Poland’s Energy Grid Targeted by Sandworm’s DynoWiper Malware
In late 2025, Poland experienced one of its largest cyberattacks, linked to the Russia-aligned APT group Sandworm. ESET researchers have investigated and named the destructive malware used in this attack DynoWiper.
The cyber incident took place during the last week of December, coinciding with the tenth anniversary of Sandworm’s assault on Ukraine’s energy infrastructure that caused a significant blackout. While the full repercussions of the attack are still under investigation, ESET has noted that DynoWiper, detected as Win32/KillFiles.NMO, is a variant of wiper malware known for causing data destruction rather than disruption. ESET expressed medium confidence in attributing the attack to Sandworm based on their analysis of the malware’s tactics, techniques, and procedures (TTPs). Fortunately, they reported that there were no known successful disruptions to the energy supply as a result of this latest incident, although Sandworm has a reputation for targeting critical infrastructure, particularly in Ukraine.
This situation underscores the persistent threat posed by cyber actors like Sandworm on critical infrastructure across Europe. As threat actors continue to innovate, the necessity for enhanced cybersecurity measures becomes increasingly pertinent.
The ramifications of this attack highlight the pressing need for defenders to strengthen their cyber defenses. Implementing robust threat intelligence, monitoring solutions, and proactive incident response strategies can significantly reduce the potential impact of similar future attacks.
Indicators of Compromise (IOCs)
- SHA-1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6
- Detection: Win32/KillFiles.NMO
- Malware Name: DynoWiper
