Key Takeaways
- A major cyberattack on Poland's power grid in late December of last year has been attributed to Sandworm, a hacking group linked to Russian military intelligence.
- The attack used data-wiping malware dubbed DynoWiper, which destroys critical files and renders infected systems unusable.
- The attack was thwarted before it caused any outage, but Polish authorities said it could have cut electricity to as many as half a million people had it succeeded.
- ESET attributes the incident to Sandworm with medium confidence, based on strong overlap with numerous earlier Sandworm wipers the firm has analysed.
- ESET described the attack as unprecedented for Poland: earlier incidents there had not been disruptive in nature or intent. The targets were the communication links between renewable energy installations and electricity distribution operators, rather than large plants or the transmission network.
Introduction to the Cyberattack
A major cyberattack that nearly cut electricity to hundreds of thousands of people in Poland late last year was reportedly carried out by Sandworm, a Russia-linked hacking group known for targeting power grids. The late-December attack involved data-wiping malware dubbed DynoWiper, which is designed to destroy critical files and render systems unusable. Analysts at the cybersecurity firm ESET said they attribute the attack to the Russia-aligned Sandworm APT with medium confidence, citing strong overlap with numerous previous Sandworm wiper operations they had analysed. Medium confidence is a deliberate hedge: overlap in tooling and tradecraft points at a group, but the attribution is not as firm as one backed by infrastructure or operator evidence.
The Attack’s Impact and Attribution
The attack was thwarted before it caused power outages, but Polish authorities warned that, had it succeeded, it could have cut electricity to as many as half a million people. In a comment to the American cybersecurity journalist Kim Zetter, ESET said the attempted attack on Poland was "unprecedented," noting that previous cyber incidents targeting the country had not been disruptive "in nature or intent." The timing was also notable: the attack came almost exactly a decade after Sandworm's December 2015 cyberattack on Ukraine's power grid, the first known blackout caused by malware, which left around 230,000 people without electricity.
Details of the Attack
Polish Energy Minister Miłosz Motyka, who called the incident "the largest attack on energy infrastructure in years," said the hackers targeted communications between renewable energy installations, including solar farms and wind turbines, and electricity distribution operators across large parts of the country. Unlike earlier cyber incidents focused on large power plants or transmission networks, this attack appeared to strike many smaller generation sources at once, which is what made its potential reach so wide despite each individual site being small. According to Motyka, Poland has not seen this type of attack before but expects it to happen again. Digital Affairs Minister Krzysztof Gawkowski said the incident came "very close to a blackout" and showed signs of a coordinated sabotage campaign.
Sandworm’s History and Motivations
Sandworm, which researchers have linked to Russia's military intelligence, has been active since at least 2013 and is responsible for some of Moscow's most high-profile destructive cyberattacks. The group has played a central role in cyber operations linked to Russia's war in Ukraine, including, according to Kyiv, attacks on nearly 20 Ukrainian energy facilities in 2024. Its pattern of activity is consistent with a mandate to disrupt and destabilize critical infrastructure in countries Russia regards as adversaries. Its reliance on wipers such as DynoWiper is what makes it especially dangerous: a wiper is a destructive tool rather than an espionage one. It overwrites or deletes files to take hosts offline, so recovery means rebuilding affected systems from clean backups rather than simply removing the malware, and in a grid environment the hosts taken offline are the ones operators depend on for visibility and control.
Conclusion and Implications
The attempted cyberattack on Poland's power grid is a stark reminder of the growing threat that state-sponsored cyberattacks pose to critical infrastructure. Two features of this incident stand out for defenders. First, the attackers went after the communication links between many small renewable installations and distribution operators rather than a handful of large plants, so the attack surface to protect is spread across many sites and operators. Second, the weapon was a wiper, which means the relevant preparations are tested, offline backups and rehearsed rebuild procedures, not only intrusion detection. The incident also underscores the value of international cooperation and information sharing: the attribution rests on ESET's comparison with earlier Sandworm wipers, and that kind of comparison is only possible when analysts share samples and findings across borders. That the attribution carries medium rather than high confidence does not weaken the lesson for other countries; it is the normal standard for destructive attacks of this kind, and the operators and governments that could be next should treat it as warning enough to strengthen their defences now.