Sandworm Deploys New 'DynoWiper' Malware in Failed Attack on Polish Power Grid

Russian State-Sponsored Group Sandworm Linked to 'DynoWiper' Attack on Poland's Energy Infrastructure

Severity: CRITICAL
January 25, 2026
Topics: Cyberattack, Threat Actor, Malware


Full Report

Executive Summary

The notorious Russian state-sponsored threat actor Sandworm was responsible for a significant cyberattack targeting Poland's energy infrastructure in late December 2025. According to Poland's energy minister, the attack was the 'strongest' in years but was ultimately unsuccessful in causing disruption. Security researchers at ESET analyzed the incident and attributed it to Sandworm, revealing the deployment of a new destructive wiper malware dubbed DynoWiper. The use of wiper malware against critical infrastructure is a hallmark of Sandworm, known for its previous attacks on Ukraine's power grid. This event highlights the persistent and evolving threat posed by nation-state actors to critical national infrastructure in Europe.
Threat Overview

This incident represents a direct, state-sponsored attempt to disrupt the critical energy sector of a NATO country. The attack, while failing to achieve its ultimate objective of a power outage, demonstrates the adversary's intent and capability.

Threat Actor: Sandworm

  • Attribution: Unit 74455 of Russia's GRU (Main Intelligence Directorate).
  • Known For: Highly destructive attacks, particularly against Ukraine, including the 2015 and 2016 power grid attacks and the NotPetya outbreak.
  • Primary Objective: Disruption, destruction, and psychological operations, often in support of Russia's military and geopolitical goals.
  • TTPs: Specializes in attacks on Industrial Control Systems (ICS) and Operational Technology (OT) environments. Frequently develops and deploys custom wiper malware.

Malware: DynoWiper

  • Type: Wiper Malware.
  • Function: Designed to destroy data on infected systems, rendering them inoperable and corrupting critical system files to disrupt operations.
  • Novelty: A previously undocumented malware family, indicating Sandworm's continued investment in developing new offensive tools.

Technical Analysis

While specific details about DynoWiper's functionality are still emerging, attacks by Sandworm on energy infrastructure typically follow a multi-stage pattern.

Inferred Attack Lifecycle & MITRE ATT&CK Techniques

  1. Initial Access: Sandworm often uses phishing campaigns (T1566) or exploits on public-facing applications (T1190) to gain a foothold in the IT network of the target organization.
  2. Persistence & Discovery: The group establishes persistence and begins reconnaissance to understand the network architecture, looking for pathways from the IT network to the highly sensitive OT network.
  3. Lateral Movement: Attackers move through the network, escalating privileges (T1068) and compromising key systems, such as Human-Machine Interfaces (HMIs) and engineering workstations.
  4. Impact: Once in position within the OT network, the final payload is deployed. In this case, DynoWiper would be executed to achieve its destructive goal (T1485 - Data Destruction). For power grids, this could also involve manipulating legitimate ICS protocols and software (T0885 - Inhibit Response Function) to cause a physical disruption.

Impact Assessment

Although the attack was unsuccessful, its potential impact would have been catastrophic. A successful wiper attack on a national power grid could lead to:

  • Widespread Power Outages: Affecting millions of citizens and businesses, crippling daily life and the economy.
  • Disruption of Critical Services: Hospitals, water treatment facilities, transportation, and communications systems would all be impacted.
  • Economic Damage: Significant financial losses due to business interruption and the high cost of recovery and system restoration.
  • National Security Crisis: A successful attack on the critical infrastructure of a NATO member could be considered an act of war, leading to severe geopolitical escalation.

The failure of the attack is a testament to the defensive capabilities of Poland's cybersecurity forces but serves as a stark warning of the adversary's intent.

Cyber Observables for Detection

Hunting for wiper activity requires monitoring for destructive behaviors.

Type: process_name
Value: vssadmin.exe delete shadows /all /quiet
Description: Command used to delete Volume Shadow Copies to prevent system recovery; a key precursor to wiper execution.

Type: file_name
Value: mbr.bin
Description: Wiper malware often carries a payload to overwrite the Master Boot Record (MBR).

Type: command_line_pattern
Value: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Description: Command to prevent the system from entering automatic recovery, ensuring the destructive payload runs.

Type: log_source
Value: OT Network Logs
Description: Monitor for unusual commands or connections to PLCs, RTUs, or other ICS/SCADA devices from non-standard workstations.

Detection & Response

  • Detection: In OT environments, detection must focus on behavioral anomalies. Monitor for any unauthorized access to engineering workstations or HMIs. Use network security monitoring to detect unusual protocols or connections between the IT and OT network segments. On endpoints, look for the precursors to wiper attacks, such as the deletion of backups or shadow copies. D3FEND techniques like D3-PA: Process Analysis are crucial for spotting suspicious command-line activity.
  • Response: An OT-specific incident response plan is critical. This includes processes for safely disconnecting affected segments of the OT network to prevent the spread of malware without causing physical instability. Isolate compromised systems and engage national cybersecurity authorities immediately.
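As an added example (not code from the article or from ESET's analysis), the following Python applies the observables listed above and the endpoint guidance in the Detection bullet to constructed Sysmon-style event lines, normalising the command line so case and spacing differences do not evade the match, and escalates hosts on which more than one precursor fires. Host names, user names, paths and the field=value log format are assumptions.

```python
import re

# Constructed Sysmon-style events (field=value, quoted where needed); hosts, users and paths are made up.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" User=CORP\svc_hmi Host=ENG-WS-01',
    r'EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe  /set {default} bootstatuspolicy ignoreallfailures" User=CORP\svc_hmi Host=ENG-WS-01',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" User=CORP\backup Host=BK-01',
    r'EventID=11 Image=C:\Users\Public\update.exe TargetFilename=C:\Users\Public\mbr.bin Host=ENG-WS-01',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (rule name, ATT&CK technique, event field, pattern applied to the normalised field value)
RULES = [
    ("shadow_copy_deletion", "T1490", "CommandLine",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("boot_recovery_disabled", "T1490", "CommandLine",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("mbr_payload_written", "T1485", "TargetFilename",
     re.compile(r"(?:^|\\)mbr\.bin$")),
]

def parse_event(line):
    """Split a field=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def normalise(value):
    """Case-fold and collapse whitespace so mixed case or padded spacing cannot dodge the pattern."""
    return " ".join(value.lower().split())

def detect(lines):
    """Return one alert per (event, rule) match."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for name, technique, field, pattern in RULES:
            if pattern.search(normalise(event.get(field, ""))):
                alerts.append({"host": event.get("Host", "?"), "user": event.get("User", "?"),
                               "rule": name, "technique": technique})
    return alerts

def hosts_with_precursor_chain(alerts):
    """Hosts on which two or more distinct rules fired: recovery inhibition plus a staged payload
    is the pattern that precedes wiper execution, so escalate these ahead of any single hit."""
    per_host = {}
    for alert in alerts:
        per_host.setdefault(alert["host"], set()).add(alert["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= 2)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("escalate:", hosts_with_precursor_chain(found))
```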

Mitigation

Defending critical infrastructure requires a defense-in-depth approach.

  1. Network Segmentation: Strictly enforce segmentation between IT and OT networks using a DMZ. All traffic between the two should be inspected and restricted. This is the most critical mitigation, aligning with D3FEND's D3-NI: Network Isolation.
  2. Access Control: Implement strict access controls and privileged account management for all systems, especially in the OT environment. Use MFA wherever possible.
  3. Resilience and Recovery: Maintain offline, tested backups of critical systems and configurations. A wiper attack's goal is destruction, so the ability to restore from a known-good state is paramount.
  4. Endpoint Hardening: Harden all endpoints, particularly critical servers and workstations in the OT network. Disable unnecessary services, implement application allowlisting, and use modern EDR solutions.

Timeline of Events

  1. December 1, 2025: Sandworm launches a major cyberattack against Poland's energy infrastructure.
  2. January 25, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Crucial for protecting OT environments by preventing lateral movement from IT networks.
  • Essential for recovery from a destructive wiper attack. Backups must be isolated and immutable.
  • Continuously monitor traffic between IT and OT segments to detect anomalous and unauthorized activity.
  • On critical OT systems, only allow known-good applications to execute, preventing the execution of wiper malware.

D3FEND Defensive Countermeasures

The primary defense against attacks targeting OT systems like Poland's power grid is strict network isolation and segmentation. Implement a robust Purdue Model architecture, using a demilitarized zone (DMZ) to separate the corporate IT network from the sensitive OT network. All communication between IT and OT must be explicitly brokered through the DMZ, with traffic inspected by firewalls that enforce a 'default-deny' rule set. This prevents threat actors like Sandworm, who typically gain initial access in the IT environment, from easily moving laterally to compromise critical control systems. By creating this chokepoint, defenders can heavily monitor the limited allowed traffic for anomalies and block unauthorized protocols like SMB or RDP from ever reaching the OT side.
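To make the brokered, default-deny model concrete, here is an added Python check (not from the article or any firewall product) that evaluates a constructed zone-to-zone rule set top-down with first match winning, and flags allow rules that bypass the DMZ, carry SMB or RDP toward OT, or leave the set without a final default-deny. Zone names, ports, the rule format and the sample rules are assumptions; wildcard zones are treated as reaching OT, which goes slightly beyond the text.

```python
# Zone labels of the simplified IT / DMZ / OT layout (assumed labels, not a vendor format).
IT, DMZ, OT, ANY = "IT", "DMZ", "OT", "*"

# Services the text says must never reach the OT side, keyed by TCP port.
DENIED_TO_OT = {445: "SMB", 3389: "RDP"}

# Constructed rule set, evaluated top-down, first match wins: (src_zone, dst_zone, dst_port, action).
SAMPLE_RULES = [
    (IT, DMZ, 443, "allow"),    # IT users read the historian replica hosted in the DMZ
    (DMZ, OT, 502, "allow"),    # the DMZ collector polls OT devices over Modbus/TCP
    (IT, OT, 3389, "allow"),    # violates the model: direct RDP from IT into OT
    (DMZ, OT, 445, "allow"),    # violates the model: SMB toward OT, even from the broker zone
    (ANY, ANY, ANY, "deny"),    # explicit default-deny catch-all
]

def decide(rules, src, dst, port):
    """Action the rule set takes for a flow; anything unmatched is implicitly denied."""
    for rule_src, rule_dst, rule_port, action in rules:
        if rule_src in (src, ANY) and rule_dst in (dst, ANY) and rule_port in (port, ANY):
            return action
    return "deny"

def audit(rules):
    """Findings for allow rules that bypass the DMZ, carry SMB/RDP into OT, or lack a default-deny."""
    findings = []
    for index, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        it_to_ot = src in (IT, ANY) and dst in (OT, ANY)
        ot_to_it = src in (OT, ANY) and dst in (IT, ANY)
        if it_to_ot or ot_to_it:
            findings.append(f"rule {index}: direct {src}->{dst} flow bypasses the DMZ broker")
        if dst in (OT, ANY) and port in DENIED_TO_OT:
            findings.append(f"rule {index}: {DENIED_TO_OT[port]} (tcp/{port}) must not reach OT")
    if not rules or rules[-1] != (ANY, ANY, ANY, "deny"):
        findings.append("rule set does not end with an explicit default-deny")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```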

Given that the goal of DynoWiper is destruction, a resilient backup and recovery strategy is non-negotiable. Maintain regular, tested, and offline backups for all critical systems in the OT environment, including HMI configurations, PLC logic, and engineering workstation images. These backups must be 'air-gapped' or stored on immutable storage to protect them from being deleted or encrypted by the attacker as part of the attack chain (e.g., T1490 - Inhibit System Recovery). A robust recovery plan allows the organization to restore operations from a known-good state, transforming a potentially catastrophic, months-long outage into a more manageable recovery event. This is the ultimate safety net against destructive attacks.

On critical OT endpoints like engineering workstations and HMIs, which typically have a static and predictable set of required software, implement application allowlisting. This control prevents any unauthorized executable, such as the DynoWiper payload, from running. By defining a strict list of approved applications and scripts, the attack surface is dramatically reduced. Even if an attacker manages to drop the malware onto the system, it will be blocked from executing. This is a powerful hardening technique that is highly effective in the stable, controlled environments characteristic of industrial control systems.

Sources & References

The Hacker News (thehackernews.com), January 24, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Sandworm, DynoWiper, wiper malware, critical infrastructure, Poland, Russia, nation-state, ICS, OT
