RESEARCHERS attributed the destructive Dec 2025 wiper attack on Poland’s energy grid to the Russian APT Sandworm, a group long associated with disruption of critical infrastructure. Attackers targeted two combined heat and power plants and a system enabling the management of electricity generated from renewables on 29 and 30 December 2025, according to an announcement on Prime Minister Donald Tusk’s website.
The government said the attack failed and there was no blackout or other negative consequences, and while it did not name Sandworm in that statement, it pointed to the Russian government as the likely party responsible. On 23 January 2026, security firm ESET attributed the incident to Sandworm with medium confidence, describing “a strong overlap with numerous previous Sandworm wiper activity” and naming the malware DynoWiper, which ESET security solutions detect as Win32/KillFiles[.]NMO.
The report notes that the December attack occurred on the 10th anniversary of Sandworm’s BlackEnergy operation against Ukraine’s power grid. according to ESET, DynoWiper was involved, though Dark Reading has sought additional technical details.