VYPR
Breach · Published Jan 23, 2026 · Updated May 18, 2026 · 1 source

ESET Links Sandworm APT to Late-2025 Attack on Poland's Power Grid with Novel DynoWiper Malware

ESET Research has attributed a late-2025 cyberattack on Poland's power grid to the Russia-aligned Sandworm APT group, which deployed a new data-wiping malware named DynoWiper on the 10th anniversary of Sandworm's 2015 BlackEnergy attack on Ukraine.

ESET Research has publicly attributed a late-2025 cyberattack on Poland's power grid to the Russia-aligned advanced persistent threat (APT) group known as Sandworm. The attack, which targeted a company in Poland's energy sector, involved a previously unseen data-wiping malware that ESET has named DynoWiper. According to ESET's analysis, the incident occurred in the last week of December 2025 and has been described as the largest cyberattack targeting Poland in years.

The malware, detected by ESET security solutions as Win32/KillFiles.NMO, is a wiper designed to destroy data on infected systems. ESET researchers stated that they attribute the attack to Sandworm with medium confidence, citing a strong overlap in tactics, techniques, and procedures (TTPs) with numerous previous Sandworm wiper campaigns. Crucially, ESET noted that they are not aware of any successful disruption occurring as a result of the attack, suggesting that the wiper may have been contained before causing a blackout.

The timing of the attack is particularly significant: it occurred on the 10th anniversary of Sandworm's infamous 2015 BlackEnergy attack on Ukraine's power grid, which resulted in the first-ever malware-facilitated blackout, leaving approximately 230,000 people without electricity. This historical context underscores Sandworm's enduring focus on disrupting critical infrastructure, particularly in Eastern Europe. ESET's latest APT Activity Report, covering April to September 2025, had already noted that Sandworm was conducting wiper attacks against targets in Ukraine on a regular basis.

While the full intended impact of the DynoWiper attack is still under investigation, the incident highlights the persistent threat posed by state-sponsored hacking groups to energy infrastructure. Poland, a key NATO member and neighbor to Ukraine, has been a frequent target of Russian cyber operations. The attack also demonstrates Sandworm's continued evolution: the group's malware arsenal now includes DynoWiper alongside its well-known tools like BlackEnergy and Industroyer.

ESET's findings were published on January 23, 2026, and include indicators of compromise (IoCs), such as the SHA-1 hash of the DynoWiper sample. The research provides critical intelligence for defenders in the energy sector and reinforces the need for robust network segmentation, endpoint detection, and incident response capabilities to counter such targeted wiper attacks.

Synthesized by Vypr AI