2 Remove Virus

Russia linked to failed December cyberattack on Poland power grid

Polish authorities and independent researchers have attributed a large-scale cyberattack on Poland’s power grid in late December 2025 to Russia-linked state hackers. The attack targeted systems that manage energy generation and distribution and involved malware designed to wipe data from industrial control systems and disrupt operations. The incident did not cause widespread outages, but officials described it as one of the most significant cyber operations ever directed at Polish critical infrastructure.

Poland’s government reported that on December 29 and 30, digital intrusion attempts targeted the information technology and operational technology networks of combined heat and power plants and the management systems for renewable energy installations. Those systems coordinate electricity production from wind turbines, solar farms, and other distributed energy sources. Polish authorities said the attacks were repelled before any power loss occurred.

Security analysts at cybersecurity firm ESET identified the malware used in the incident as a new variant of wiper software called DynoWiper. ESET attributed the attack to a long-running Russian advanced persistent threat group widely known as Sandworm, which Western governments associate with Russia’s Main Intelligence Directorate (GRU). The group has been linked to previous disruptive cyber campaigns, including an attack on Ukraine’s power grid in 2015.

The Polish digital affairs minister said the incident was the first known large-scale attack on distributed energy resources and described the targeting of both large and smaller renewable installations as an escalation in cyber threats to the energy sector. Officials said the attack showed how digital systems that link power generation assets to grid control infrastructure can be exploited.

Prime Minister Donald Tusk and energy officials said the operation appeared intended to disrupt communication between generating facilities and grid operators. The scale and sophistication of the attack prompted warnings from national authorities that critical infrastructure remains vulnerable to future incursions by state-linked actors. Despite the lack of outages, the episode triggered plans to strengthen cybersecurity requirements for energy systems and to equip public and private operators with advanced tools for threat detection and response.

Independent reporting indicated that researchers who analysed the malware and intrusion techniques saw strong similarities with previous campaigns by Sandworm, including code overlap and tactics consistent with GRU-linked actors. Western governments have in the past officially attributed destructive cyberattacks on infrastructure in Europe to units of Russian military intelligence and have imposed sanctions related to such operations.

Poland’s energy minister described the late December event as the most powerful cyberattack on the national energy system in years and confirmed that defensive measures prevented power loss for consumers during a period of cold weather. The government’s assessment emphasised the importance of vigilance and enhanced protection for critical infrastructure networks.