Sandworm Blamed for Wiper Attack on Polish Power Grid - Dark Reading
Researchers attributed the failed attempt to the infamous Russian APT Sandworm, which is notorious for wiper attacks on critical infrastructure organizations.

Alexander Culafi, Senior News Writer, Dark Reading
January 26, 2026
4 Min Read
Source: Pawel Chrzaszcz via Alamy Stock Photo

UPDATE

A destructive cyberattack against Poland's power grid last month has been attributed to Russia's Sandworm advanced persistent threat (APT) group.

Poland last month was targeted in a wiper attack against its energy grid that Minister of Energy Miłosz Motyka called one of the strongest the country had seen in years. Attackers on Dec. 29 and 30 targeted two combined heat and power plants, as well as "a system enabling the management of electricity generated from renewables (RES), i.e., renewable energy sources such as wind turbines and photovoltaic farms," according to an announcement on Prime Minister Donald Tusk's website. The announcement added that the attack failed and that "there was no blackout or other negative consequences." Although Tusk did not name Sandworm in the Jan. 15 announcement, he pointed a finger at the Russian government as the likely party responsible.

Researchers from security firm ESET on Jan. 23 attributed the attack to the infamous Russian threat group with medium confidence. Similarly, ESET said in its blog post that it was "not aware of any successful disruption occurring as a result of this attack."

Still, any potential offensive cyber action between nations is notable. While the exact motivations of a Russian attack against Poland are unclear, Poland is a NATO member state as well as a strategic ally of Ukraine. Russia has a history of targeting nations allied with Ukraine since its invasion of that country began a few years ago; Russia has also allegedly targeted Poland in cyberattacks as recently as last summer.

Regarding the December attack, ESET saw what it described as "a strong overlap with numerous previous Sandworm wiper activity we analyzed," based on the observed malware as well as tactics, techniques, and procedures.

"Sandworm has a long history of disruptive cyberattacks, especially on Ukraine's critical infrastructure," ESET's blog read. "Meanwhile, the attack on Poland's power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper. ESET security solutions detect DynoWiper as Win32/KillFiles.NMO."

ESET on Jan. 30 published a second blog post further noting that the threat actor's tactics, techniques, and procedures "closely resemble those seen earlier this year in an incident involving the ZOV wiper in Ukraine: Z, O, and V are Russian military symbols." ESET attributed the ZOV wiper attack to Sandworm with high confidence.

"Although Sandworm has previously targeted companies in Poland, it typically did so covertly – either for cyberespionage purposes only or by disguising its data-wiping activity as a ransomware attack, such as in the Prestige ransomware incidents," ESET wrote in the newest blog. "It is worth noting that we only attribute the data-wiping component of this activity to Sandworm with medium confidence. We do not have visibility into the initial access method used in this incident and therefore cannot assess how or by whom the first steps were carried out. In particular, the preparatory stages leading up to the destructive activity may have been conducted by another threat actor group collaborating with Sandworm."

Sandworm APT's Destructive Cyberattack Past

Sandworm is a notorious APT group, previously credited with some of the most infamous cyberattacks of all time. In 2015, it deployed BlackEnergy malware to disrupt the Ukraine power grid and leave hundreds of thousands without electricity for several hours. ESET researchers observed that this recent attack against Poland occurred on the 10th anniversary of the BlackEnergy attack.

In 2017, Sandworm targeted organizations in Ukraine and more than 60 other countries with NotPetya, a destructive data-wiping malware based on Petya ransomware.

Threat activity once again ramped up following Russia's invasion of Ukraine in early 2022. Sandworm launched regular wiper attacks against Ukraine both early in the initial invasion and more recently. According to an ESET report from September, Sandworm targeted Ukrainian governmental, energy, logistics, and grain sector organizations over the summer with wiper attacks. Researchers at the time noted, "Considering that grain export remains one of Ukraine's main sources of revenue, such targeting likely reflects an attempt to weaken the country's war economy."

Though Sandworm has been credited with espionage-related activity in the past, it is best known as a force for destruction and disruption in accordance with Russian geopolitical goals. In addition to the aforementioned malware, Sandworm has also been spotted with other wiper strains like Industroyer (also known as CrashOverride). Industroyer, also used against Ukraine, was one of the more prominent cases of industrial control system/operational technology-focused malware observed since Stuxnet.

Enter DynoWiper, the malware used in last month's attack against Poland. Where DynoWiper differs from Sandworm favorite Industroyer is that while the latter focuses on OT environments, observed DynoWiper samples focused solely on the IT environment. Other factors also drifted beyond Sandworm's typical MO, hence the medium-confidence attribution.

This article was updated on January 30, 2026 at 1:30 p.m. ET, with ESET's publishing of additional technical and attribution details.