Russian State-Sponsored Group Sandworm Linked to 'DynoWiper' Attack on Poland's Energy Infrastructure

Executive Summary

The notorious Russian state-sponsored threat actor Sandworm was responsible for a significant cyberattack targeting Poland's energy infrastructure in late December 2025. According to Poland's energy minister, the attack was the 'strongest' in years but was ultimately unsuccessful in causing disruption. Security researchers at ESET analyzed the incident and attributed it to Sandworm, revealing the deployment of a new destructive wiper malware dubbed DynoWiper. The use of wiper malware against critical infrastructure is a hallmark of Sandworm, known for its previous attacks on Ukraine's power grid. This event highlights the persistent and evolving threat posed by nation-state actors to critical national infrastructure in Europe.

Threat Overview

This incident represents a direct, state-sponsored attempt to disrupt the critical energy sector of a NATO country. The attack, while failing to achieve its ultimate objective of a power outage, demonstrates the adversary's intent and capability.

Threat Actor: Sandworm

• Attribution: Unit 74455 of Russia's GRU (Main Intelligence Directorate).
• Known For: Highly destructive attacks, particularly against Ukraine, including the 2015 and 2016 power grid attacks and the NotPetya outbreak.
• Primary Objective: Disruption, destruction, and psychological operations, often in support of Russia's military and geopolitical goals.
• TTPs: Specializes in attacks on Industrial Control Systems (ICS) and Operational Technology (OT) environments. Frequently develops and deploys custom wiper malware.

Malware: DynoWiper

• Type: Wiper Malware.
• Function: Designed to destroy data on infected systems, rendering them inoperable and corrupting critical system files to disrupt operations.
• Novelty: A previously undocumented malware family, indicating Sandworm's continued investment in developing new offensive tools.

Technical Analysis

While specific details about DynoWiper's functionality are still emerging, attacks by Sandworm on energy infrastructure typically follow a multi-stage pattern.

Inferred Attack Lifecycle & MITRE ATT&CK Techniques

1. Initial Access: Sandworm often uses phishing campaigns (T1566) or exploits on public-facing applications (T1190) to gain a foothold in the IT network of the target organization.
2. Persistence & Discovery: The group establishes persistence and begins reconnaissance to understand the network architecture, looking for pathways from the IT network to the highly sensitive OT network.
3. Lateral Movement: Attackers move through the network, escalating privileges (T1068) and compromising key systems, such as Human-Machine Interfaces (HMIs) and engineering workstations.
4. Impact: Once in position within the OT network, the final payload is deployed. In this case, DynoWiper would be executed to achieve its destructive goal (T1485 - Data Destruction). For power grids, this could also involve manipulating legitimate ICS protocols and software (T0885 - Inhibit Response Function) to cause a physical disruption.

Impact Assessment

Although the attack was unsuccessful, the potential impact was catastrophic. A successful wiper attack on a national power grid could lead to:

• Widespread Power Outages: Affecting millions of citizens and businesses, crippling daily life and the economy.
• Disruption of Critical Services: Hospitals, water treatment facilities, transportation, and communications systems would all be impacted.
• Economic Damage: Significant financial losses due to business interruption and the high cost of recovery and system restoration.
• National Security Crisis: A successful attack on the critical infrastructure of a NATO member could be considered an act of war, leading to severe geopolitical escalation.

The failure of the attack is a testament to the defensive capabilities of Poland's cybersecurity forces but serves as a stark warning of the adversary's intent.

Cyber Observables for Detection

Hunting for wiper activity requires monitoring for destructive behaviors.

Detection & Response

• Detection: In OT environments, detection must focus on behavioral anomalies. Monitor for any unauthorized access to engineering workstations or HMIs. Use network security monitoring to detect unusual protocols or connections between the IT and OT network segments. On endpoints, look for the precursors to wiper attacks, such as the deletion of backups or shadow copies. D3FEND techniques like D3-PA: Process Analysis are crucial for spotting suspicious command-line activity.
• Response: An OT-specific incident response plan is critical. This includes processes for safely disconnecting affected segments of the OT network to prevent the spread of malware without causing physical instability. Isolate compromised systems and engage national cybersecurity authorities immediately.

Mitigation

Defending critical infrastructure requires a defense-in-depth approach.

1. Network Segmentation: Strictly enforce segmentation between IT and OT networks using a DMZ. All traffic between the two should be inspected and restricted. This is the most critical mitigation, aligning with D3FEND's D3-NI: Network Isolation.
2. Access Control: Implement strict access controls and privileged account management for all systems, especially in the OT environment. Use MFA wherever possible.
3. Resilience and Recovery: Maintain offline, tested backups of critical systems and configurations. A wiper attack's goal is destruction, so the ability to restore from a known-good state is paramount.
4. Endpoint Hardening: Harden all endpoints, particularly critical servers and workstations in the OT network. Disable unnecessary services, implement application allowlisting, and use modern EDR solutions.