Poland narrowly avoided a large-scale power outage after repelling a cyberattack targeting its energy grid on December 29-30, 2025. The attack—attributed to Russia’s Sandworm (GRU Unit 74455)—struck approximately 30 facilities and marks the first major cyberattack against distributed energy resources (DERs) worldwide.
Incident overview
| Attribute | Details |
|---|---|
| Attack dates | December 29-30, 2025 |
| Attribution | Sandworm (APT44, GRU Unit 74455) |
| Confidence | Medium (ESET) |
| Facilities compromised | ~30 |
| Potential affected population | 500,000 |
| Malware deployed | DynoWiper, LazyWiper |
| Outcome | Attack repelled; no widespread outage |
| Physical damage | Some equipment damaged beyond repair |
Timeline
| Date | Event |
|---|---|
| December 29-30, 2025 | Attack on Polish energy infrastructure |
| January 2026 | Polish PM Donald Tusk publicly blames Russia |
| January 15, 2026 | ESET publishes analysis attributing attack to Sandworm |
| January 2026 | Poland fast-tracks new cybersecurity legislation |
| January 2026 | Arrests of individuals suspected of Russian espionage |
The attack occurred on the 10th anniversary of Sandworm’s 2015 attack on Ukraine’s power grid—the first-ever malware-facilitated blackout, which left 230,000 people without electricity.
Attack scope
According to Dragos, approximately 30 facilities were compromised:
| Target Type | Details | Impact |
|---|---|---|
| Wind farms | Multiple sites | Operational technology compromised |
| Solar farms | Multiple sites | Remote terminal units affected |
| Combined heat and power plant | Supplies heat to ~500,000 customers | Critical heating infrastructure |
| Private manufacturing company | Undisclosed | Industrial systems targeted |
| Remote terminal units (RTUs) | Communication infrastructure | Equipment damaged beyond repair |
Attack outcome
| Metric | Status |
|---|---|
| Power outages | None (attack repelled) |
| Transmission system | Not affected |
| Physical damage | Equipment at multiple sites damaged beyond repair |
| OT system access | Attackers gained access to operational technology |
| Recovery | Ongoing at damaged facilities |
Polish officials stated the attack could have affected 500,000 people if it had succeeded. The digital affairs minister confirmed Poland came “very close” to a blackout.
DynoWiper malware
ESET named the wiper malware DynoWiper (detected as Win32/KillFiles.NMO). A second variant, LazyWiper, was also deployed.
Technical characteristics
| Attribute | Details |
|---|---|
| Primary purpose | Data destruction |
| Ransomware component | None—pure destruction |
| Target systems | IT systems, recovery infrastructure |
| Destruction method | File overwriting with random data |
| Reboot trigger | Forces system restart after wiping |
Destruction mechanism
| File size | Behavior |
|---|---|
| ≤16 bytes | Fully overwritten |
| >16 bytes | Partial overwrite (speed optimization) |
| Final action | Forced system reboot |
The wiper uses a 16-byte buffer containing random data generated at execution start. Files larger than 16 bytes have only portions overwritten to speed up destruction.
Relationship to ZOV wiper
| Similarity | Details |
|---|---|
| Directory exclusions | Same logic for protected paths |
| File handling | Similar small/large file processing |
| Previous deployment | ZOV used against Ukrainian financial institution (November 2025) |
DynoWiper operates in a broadly similar fashion to the ZOV wiper, suggesting shared development or tooling.
First-ever DER attack
Dragos described this as “the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and [combined heat and power] facilities being added to grids worldwide.”
Why DERs are vulnerable
| Factor | Risk |
|---|---|
| Limited investment | Smaller facilities receive less security funding |
| Internet exposure | Remote management creates attack surface |
| Misconfigurations | Common in rapidly deployed renewable infrastructure |
| Staffing | Often lack dedicated security personnel |
| IT/OT convergence | Shared networks without segmentation |
Physical damage confirmed
“While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site.”
This confirms that cyberattacks on energy infrastructure can cause permanent physical damage—not just operational disruption.
Attribution
ESET attributes the attack to Sandworm with medium confidence based on:
| Evidence | Details |
|---|---|
| Malware overlap | Strong similarity to previous Sandworm wiper activity |
| Tactical patterns | Matches Ukraine grid attack techniques |
| Target selection | Consistent with Russian strategic interests |
| Timing | Anniversary of 2015 Ukraine blackout |
| Political context | Poland actively supporting Ukraine |
Sandworm background
| Attribute | Details |
|---|---|
| Also tracked as | UAC-0113, APT44, Seashell Blizzard |
| Affiliation | Russia’s GRU Military Unit 74455 |
| Active since | At least 2009 |
| Previous grid attacks | Ukraine 2015, 2016, 2022 |
| Specialization | Critical infrastructure disruption |
Previous Sandworm grid attacks
| Year | Target | Outcome |
|---|---|---|
| 2015 | Ukraine power grid | 230,000 without power (first malware blackout) |
| 2016 | Ukraine power grid | Outages in Kyiv area |
| 2022 | Ukraine power grid | Attempted during Russian invasion |
| 2025 | Poland power grid | Attack repelled; equipment damaged |
Polish Prime Minister Donald Tusk publicly blamed Russia for the attack.
Poland’s response
Immediate actions
| Action | Result |
|---|---|
| Attack repelled | No widespread outage |
| Transmission protected | Backbone infrastructure secure |
| Incident response | Rapid containment |
| Public attribution | Russia blamed publicly |
Legislative response
Poland is fast-tracking new cybersecurity legislation with requirements for:
| Requirement | Purpose |
|---|---|
| Enhanced risk management | Mandatory security assessments |
| IT/OT system protection | Segmentation requirements |
| Incident response capabilities | Rapid response mandates |
| Critical infrastructure standards | Elevated security baselines |
Enforcement
Arrests of individuals suspected of involvement in Russian espionage rings have followed the attack.
Expert assessment
Dragos warning
“An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it.”
The timing—late December in Poland—maximized potential harm to civilian populations dependent on heating during winter.
Polish government response
“The systems we have in Poland today proved effective. At no point was critical infrastructure threatened, meaning the transmission networks and everything that determines the safety of the entire system.” — Prime Minister Donald Tusk
Implications for energy sector
For grid operators
| Priority | Action |
|---|---|
| Critical | Assess DER security posture—smaller facilities are proven targets |
| Critical | Audit internet exposure—RTUs and communication systems shouldn’t be directly accessible |
| High | Implement IT/OT segmentation—wiper malware on IT shouldn’t affect operations |
| High | Plan for recovery without IT—attackers specifically targeted recovery capabilities |
| High | Coordinate with national authorities—state-sponsored attacks require government response |
For policy makers
The Poland attack demonstrates:
| Finding | Implication |
|---|---|
| DERs expand attack surface | Renewable deployment increases grid vulnerability |
| State actors target civilians | Winter attacks maximize harm potential |
| Physical damage possible | Cyber can destroy equipment permanently |
| Investment gap | DER security hasn’t kept pace with deployment |
Detection indicators
| Indicator | Meaning |
|---|---|
| DynoWiper file operations | Active wiper deployment |
| Win32/KillFiles.NMO detection | ESET signature match |
| Forced reboots after file operations | Wiper completing destruction cycle |
| RTU communication anomalies | Compromised remote terminal units |
| Unexpected IT system failures | Potential wiper activity |
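The "forced reboots after file operations" indicator above, together with the destruction mechanism described under DynoWiper (overwrite many files, then force a restart), can be turned into a simple endpoint-telemetry rule. The following is an added example, not ESET's or Dragos' code; the telemetry schema, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Heuristic for the wipe-then-reboot sequence described on this page: one process
overwrites many files across several directories in a short window and then forces a
restart. Telemetry schema, thresholds and sample events are assumptions/constructed."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real incident data): (utc_ts, pid, process, action, target)
SAMPLE_EVENTS = [
    ("2026-01-05T23:58:01", 4120, "svchost.exe", "FILE_WRITE", r"C:\Windows\Logs\CBS\CBS.log"),
    ("2026-01-05T23:59:10", 5577, "update.exe", "FILE_WRITE", r"C:\Users\ops\Documents\a.docx"),
    ("2026-01-05T23:59:11", 5577, "update.exe", "FILE_WRITE", r"C:\Users\ops\Documents\b.xlsx"),
    ("2026-01-05T23:59:11", 5577, "update.exe", "FILE_WRITE", r"C:\Backups\scada-config.bak"),
    ("2026-01-05T23:59:12", 5577, "update.exe", "FILE_WRITE", r"C:\Backups\hmi-project.zip"),
    ("2026-01-05T23:59:12", 5577, "update.exe", "FILE_WRITE", r"D:\Recovery\image.wim"),
    ("2026-01-05T23:59:20", 5577, "update.exe", "SYSTEM_SHUTDOWN", ""),
]

REBOOT_ACTIONS = {"SYSTEM_SHUTDOWN", "SYSTEM_REBOOT"}

def detect_wiper_cycle(events, window=timedelta(seconds=60), min_files=5, min_dirs=3):
    """Return [(pid, process, files_written, dirs_touched)] for every process that wrote to
    at least `min_files` distinct files in at least `min_dirs` directories during the
    `window` before it triggered a shutdown/reboot. A process that only writes files (no
    reboot) or only reboots (no mass writes) does not alert."""
    by_pid = defaultdict(list)
    for ts, pid, proc, action, target in events:
        by_pid[pid].append((datetime.fromisoformat(ts), proc, action, target))
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        for i, (t_reboot, proc, action, _) in enumerate(evs):
            if action not in REBOOT_ACTIONS:
                continue
            # Only FILE_WRITE events inside the look-back window before the reboot count
            recent = [e for e in evs[:i] if e[2] == "FILE_WRITE" and t_reboot - e[0] <= window]
            files = {e[3] for e in recent}
            dirs = {ntpath.dirname(f) for f in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append((pid, proc, len(files), len(dirs)))
                break  # one alert per process is enough
    return alerts

if __name__ == "__main__":
    for pid, proc, n_files, n_dirs in detect_wiper_cycle(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {proc}: {n_files} files in {n_dirs} dirs overwritten before reboot")
```

Thresholds should be tuned against normal patch and backup activity on the fleet, which also writes many files but rarely triggers an immediate reboot from the same process.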
Recommendations
For energy infrastructure operators
| Priority | Action |
|---|---|
| Critical | Segment DER facilities from central grid management |
| Critical | Remove direct internet exposure from OT systems |
| High | Implement offline backup and recovery capabilities |
| High | Deploy wiper-specific detection signatures |
| High | Conduct tabletop exercises for destructive attacks |
| Ongoing | Coordinate with national cyber defense agencies |
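The two "remove direct internet exposure" items (the audit of RTU and communication-system exposure under "For grid operators" and the critical action in the table above) can be checked mechanically against a firewall rule inventory. The following is an added example rather than any operator's or vendor's tooling; the rule schema, the trusted address ranges and the sample rules are constructed assumptions, while the three protocol ports are the IANA-registered ones.

```python
"""Exposure audit for RTU/OT protocol endpoints: flags firewall rules that allow traffic to
common ICS ports from source ranges outside the operator's own address space. Rule schema,
trusted ranges and the sample rules are assumptions/constructed, not any operator's data."""
import ipaddress

# IANA-registered ports for three common RTU/substation protocols
OT_PORTS = {502: "Modbus/TCP", 2404: "IEC 60870-5-104", 20000: "DNP3"}

# Assumed internal (RFC 1918) ranges; replace with the real OT management address plan
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inbound-allow rule inventory: (rule_id, src_cidr, dst_host, dst_port)
SAMPLE_RULES = [
    ("fw-01", "10.20.0.0/16", "rtu-wind-03", 502),       # OT management VLAN only: fine
    ("fw-02", "0.0.0.0/0", "rtu-solar-07", 2404),        # any source on the internet
    ("fw-03", "203.0.113.0/24", "rtu-chp-01", 20000),    # a vendor range, still external
    ("fw-04", "0.0.0.0/0", "customer-portal", 443),      # not an OT protocol port
]

def is_internal(src_cidr):
    """True only if the whole source range sits inside one of TRUSTED_NETS."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return any(t.version == net.version and net.subnet_of(t) for t in TRUSTED_NETS)

def audit_ot_exposure(rules):
    """Return findings for rules reaching an OT port from outside TRUSTED_NETS.
    Severity is 'critical' for an any-source rule, 'high' for a narrower external range."""
    findings = []
    for rule_id, src, host, port in rules:
        if port not in OT_PORTS or is_internal(src):
            continue
        any_source = ipaddress.ip_network(src, strict=False).prefixlen == 0
        findings.append({"rule": rule_id, "host": host, "protocol": OT_PORTS[port],
                         "source": src, "severity": "critical" if any_source else "high"})
    return findings

if __name__ == "__main__":
    for f in audit_ot_exposure(SAMPLE_RULES):
        print(f"{f['severity'].upper()}: {f['rule']} exposes {f['protocol']} on {f['host']} to {f['source']}")
```

A vendor's remote-maintenance range is still external exposure; the usual fix is to terminate such access on a jump host or VPN concentrator inside the trusted range rather than on the RTU itself.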
For governments
| Priority | Action |
|---|---|
| Critical | Mandate security standards for DER facilities |
| High | Provide threat intelligence to energy sector |
| High | Fund security improvements for renewable infrastructure |
| Ongoing | International coordination on state-sponsored threats |
Context
Sandworm’s targeting of Poland—a NATO member actively supporting Ukraine—fits the pattern of Russian cyber operations against nations opposing Russian interests. The attack’s timing on the anniversary of the 2015 Ukraine blackout appears deliberate.
The Poland attack represents a significant escalation: the first major cyberattack targeting distributed energy resources, with confirmed physical damage to equipment. As grids worldwide add wind, solar, and distributed generation, this attack surface will only grow.
Energy infrastructure worldwide should assume similar attacks are possible and plan accordingly. The combination of wiper malware, OT targeting, and winter timing demonstrates that state-sponsored actors are willing to risk civilian harm to achieve strategic objectives.