SecurityWeek reports that, according to ESET, the Russian state-sponsored APT known as Sandworm was behind the December 2025 cyberattack targeting Poland’s power grid. Poland’s energy infrastructure, including two combined heat and power plants and a renewable energy management system, was targeted on 29-30 December 2025, with officials blaming Russia for the assault.
ESET described the December incident as the largest cyberattack against Poland in years, though it was thwarted before causing a blackout or disrupting critical infrastructure. The attack followed Sandworm’s established pattern of wiper-style operations, and the malware used was dubbed DynoWiper (Win32/KillFiles[.]NMO); no technical details were released publicly.
Sandworm has been active since at least 2009 and is believed to be associated with Russia’s GRU military unit 74455, with the group also known by several aliases including APT44, BlackEnergy Lite, Seashell Blizzard, Telebots, and Voodoo Bear.