A cyberattack in late December 2025 targeting parts of Poland’s energy infrastructure has been linked to the Russian state-aligned hacking group Sandworm, although officials say the effort did not succeed in disrupting power systems. Security researchers attribute the attempted intrusion to Sandworm based on analysis of the malware used and similarities with the group’s previous operations.

The attack occurred on 29 and 30 December 2025, when malicious software known as DynoWiper was deployed against control systems for two combined heat and power plants and a system used to manage electricity from renewable sources such as wind turbines and solar facilities. DynoWiper is a type of “wiper” malware designed to erase data and render infected systems unusable if executed. Security firm ESET analysed samples of the malware and attributed the activity to Sandworm with medium confidence, citing overlaps with destructive tools previously associated with the group.

Polish officials characterised the incident as a serious cyberattack on the nation’s energy infrastructure. Milosz Motyka, Poland’s energy minister, said the attack was “the strongest” seen in recent years, though defences held and the malware did not achieve its intended effect. Researchers and government representatives both reported that no operational disruption occurred as a result of the malware deployment.

Sandworm, also tracked by cybersecurity firms as UAC-0113 and APT44, is widely regarded as a nation-state threat actor with links to Russia’s military intelligence unit (GRU) and a long history of cyber operations targeting critical infrastructure. The group has been previously connected to destructive attacks on energy systems, including a 2015 wiper attack on Ukraine’s power grid that resulted in outages for approximately 230,000 customers.

Polish authorities and researchers have not disclosed full technical details of how the attackers gained initial access to energy systems or the timeline of the intrusion. The ESET analysis noted that similarities in “tactics, techniques, and procedures” of the malware support the attribution to Sandworm, a group with a record of deploying wiper malware in other campaigns throughout 2025.

The timing of the attack, almost ten years after the 2015 Ukraine power grid hack that was also linked to Sandworm, drew attention from cybersecurity analysts. Polish Prime Minister Donald Tusk said authorities would continue to strengthen cyber defences and work with international partners to protect critical infrastructure from similar threats.
