Russian state hackers likely behind wiper malware attack on Poland’s power grid
Summary
Researchers at cybersecurity firm ESET attribute a late‑December cyberattack on Poland’s energy sector to Sandworm, a Russia‑linked advanced persistent threat (APT) group. The intrusion deployed a data‑wiping malware dubbed DynoWiper, intended to erase critical files and disable systems. Polish authorities say the attack was stopped before it caused outages, but it could have cut power to up to half a million people if successful.
The incident targeted communications between many smaller renewable sites — solar farms and wind turbines — and distribution operators across wide areas. ESET says the attack shows strong overlap with previous Sandworm wiper operations and describes the attempt as “unprecedented” for Poland in its disruptive intent. The timing was almost exactly ten years after Sandworm’s 2015 Ukraine blackout operation.
Key Points
- ESET attributes the attack to Sandworm with medium confidence, based on significant overlaps with past wiper activity.
- The malware, called DynoWiper, is a destructive wiper designed to delete files and render systems unusable.
- Polish authorities report the intrusion was thwarted before outages occurred; potential impact could have affected up to ~500,000 people.
- The attack focused on communications between distributed renewable installations (solar and wind) and distribution operators — a shift from previous strikes on large plants or transmission nodes.
- Timing mirrors Sandworm’s December 2015 blackout in Ukraine, suggesting symbolic or repeat tactics tied to the group’s history.
- Polish ministers describe signs of coordinated sabotage and warn that similar attacks may recur; Russia has not commented on the attribution.
Context and Relevance
This is a significant escalation in tactics targeting energy infrastructure: instead of concentrating on big centralised plants, the attack hit many smaller distributed energy resources at once. That makes modern, decentralised grids — increasingly reliant on renewables and distributed communications — a growing attack surface. For policymakers, grid operators and security teams, the incident underlines the need to harden communications links between distributed generation and distribution systems, improve incident detection, and prepare rapid response plans for destructive malware.
Author’s take
Punchy and blunt: this wasn’t mere espionage or data theft — it was a sabotage attempt with real‑world blackout potential. If Sandworm did this, it’s a reminder that state‑grade cyber operations are willing to target civilian infrastructure at scale.
Why should I read this
Because this is the sort of attack that could leave hundreds of thousands without power — and it wasn’t aimed at a single big power station but at lots of smaller renewables. If you work in energy, security, or resilience planning, or just care about reliable power, this explains how attackers are changing tactics and why you should care now rather than later.
Source
https://therecord.media/russia-eset-sandworm-poland-hack
