
New DynoWiper Malware Targets Polish Power Sector in Sandworm Attack

  • Jan 24

Key Findings


  • The Russian nation-state hacking group known as Sandworm attempted a significant cyber attack targeting Poland's power sector in late December 2025.

  • The attack involved the deployment of a previously undocumented wiper malware called DynoWiper.

  • The attack was ultimately unsuccessful, with no evidence of disruption to Poland's energy infrastructure.

  • This activity occurred on the 10th anniversary of Sandworm's 2015 attack against the Ukrainian power grid, which deployed the BlackEnergy malware.

  • Sandworm has a long history of disruptive cyber attacks, especially targeting critical infrastructure in Ukraine.


Background


  • In June 2025, Cisco Talos reported that a critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, which shared some functional overlap with Sandworm's HermeticWiper.

  • Sandworm has also been observed deploying data-wiping malware, such as ZEROLOT and Sting, in a Ukrainian university network, and subsequently deploying multiple data-wiping malware variants against Ukrainian entities in the governmental, energy, logistics, and grain sectors between June and September 2025.


The DynoWiper Attack on Poland


  • The attack on Poland's power sector occurred on December 29 and 30, 2025, targeting two combined heat and power (CHP) plants, as well as a system enabling the management of electricity generated from renewable energy sources.

  • The attack was identified by the Slovakian cybersecurity company ESET as the work of Sandworm, based on overlaps with prior wiper activity associated with the adversary.

  • Polish Prime Minister Donald Tusk stated that "Everything indicates that these attacks were prepared by groups directly linked to the Russian services" and that the government is readying extra cybersecurity measures, including new legislation.


Significance and Implications


  • The failed attack on Poland's power sector highlights Sandworm's persistent targeting of critical infrastructure, particularly in the aftermath of Russia's military invasion of Ukraine in 2022.

  • The deployment of a new, previously undocumented wiper malware called DynoWiper demonstrates Sandworm's continued evolution and capability to develop new tools for disruptive operations.

  • The timing of the attack, coinciding with the 10th anniversary of Sandworm's 2015 attack on the Ukrainian power grid, suggests the group's desire to maintain its reputation for high-impact critical infrastructure attacks.

  • The Polish government's response, including new cybersecurity legislation, highlights the ongoing efforts to bolster the resilience of critical systems against state-sponsored cyber threats.


Sources


  • https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html

  • https://x.com/TheCyberSecHub/status/2014980565305589862

  • https://www.reddit.com/r/pwnhub/comments/1qlpikt/sandworms_dynowiper_malware_targets_polish_power/

© 2025 by Explain IT Again.