What happened
Cybersecurity researchers have attributed a December 2025 cyberattack on Poland’s power grid to the Russia-aligned advanced persistent threat (APT) group known as Sandworm. The group deployed a novel data-wiping malware, dubbed DynoWiper, against parts of the nation’s energy infrastructure, including combined heat and power plants and systems managing renewable generation. No disruption to electricity delivery has been confirmed; defensive measures appear to have prevented outages.
Who is affected
The incident targeted Poland’s critical energy infrastructure, potentially affecting control systems tied to grid operations. While the attack did not cause a blackout, the operation is considered one of the most significant cybersecurity incidents against Polish energy systems in recent years. Sandworm’s activity coincided with the 10-year anniversary of its destructive 2015 attack on Ukraine’s power grid.
Why CISOs should care
- Sandworm is a nation-state threat actor with a history of destructive cyber operations against critical infrastructure, including the 2015 Ukrainian blackout and global impacts from NotPetya in 2017.
- The use of wiper malware against operational technology (OT) environments highlights an escalation beyond typical ransomware/extortion objectives to data destruction and potential disruption.
- Critical infrastructure sectors are increasingly targeted for geopolitical leverage, not just financial gain, requiring robust readiness and threat modeling at the enterprise level.
Three practical actions
- Review and Harden OT Security: Conduct an immediate assessment of OT and ICS network segmentation, access controls, and anomaly detection to limit lateral movement and contain destructive malware.
- Update Incident Response Playbooks: Incorporate wiper malware scenarios into tabletop exercises and test data recovery from isolated backups under simulated destructive attack conditions.
- Enhance Threat Intelligence Integration: Subscribe to reputable threat intel feeds that track APT TTPs and wiper malware indicators to inform detection rules and prioritized defenses.
