Recent investigations have identified the Russia-linked hacking group Sandworm as the culprit behind a December attempt to disrupt Poland's electrical grid using destructive data-wiping malware. While Polish authorities successfully thwarted the operation before any outages occurred, officials warned the attack could have potentially left half a million people without power.
The cybersecurity firm ESET recently revealed that the attempted sabotage involved a specific type of malware known as DynoWiper, which is designed to delete essential files and disable computer systems. Analysts linked the incident to the Russian military intelligence group Sandworm with medium confidence, citing significant similarities to the group’s previous destructive campaigns. Although the attack failed to cause a blackout, experts described the attempt as an unprecedented escalation in the scale and intent of cyber operations targeting Poland.
The timing of the incident appeared to be a deliberate callback to the group's history, occurring almost exactly ten years after Sandworm carried out the first known malware-induced power outage in Ukraine. That 2015 attack successfully cut electricity to hundreds of thousands of people, marking a major milestone in cyber warfare. By targeting Poland late last year, the group demonstrated its continued focus on disrupting critical infrastructure within Europe, particularly in nations supporting Ukraine.
Polish Energy Minister Milosz Motyka characterized the event as the most significant strike against the country's energy infrastructure in several years. The hackers specifically targeted the communication lines between renewable energy sources, such as wind turbines and solar farms, and the regional distribution operators. This strategy differed from typical attacks on massive power plants, focusing instead on a coordinated effort to disrupt numerous smaller energy installations simultaneously across a broad geographic area.
Government officials in Poland noted that the country came dangerously close to a widespread blackout and interpreted the event as a sign of a highly coordinated sabotage campaign. Digital Affairs Minister Krzysztof Gawkowski had previously suspected Russian involvement even before the formal technical reports were released. While Russia has historically denied involvement in such activities, the sophisticated nature of the malware suggests a state-sponsored actor with significant resources and technical expertise.
Sandworm has been active for over a decade and remains one of the most prolific threats to global energy security. The group has been central to Russia’s digital offensive during the war in Ukraine, having targeted nearly twenty energy facilities in that country during 2024 alone. As Poland continues to bolster its defenses, officials expect that this type of aggressive cyber activity will likely recur as geopolitical tensions remain high across the region.
Source: Russian State Hackers Likely Behind Wiper Attack On Poland's Power Grid

Solid breakdown of the Sandworm attack. The shift to targeting renewable energy comm lines instead of traditional power plants is honestly a smart tactical move since smaller distributed systems are harder to defend uniformly. Having worked in infrastructure security briefly, I've seen how grid operators often overlook these peripheral connections. This kind of distributed targeting could become the playbook for future attacks on decentralized energy setups.