Russia-Linked Hackers Target Polish Power Grid in Latest Cyberattack


Key Takeaways

  • The Russian state-sponsored APT group Sandworm was behind the December 2025 cyberattack on Poland’s power grid.
  • The attack targeted two combined heat and power plants and a renewable energy management system, but was thwarted before it could cause a blackout or compromise critical infrastructure.
  • Sandworm has been active since at least 2009 and is believed to be associated with Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455.
  • The APT group deployed a new data wiper, dubbed DynoWiper, in the attack, which aligns with previous Sandworm wiper attacks.
  • The attack occurred 10 years after Sandworm’s disruptive attack on Ukraine’s power grid, which resulted in multiple blackouts in the Ivano-Frankivsk region.

Introduction to the Attack
The Russian state-sponsored APT group Sandworm was behind the December 2025 cyberattack targeting Poland’s power grid, according to a report by cybersecurity firm ESET. The attack, which occurred on December 29-30, targeted Poland’s energy infrastructure, including two combined heat and power (CHP) plants and a renewable energy management system. Polish officials have blamed Russia for the assault, which is said to have been the largest cyberattack against Poland in years. Fortunately, the attack was thwarted before it could cause a blackout or compromise critical infrastructure, according to the country’s officials.

Sandworm’s History and Tactics
Sandworm, also known as APT44, BlackEnergy Lite, Seashell Blizzard, Telebots, and Voodoo Bear, has been active since at least 2009 and is believed to be associated with Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455. The APT group has become notorious for its espionage and information operations, as well as cyber disruptions. In 2015, Sandworm used the BlackEnergy malware in a disruptive attack against Ukraine’s power grid, resulting in multiple blackouts in the Ivano-Frankivsk region. This attack was a significant milestone in the history of cyberattacks, and it marked the beginning of a new era of cyber warfare.

The December 2025 Attack
According to ESET, Sandworm was most likely behind the December 2025 cyberattack on the Polish power grid, based on the malware employed and the associated tactics, techniques, and procedures (TTPs). The cybersecurity firm said that Sandworm deployed a new data wiper, dubbed DynoWiper (detected as Win32/KillFiles.NMO), in the attack, but that the attack did not cause disruptions. The intended impact of the assault has yet to be determined. ESET noted that the malware aligns with previous Sandworm wiper attacks, but no technical details on the threat have been published. That the attack occurred 10 years after Sandworm’s attack on Ukraine’s power grid is unlikely to be a coincidence, as the APT group continues to regularly mount wiper attacks against Ukrainian targets.

Implications and Concerns
The attack on Poland’s power grid is a significant concern for the country’s critical infrastructure and national security. The fact that the attack was thwarted before it could cause any damage is a testament to the effectiveness of the country’s cybersecurity measures. However, the attack highlights the ongoing threat posed by Russian state-sponsored APT groups, such as Sandworm. The use of data wipers, such as DynoWiper, is particularly concerning, as they can cause significant damage to critical infrastructure and disrupt essential services. The attack also underscores the need for countries to be vigilant and proactive in their cybersecurity efforts, particularly in the face of ongoing cyber threats from nation-state actors.

Related Incidents and Trends
The attack on Poland’s power grid is not an isolated incident. There have been several other recent incidents involving Russian state-sponsored APT groups, including attacks on energy research and defense collaboration entities, as well as cyberattacks on the French postal service and a Danish water utility. These incidents highlight the ongoing threat posed by Russian cyber actors and the need for countries to be aware of the risks and take steps to protect themselves. Additionally, the exploitation of misconfigurations in critical infrastructure attacks, as noted by Amazon, is a growing trend that requires attention and action from cybersecurity professionals and organizations.

Conclusion
The December 2025 cyberattack on Poland’s power grid, attributed to the Russian state-sponsored APT group Sandworm, highlights the ongoing threat posed by nation-state actors to critical infrastructure and national security. The use of data wipers, such as DynoWiper, is a significant concern, and the attack underscores the need for countries to be vigilant and proactive in their cybersecurity efforts. The incident also highlights the importance of international cooperation and information sharing in the fight against cyber threats. As the threat landscape continues to evolve, it is essential for organizations and governments to stay informed and take steps to protect themselves against the growing threat of cyberattacks.
