Russian state hackers likely behind wiper malware attack on Poland’s power grid
A major cyberattack that nearly cut electricity to hundreds of thousands of people in Poland late last year was reportedly carried out by Sandworm, a Russia-linked hacking group known for targeting power grids, researchers have determined.
The attack in late December involved data-wiping malware dubbed DynoWiper, the analysts at cybersecurity firm ESET said. Wipers are designed to destroy critical files and render systems unusable.
“We attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activities we analyzed,” ESET wrote in a report, adding that it was not aware of any successful disruption resulting from the attack.
Polish authorities said earlier in January that the incident was thwarted before it caused power outages, but warned that, if successful, it could have cut electricity to as many as half a million people.
In a comment to American cybersecurity journalist Kim Zetter, ESET said the attempted attack on Poland was “unprecedented,” noting that previous cyber incidents targeting the country had not been disruptive “in nature or intent.”
The timing of the attack was also symbolic. Researchers said the incident took place almost exactly a decade after Sandworm’s December 2015 cyberattack on Ukraine’s power grid — the first known blackout caused by malware — which left around 230,000 people without electricity.
Polish Energy Minister Miłosz Motyka, who called the incident “the largest attack on energy infrastructure in years,” said the hackers targeted communications between renewable energy installations — including solar farms and wind turbines — and electricity distribution operators across large parts of the country.
Unlike earlier cyber incidents focused on large power plants or transmission networks, the attack appeared to strike many smaller power sources at once. According to Motyka, Poland has not seen this type of attack before but expects it to happen again.
Digital Affairs Minister Krzysztof Gawkowski said the incident came “very close to a blackout” and showed signs of a coordinated sabotage campaign. He had earlier pointed to suspected Russian involvement, even before ESET released its findings. Russia has not commented on the attribution but has previously denied such accusations.
Sandworm, which researchers have linked to Russia’s military intelligence, has been active since at least 2013 and is responsible for some of Moscow’s most high-profile destructive cyberattacks. The group has played a central role in cyber operations linked to Russia’s war in Ukraine, including attacks on nearly 20 Ukrainian energy facilities in 2024, Kyiv said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



