Poland Power Grid Hit by Sandworm’s Wiper Malware Attack


Key Takeaways

  • A destructive cyberattack against Poland’s power grid was attributed to Russia’s Sandworm advanced persistent threat (APT) group.
  • The attack, which occurred on December 29 and 30, targeted two combined heat and power plants and a system enabling the management of electricity generated from renewables.
  • The attack failed, and there were no blackouts or negative consequences.
  • Researchers from security firm ESET attributed the attack to Sandworm with medium confidence, citing a strong overlap with previous Sandworm wiper activity.
  • The attack is notable as a potential offensive cyber action between nations, with Poland being a NATO member state and a strategic ally of Ukraine.

Introduction to the Cyberattack
A recent cyberattack against Poland’s power grid has been attributed to Russia’s Sandworm advanced persistent threat (APT) group. The attack, which occurred on December 29 and 30, targeted two combined heat and power plants, as well as a system enabling the management of electricity generated from renewables. According to an announcement on Prime Minister Donald Tusk’s website, the attack failed, and there were no blackouts or negative consequences. Although Tusk did not name Sandworm in the announcement, he pointed a finger at the Russian government as the likely party responsible.

Attribution to Sandworm
Researchers from security firm ESET attributed the attack to Sandworm with medium confidence, citing a strong overlap with previous Sandworm wiper activity. ESET said in its blog post that it was "not aware of any successful disruption occurring as a result of this attack." The company observed what it described as "a strong overlap with numerous previous Sandworm wiper activity we analyzed," based on observed malware, as well as tactics, techniques, and procedures. Sandworm has a long history of disruptive cyberattacks, especially on Ukraine’s critical infrastructure.

Sandworm’s History of Destructive Attacks
Sandworm is a notorious APT group, previously credited with some of the most infamous cyberattacks of all time. In 2015, it deployed BlackEnergy malware to disrupt the Ukraine power grid and leave hundreds of thousands without electricity for several hours. ESET researchers observed that this recent attack against Poland occurred on the 10th anniversary of the BlackEnergy attack. In 2017, Sandworm targeted organizations in Ukraine and more than 60 other countries with NotPetya, a destructive data wiping malware based on Petya ransomware. Threat activity once again ramped up following Russia’s invasion of Ukraine in early 2022, with Sandworm launching regular wiper attacks against Ukraine.

DynoWiper Malware
The malware used in last month’s attack against Poland is called DynoWiper. ESET researchers did not provide technical details regarding the seemingly new DynoWiper malware. However, they noted that Sandworm has been spotted with other wiper strains, such as Industroyer (also known as CrashOverride). Industroyer, which was likewise used against Ukraine, remains one of the most prominent examples of malware targeting industrial control systems and operational technology (ICS/OT) observed since Stuxnet. The use of DynoWiper in the attack against Poland is a significant development, as it highlights Sandworm’s continued ability to adapt and evolve its tactics, techniques, and procedures.

Implications of the Attack
The attack on Poland’s power grid is notable as a potential offensive cyber action between nations. Poland is a NATO member state and a strategic ally of Ukraine, and Russia has a history of targeting nations allied with Ukraine since its invasion of Ukraine began in 2022. The attack is a reminder of the ongoing cyber threat posed by Russia and of the need for countries to remain vigilant and prepared to defend against such attacks. The fact that the attack failed and did not result in any significant disruption is a testament to the effectiveness of Poland’s cybersecurity measures and the quick response of its authorities.

Conclusion
The cyberattack against Poland’s power grid attributed to Sandworm is a significant development in the ongoing cyber conflict between Russia and its adversaries. The use of DynoWiper malware and the targeting of critical infrastructure highlight the persistent threat posed by Sandworm and the need for countries to remain vigilant and prepared to defend against such attacks. As the cyber threat landscape continues to evolve, it is essential for countries to remain proactive and cooperative in defending against such attacks and preventing future incidents.
