ESET researchers present technical details on a recent data destruction incident affecting a company in Poland’s energy sector
# Incident Report: DynoWiper Data Destruction Attack on Polish Energy Sector
## Executive Summary
ESET researchers detailed a data destruction incident involving novel malware named **DynoWiper** targeting an energy sector company in Poland. The attack exhibits TTPs closely aligned with the Sandworm threat group, similar to an earlier ZOV wiper incident in Ukraine. The primary impact was data destruction, executed via scheduled tasks following network staging and credential access attempts.
## Incident Details
- Discovery Date: Late 2025 (implied by the context of the earlier report and the analysis date of Jan 30, 2026)
- Incident Date: Late 2025 (Inferred)
- Affected Organization: A company in Poland’s energy sector
- Sector: Energy
- Geography: Poland
## Timeline of Events
*Note: Specific dates are not provided in the source article for this specific incident, so timeline progression is based on observed attacker stages.*
### Initial Access
- Date/Time: Unknown
- Vector: Not explicitly detailed for DynoWiper access, but subsequent activity suggests remote staging.
- Details: Attacker activity strongly suggests preparation for destructive action.
### Lateral Movement
- Vector: Not explicitly detailed, but the use of tools like Rubeus and rsocx implies established command and control (C2) and reconnaissance.
- Details: Attackers attempted to download tools (Rubeus, rsocx) potentially to facilitate internal reconnaissance and establish proxies.
### Data Exfiltration/Impact
- Vector: Deployment of DynoWiper malware.
- Details: DynoWiper overwrote the contents of files across local storage and initiated system reboots after the wiping process was complete, leading to data destruction.
### Detection & Response
- Date/Time: Unknown (Detection post-analysis by ESET researchers)
- Vector: Undiscovered initially or reported after the destructive event.
- Details: ESET researchers identified the new malware (DynoWiper) and provided technical details. Response actions taken by the victim entity are not detailed in this summary.
## Attack Methodology
| MITRE ATT&CK Phase | Technique Implemented | Details |
| :--- | :--- | :--- |
| **Initial Access** | (Not specified) | Related activity suggests potential staged access leveraging C2 infrastructure. |
| **Persistence** | T1053.005 (Scheduled Task/Job) | DynoWiper was executed using Windows scheduled tasks. |
| **Privilege Escalation** | (Not specified) | Implied, necessary to execute core wiper functions. |
| **Defense Evasion** | (Implied) | Sandworm routinely modifies malware to avoid existing detections. |
| **Credential Access** | T1003.001 (OS Credential Dumping: LSASS Memory) | Attackers attempted to dump LSASS process memory using Task Manager. |
| **Discovery** | T1083 (File and Directory Discovery), T1680 (Local Storage Discovery), T1082 (System Info Discovery), T1124 (System Time Discovery) | Used to locate and identify files/directories and additional disks for wiping, and gather system version/time. |
| **Lateral Movement** | (Implied via C2 setup) | Inferred from tool transfers; similar to ZOV wiper using shell commands via cmd.exe. |
| **Collection** | T1083 (File and Directory Discovery) | Searching for target files and directories to wipe. |
| **Exfiltration** | (Not used for data theft; C2 infrastructure was staged) | T1090.002 (Proxy: External Proxy): `rsocx` was used in an attempted connection to an external proxy. |
| **Impact** | T1561.001 (Disk Wipe: Disk Content Wipe), T1529 (System Shutdown/Reboot) | Overwriting file contents and forcing system reboots. |
## Impact Assessment
- Financial: Not quantified in the source.
- Data Breach: Data destruction occurred; specific types/volume unknown, but operational systems targeted.
- Operational: Significant disruption expected due to data wiping and mandatory system reboots in critical energy infrastructure.
- Reputational: Potentially high, given the targeting of critical infrastructure in Poland.
## Indicators of Compromise
*Note: No specific, defanged IoCs (IPs, domains, hashes) were provided in the excerpt, only generalized techniques.*
- Network indicators: Attempted connection with an external proxy using `rsocx`.
- File indicators: DynoWiper malware, PowerShell scripts used for deployment.
- Behavioral indicators: Execution via scheduled tasks (T1053.005), LSASS memory dumping attempts.
## Response Actions
- Containment: Not specified by the victim.
- Eradication: Not specified by the victim.
- Recovery: Not specified by the victim; restoration from backups is the implied recovery path following data destruction.
## Lessons Learned
- Consistency of Adversary Tradecraft: The TTPs closely resemble known Sandworm activity (e.g., the ZOV wiper), indicating consistent tradecraft used by the actor group.
- Malware Diversity: Sandworm frequently evolves its destructive toolset (switching from Industroyer to DynoWiper/ZOV) to evade security solutions.
## Recommendations
- Enhance protective measures against known Sandworm TTPs, specifically focusing on hardening execution environments against PowerShell and scheduled task abuse.
- Review and test offline, verified backups immediately following any signs of intrusion, especially in critical infrastructure, given the high probability of intentional data destruction.
- Proactively monitor for credential dumping activities targeting LSASS memory.
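The behavioral indicators listed above (scheduled tasks launching PowerShell, LSASS memory access from Task Manager, and an outbound connection by `rsocx`) map directly onto detection rules. The following Python sketch is an added example, not code from ESET or from the report; it runs those three checks over a handful of constructed Windows Security (4698) and Sysmon (3, 10) style event records and then correlates hits per host, so a host showing several precursor techniques can be escalated before a wipe lands. The normalised field names, the LSASS allowlist and every sample value are assumptions for the demo and would be tuned per environment.

```python
"""Added example (not part of the ESET report): detection logic for the
DynoWiper precursor behaviours over constructed Windows/Sysmon-style events.
Field names mimic what a SIEM would expose for Security 4698 (task created)
and Sysmon 3 (network connection) / 10 (process access); all values are made up."""
import re

# Constructed sample telemetry (not real logs). One benign twin per suspicious
# record so the rules have something to leave alone.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4698, "host": "ws-01",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\Cleanup",
     "task_content": ("<Exec><Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0"
                      "\\powershell.exe</Command><Arguments>-ExecutionPolicy Bypass "
                      "-File C:\\ProgramData\\run.ps1</Arguments></Exec>")},
    {"source": "Security", "event_id": 4698, "host": "ws-01",
     "task_name": "\\Backup\\Nightly",
     "task_content": "<Exec><Command>C:\\Tools\\backup.exe</Command></Exec>"},
    {"source": "Sysmon", "event_id": 10, "host": "ws-01",
     "source_image": "C:\\Windows\\System32\\Taskmgr.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
    {"source": "Sysmon", "event_id": 10, "host": "ws-02",
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1400"},
    {"source": "Sysmon", "event_id": 3, "host": "ws-01",
     "image": "C:\\Users\\Public\\rsocx.exe", "dest_ip": "203.0.113.10",
     "dest_port": 443, "initiated": True},
    {"source": "Sysmon", "event_id": 3, "host": "ws-02",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_ip": "198.51.100.5", "dest_port": 443, "initiated": True},
]

# Task actions that invoke PowerShell in any form (powershell.exe, pwsh).
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
# Processes that legitimately open lsass.exe on a typical host. Assumption for
# the demo: Task Manager is deliberately NOT here, since the report describes
# it being used to dump LSASS memory, and a signed Microsoft binary is no
# reason to trust the handle request.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# Tool names the report associates with the intrusion's proxy setup.
SUSPECT_PROXY_TOOLS = {"rsocx.exe"}


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matching event, tagged with the ATT&CK ID."""
    alerts = []
    for ev in events:
        src, eid = ev["source"], ev["event_id"]
        if src == "Security" and eid == 4698:
            # T1053.005: scheduled task whose action launches PowerShell.
            if POWERSHELL_RE.search(ev.get("task_content", "")):
                alerts.append({"host": ev["host"], "technique": "T1053.005",
                               "reason": f"task {ev['task_name']} launches PowerShell"})
        elif src == "Sysmon" and eid == 10:
            # T1003.001: any non-allowlisted process opening a handle to lsass.exe.
            if (_basename(ev["target_image"]) == "lsass.exe"
                    and _basename(ev["source_image"]) not in LSASS_ALLOWLIST):
                alerts.append({"host": ev["host"], "technique": "T1003.001",
                               "reason": (f"{_basename(ev['source_image'])} opened lsass.exe "
                                          f"with access {ev['granted_access']}")})
        elif src == "Sysmon" and eid == 3:
            # T1090.002: known proxy tool initiating an outbound connection.
            if ev.get("initiated") and _basename(ev["image"]) in SUSPECT_PROXY_TOOLS:
                alerts.append({"host": ev["host"], "technique": "T1090.002",
                               "reason": (f"{_basename(ev['image'])} connected to "
                                          f"{ev['dest_ip']}:{ev['dest_port']}")})
    return alerts


def correlate(alerts, min_techniques=2):
    """Hosts on which at least `min_techniques` distinct techniques fired,
    mapped to the sorted list of those techniques. A host stacking several
    wiper precursors is the one to isolate and check backups for first."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["technique"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['technique']}] {h['host']}: {h['reason']}")
    print("escalate:", correlate(hits))
```

In the constructed sample, `ws-01` trips all three rules while `ws-02` (a system process touching LSASS and a browser making an HTTPS connection) stays quiet; in practice the allowlist and the proxy-tool set are the parts that need local tuning, and the correlation threshold is what keeps a single noisy rule from paging anyone.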