonstrating resilience against one of the world’s most aggressive cyber-espionage groups. Polish Prime Minister Donald Tusk affirmed that the nation’s critical infrastructure was never truly at risk, crediting robust protective measures for preventing what could have been a catastrophic disruption. The event has nonetheless accelerated legislative efforts within Poland to further harden its digital defenses against future aggression.

Anatomy of the Attack

The Signature of Sandworm

The attribution of the attempted cyber-attack to Sandworm, also tracked as APT44 and UAC-0113, was established with medium confidence by researchers at ESET, who pointed to a compelling overlap between the attackers’ methodology and the group’s established playbook. This connection was not based on a single piece of evidence but rather on a mosaic of similarities in tactics, techniques, and procedures (TTPs) that together form a distinct digital signature. Sandworm has a long and well-documented history of deploying destructive wiper malware, and the techniques used in the Polish incident mirrored those observed in previous campaigns, particularly against Ukrainian targets. This pattern of behavior, which includes specific methods of gaining initial access, moving laterally across networks, and deploying payloads, provided strong circumstantial evidence. The “medium confidence” assessment reflects the intelligence community’s rigorous standards: it acknowledges the absence of a definitive, irrefutable link while indicating that the available evidence strongly points toward the Russian GRU unit. This methodical approach to attribution is crucial in a landscape where threat actors often employ false flags and sophisticated obfuscation to hide their origins and intent.

DynoWiper: a Destructive Digital Weapon

At the heart of the thwarted operation was a newly identified piece of destructive malware, which researchers have dubbed DynoWiper. Unlike ransomware that encrypts data for financial gain, wiper malware is engineered for a singular, malicious purpose: the irreversible destruction of data and the incapacitation of targeted systems. DynoWiper was designed to erase critical information from infected IT and potentially OT systems, which could have rendered the CHP plants and renewable energy facility inoperable. The deployment of such a tool underscores the attackers’ intent not to steal information or extort money, but to cause tangible, physical disruption. The successful defense by Polish authorities meant that DynoWiper was neutralized before it could execute its destructive commands, preventing any impact on the power grid. The discovery of this new tool adds to the growing arsenal associated with Sandworm, highlighting the group’s continuous development of bespoke cyber weapons tailored for high-stakes attacks against critical national infrastructure, a trend that poses a persistent and evolving threat to nations worldwide.

A Pattern of Escalation

A Decade of Digital Warfare

The timing of the attack on Polish energy facilities was far from coincidental, carrying a symbolic weight that was not lost on cybersecurity analysts. The operation was launched precisely on the 10-year anniversary of Sandworm’s landmark 2015 cyber-attack on Ukraine’s power grid, an event that resulted in the world’s first-ever blackout caused by malware. That historic incident served as a watershed moment, demonstrating that cyber weapons could be used to produce physical consequences comparable to conventional military strikes. The late 2025 attempt appears to be a deliberate echo of that event, signaling a persistent focus on energy infrastructure as a primary target. This decade-long campaign of aggression, particularly its intensification since the full-scale invasion of Ukraine in 2022, reveals a clear strategic doctrine. Sandworm consistently leverages cyber operations to augment physical warfare, aiming to sow chaos, undermine economic stability, and demoralize the civilian population of its adversaries. The choice to strike during the holiday season further suggests a psychological component, designed to maximize social disruption and fear.

Bolstering a Digital Shield

In the wake of the failed attack, the Polish government has emphasized its commitment to reinforcing the nation’s cyber defenses, treating the incident as both a validation of existing systems and a catalyst for further improvement. Prime Minister Donald Tusk’s public confirmation of the successful defense was coupled with an announcement to accelerate the implementation of a new National Cybersecurity System Act. This forthcoming legislation is designed to mandate more stringent security protocols across both information technology (IT) and operational technology (OT) environments for all entities deemed critical to national infrastructure. The focus on OT systems, the industrial control systems that manage physical processes in facilities like power plants, is particularly significant, as these networks have historically been less protected than traditional IT networks. By legislating higher security standards, Poland aims to create a more unified and resilient defensive ecosystem, making it more difficult for adversaries to find and exploit vulnerabilities. This proactive legislative response reflects a broader European trend toward codifying cybersecurity best practices into law, acknowledging that the digital security of one nation is intrinsically linked to the stability of the entire region.
