Sandworm’s DynoWiper Attack Targeting Polish Combined Heat and Power and Renewable Energy Management Systems: Incident Analysis and Lessons Learned
- Rescana

Executive Summary
In December 2025, the Polish energy sector was the target of a destructive cyberattack attributed to the Russian state-sponsored advanced persistent threat (APT) group Sandworm. The operation used a newly identified data-wiping malware, DynoWiper, intended to disrupt critical energy infrastructure, including combined heat and power (CHP) plants and renewable energy management systems. Polish authorities and the affected organizations' security teams detected and contained the threat before any operational impact occurred. This advisory provides a technical analysis of the incident, the threat actor's profile, the tactics, techniques, and procedures (TTPs) employed, and actionable mitigation strategies for organizations operating in critical infrastructure sectors.
Threat Actor Profile
Sandworm is a notorious Russian APT group, also tracked as APT44, UAC-0113, Seashell Blizzard, and Voodoo Bear. The group is widely assessed to operate under the Russian GRU (military intelligence). Sandworm has a long history of targeting critical infrastructure, particularly in Ukraine and Europe, and is responsible for some of the most disruptive cyberattacks in recent history, including the 2015 and 2016 Ukrainian power grid attacks (using BlackEnergy and Industroyer), the 2017 NotPetya campaign (a wiper disguised as ransomware that spread globally), and multiple wiper attacks during the ongoing Russia-Ukraine conflict. The group is characterized by its use of destructive malware, strong operational security, and a focus on high-impact, politically motivated operations.
Technical Analysis of Malware/TTPs
The primary malware used in the December 2025 attack was DynoWiper, detected by ESET as Win32/KillFiles.NMO. The sample analyzed (SHA-1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6) is a data-wiping tool designed to irreversibly destroy files and render Windows-based hosts inoperable. DynoWiper iterates through the filesystem, destroying files and corrupting system components, so that the affected host cannot be recovered without a rebuild from clean media and backups. This approach is consistent with previous Sandworm wiper campaigns, such as KillDisk, HermeticWiper, and CaddyWiper.
The initial access vector for this campaign has not been publicly disclosed. However, based on Sandworm’s historical TTPs, likely methods include spear-phishing, exploitation of public-facing applications, and the use of stolen credentials. Once inside the target environment, the attackers deployed DynoWiper to both operational technology (OT) and information technology (IT) systems, aiming to maximize disruption.
The attack coincided with the 10th anniversary of Sandworm’s 2015 attack on Ukraine’s power grid, suggesting a symbolic intent and a demonstration of ongoing capability.
Key MITRE ATT&CK techniques observed or suspected in this incident include T1485 (Data Destruction), T1561 (Disk Wipe), T1204 (User Execution), T1190 (Exploit Public-Facing Application), and T1078 (Valid Accounts).
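The destructive behaviour described above (T1485/T1561: one process touching many files across many directories in seconds) is what a host-based detection should key on, because it survives a recompiled sample that a file hash would miss. The following is an added example written for this advisory, not code from ESET, Rescana, or the incident response; the event format, process names, paths and thresholds are all constructed assumptions and should be tuned to the baseline of the monitored host. It runs a sliding-window heuristic over a constructed stream of file events of the kind a Sysmon- or EDR-style sensor emits and flags the process whose write/delete pattern looks like a wiper while ignoring an editor re-saving one document.

```python
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file operation as a host sensor would report it (constructed format)."""
    ts: float      # epoch seconds
    pid: int       # acting process id
    image: str     # acting process image path
    path: str      # file that was written or deleted
    op: str        # "write" or "delete"


# Assumed tunables: a wiper hits hundreds of files a second; these are set low
# so the constructed sample below trips them. Raise them for a real baseline.
WINDOW_SECONDS = 10.0
FILE_THRESHOLD = 20
DIR_THRESHOLD = 3
DESTRUCTIVE_OPS = {"write", "delete"}


def detect_mass_destruction(events, window=WINDOW_SECONDS,
                            file_threshold=FILE_THRESHOLD,
                            dir_threshold=DIR_THRESHOLD):
    """Return one alert per process that writes/deletes at least `file_threshold`
    distinct files spread over at least `dir_threshold` directories within `window`
    seconds. Events are processed in time order so this works on a live stream."""
    history = defaultdict(deque)   # pid -> deque of (ts, path) inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in DESTRUCTIVE_OPS:
            continue
        q = history[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p) for p in files}   # ntpath handles Windows paths on any OS
        if (len(files) >= file_threshold and len(dirs) >= dir_threshold
                and ev.pid not in alerted):
            alerted.add(ev.pid)
            alerts.append({
                "pid": ev.pid,
                "image": ev.image,
                "files": len(files),
                "dirs": len(dirs),
                "first_ts": q[0][0],
                "last_ts": ev.ts,
            })
    return alerts


def sample_events():
    """Constructed telemetry: a benign editor plus a process behaving like a wiper."""
    events = []
    # Benign: an editor re-saving the same document many times (one file, one directory).
    for i in range(30):
        events.append(FileEvent(1000.0 + i * 0.2, 4242,
                                r"C:\Program Files\Editor\editor.exe",
                                r"C:\Users\ops\report.docx", "write"))
    # Suspicious: one process overwriting then deleting files across several
    # directories within about 2.5 seconds. The image name is a placeholder.
    dirs = [r"C:\Users\ops\Documents", r"C:\Users\ops\Desktop",
            r"C:\ProjectData\scada", r"C:\ProjectData\hmi", r"D:\Archive"]
    t = 1010.0
    for i in range(25):
        path = ntpath.join(dirs[i % len(dirs)], f"file{i}.dat")
        events.append(FileEvent(t, 7331, r"C:\Users\Public\svc.exe", path, "write"))
        events.append(FileEvent(t + 0.01, 7331, r"C:\Users\Public\svc.exe", path, "delete"))
        t += 0.1
    return events


if __name__ == "__main__":
    for alert in detect_mass_destruction(sample_events()):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"files={alert['files']} dirs={alert['dirs']} "
              f"span={alert['last_ts'] - alert['first_ts']:.2f}s")
```

Two caveats a practitioner should keep in mind: backup, indexing and disk-cleanup tools can legitimately exceed these thresholds, so a production rule needs an allow-list keyed on signed image paths; and a wiper can split its work across several child processes, in which case the window should be keyed on the process tree rather than the single pid used here.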
Exploitation in the Wild
While the December 2025 attack on Poland’s energy sector was ultimately unsuccessful, it is part of a broader pattern of Sandworm activity targeting European critical infrastructure. Throughout 2025, Sandworm has conducted multiple wiper attacks in Ukraine, deploying malware families such as PathWiper, HermeticWiper, ZEROLOT, and Sting against government, energy, logistics, and agricultural targets. The attempted attack on Poland marks a significant escalation, extending the group’s destructive operations beyond Ukraine and into the European Union.
The Polish incident specifically targeted two CHP plants and a management system for wind and photovoltaic farms. The attack was detected and contained before any operational disruption occurred, thanks to robust monitoring and incident response capabilities within the targeted organizations.
Victimology and Targeting
The primary victims in this campaign were entities within Poland’s energy sector, specifically operators of combined heat and power plants and renewable energy management systems. The selection of these targets aligns with Sandworm’s strategic objective of undermining critical infrastructure to achieve geopolitical aims. The attack’s timing—coinciding with the anniversary of the 2015 Ukrainian blackout—suggests an intent to send a message to both Poland and the broader European community regarding the group’s ongoing capabilities and willingness to escalate.
Historically, Sandworm has focused on Ukraine, but recent campaigns indicate a widening of scope to include other European countries, particularly those supporting Ukraine or perceived as adversaries of Russian interests. The group’s targeting of both traditional and renewable energy assets demonstrates an understanding of the evolving energy landscape and a willingness to disrupt both legacy and modern infrastructure.
Mitigation and Countermeasures
Organizations operating in critical infrastructure sectors should implement a multi-layered defense strategy to mitigate the risk posed by Sandworm and similar threat actors. Key recommendations include:
- Network segmentation should be enforced to isolate critical OT and IT systems from business networks and the public internet, reducing the attack surface and limiting lateral movement opportunities for adversaries.
- Endpoint protection solutions must be deployed and regularly updated to detect and block wiper malware, including signatures for Win32/KillFiles.NMO and related threats.
- Incident response plans should be reviewed and tested, with specific scenarios for destructive malware and wiper attacks, ensuring rapid containment and recovery capabilities.
- User awareness training is essential to reduce the risk of spear-phishing and social engineering attacks, which remain common initial access vectors for APT groups.
- Patch management processes must be rigorous, with prompt application of security updates to all systems, especially those exposed to the internet.
- Access controls should be tightened, enforcing the principle of least privilege and monitoring for anomalous account activity that could indicate credential compromise.
Organizations are also encouraged to monitor for indicators of compromise (IOCs) associated with DynoWiper and other Sandworm tools, including the SHA-1 hash 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 and the ESET detection name Win32/KillFiles.NMO. A file hash matches only that exact sample; a recompiled or repacked variant will not match, so hash sweeps should complement, not replace, behavioural detection of mass file destruction and tested offline backups. Collaboration with national cybersecurity authorities and participation in information sharing initiatives can further enhance situational awareness and collective defense.
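For the IOC sweep recommended above, the following is an added example for this advisory, not a tool from ESET or Rescana. It walks a directory tree, hashes regular files in streaming fashion (so large files do not need to fit in memory), skips symlinks, oversized and unreadable files rather than aborting, and reports any file whose SHA-1 is in the IOC set. The IOC set starts from the published DynoWiper hash; the `demo_sweep` function plants a harmless constructed marker file and adds its hash to the set so the sweep can be exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Published SHA-1 IOC from the advisory (lower-cased for comparison).
# Extend this set with hashes from your own intelligence feeds.
KNOWN_SHA1 = {
    "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",   # DynoWiper sample, ESET Win32/KillFiles.NMO
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 one chunk at a time."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=KNOWN_SHA1, max_size=512 << 20):
    """Walk `root` and return [(path, sha1)] for every regular file whose hash is in `iocs`.
    Files larger than `max_size` bytes, symlinks, and files that cannot be read are skipped
    so one locked or vanishing file does not stop the sweep."""
    wanted = {h.lower() for h in iocs}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file():
                    continue
                if p.stat().st_size > max_size:
                    continue
                digest = sha1_of_file(p)
            except OSError:
                continue   # permission denied, locked, or removed mid-sweep
            if digest in wanted:
                matches.append((str(p), digest))
    return matches


def demo_sweep():
    """Constructed demonstration: plant a benign marker file, add its hash to the IOC
    set, and run the sweep twice (with and without the planted hash)."""
    with tempfile.TemporaryDirectory() as tmp:
        nested = Path(tmp) / "Users" / "Public"
        nested.mkdir(parents=True)
        marker = nested / "marker.bin"
        marker.write_bytes(b"constructed marker file, not malware\n" * 100)
        (Path(tmp) / "other.txt").write_text("unrelated content\n")
        planted_hash = sha1_of_file(marker)
        hits_with_marker = sweep(tmp, KNOWN_SHA1 | {planted_hash})
        hits_published_only = sweep(tmp, KNOWN_SHA1)
        return hits_with_marker, hits_published_only, planted_hash


if __name__ == "__main__":
    hits, _, planted = demo_sweep()
    for path, digest in hits:
        print(f"IOC match: {path} sha1={digest}")
    # Against a real host: python3 sweep.py would be replaced by sweep("C:\\") or sweep("/")
```

Run the sweep from a clean administrative session and record matches with their full path and modification time before touching them; if a match is found, the host should be isolated and imaged rather than cleaned in place, since the interesting evidence is how the wiper got there.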
References
- ESET Research: Sandworm behind cyberattack on Poland's power grid in late 2025
- The Hacker News: New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector
- BleepingComputer: Sandworm hackers linked to failed wiper attack on Poland's energy systems
- MITRE ATT&CK: Sandworm Team (G0034)
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and critical infrastructure. Our advanced threat intelligence and risk management solutions empower clients to proactively defend against emerging threats and ensure operational resilience. For more information about our platform or to discuss how Rescana can support your organization’s cybersecurity strategy, please contact us at ops@rescana.com.