Major Cyber Attack on Poland’s Power System by Sandworm
Background of the Attack
In late December 2025, Poland faced what has been characterized as one of the most significant cyber assaults on its electrical infrastructure. Attributed to the Russian hacking group known as Sandworm, this incident raised considerable alarm over the security of critical systems within the country. Energy Minister Milosz Motyka confirmed that, although the attack did not succeed, it represented a serious threat to the nation’s energy grid.
Unfolding Events
On December 29, 2025, two combined heat and power (CHP) plants and a system managing electricity from renewable sources were specifically targeted. This raised suspicions of a concerted effort by groups linked to Russian state services. Prime Minister Donald Tusk emphasized the seriousness of the incident and announced that additional security measures were forthcoming. These included proposed cybersecurity legislation aimed at tightening regulations around risk management and the protection of both information and operational technology systems.
Technical Details of the Attack
The cybersecurity research firm ESET provided insights into the attack, revealing that it involved a previously unknown wiper malware dubbed DynoWiper. This malware was linked to previous operations by Sandworm, particularly following Russia’s military involvement in Ukraine starting in February 2022. ESET reported that, despite the sophistication of the attack, there was no evidence indicating successful disruption of services.
Historical Context
Interestingly, the timing of this attack coincided with the tenth anniversary of a notorious incident in December 2015 when Sandworm successfully targeted Ukraine’s power grid. That earlier attack, utilizing BlackEnergy malware, caused widespread power outages affecting over 230,000 residents in Ivano-Frankivsk for several hours. Such historical precedents add weight to the ongoing concerns about Sandworm’s persistent threat to critical infrastructure.
A Continued Threat
ESET noted that Sandworm has a well-documented history of launching aggressive cyber operations against Ukraine’s key infrastructure. In June 2025, Cisco Talos reported that a previously unseen malware, termed PathWiper, was used to target a critical infrastructure entity in Ukraine. This malware showed functional similarities to Sandworm’s HermeticWiper, hinting at a growing arsenal of disruptive tools.
Broader Impacts and Reactions
Since June 2025, Sandworm’s activities have extended to various sectors within Ukraine, including government, energy, logistics, and agriculture. Notable cases involved the deployment of several data-wiping malware variants aimed at crippling networks and services essential for these sectors. This trajectory highlights the ongoing risk not just for Poland but for any country with critical infrastructure.
Government Response
In response to this alarming event, the Polish government is committed to enhancing its cybersecurity framework. The impending legislation aims to enforce stricter requirements for risk management and incident response protocols. Such measures are critical as cyber threats continue to evolve, and nations must remain vigilant to protect their essential services.
Conclusion
As new threats emerge in the ever-changing landscape of cybersecurity, the incident involving Sandworm serves as a reminder of the vulnerabilities inherent in critical infrastructure. Continuous adaptation and proactive measures are essential for safeguarding against potential attacks that could have severe consequences for national security and public safety.


