A Russian nation-state hacking group known as Sandworm has been linked to what Polish officials described as the largest cyberattack ever attempted against the country’s power system. The attack, which occurred in the final days of December 2025, was ultimately unsuccessful.
ESET attributed the operation to Sandworm based on technical overlaps with the threat actor’s previous wiper malware campaigns. In the Poland campaign, attackers deployed a previously undocumented data-destroying malware dubbed ‘DynoWiper’; however, there appears to have been no disruption to energy supplies.
The attacks targeted two combined heat and power plants, as well as a system used to manage electricity generated from renewable sources such as wind and solar, the Polish government said.
Ten years ago, in December 2015, Sandworm targeted Ukraine’s power grid with the KillDisk data-wiping malware, which caused widespread power outages.
Sandworm has a long history of using destructive malware against critical infrastructure, particularly in Ukraine following Russia’s full-scale invasion in 2022.
Last June, Cisco Talos reported that a Ukrainian critical infrastructure entity was targeted by a new data-wiping malware called “PathWiper,” similar to Sandworm’s HermeticWiper.
The group has also deployed other wipers, including ZEROLOT and Sting, targeting Ukrainian government, energy, logistics, and grain organizations between June and September 2025.