The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiper
# Incident Report: Sandworm Attack on Poland's Power Grid using DynoWiper
## Executive Summary
In late 2025, Poland's energy system was targeted in a significant cyberattack attributed to the Russia-aligned APT group Sandworm. The attack employed a newly analyzed, data-wiping malware named DynoWiper. Although described as the "largest cyberattack" targeting Poland in years, ESET researchers noted that they are **not aware of any successful disruption** occurring as a result of this incident.
## Incident Details
- Discovery Date: January 2026 (the date ESET announced its research and analysis)
- Incident Date: Late 2025 (specifically, the second half of December 2025)
- Affected Organization: Poland’s power grid/energy system
- Sector: Critical Infrastructure (Energy)
- Geography: Poland
## Timeline of Events
### Initial Access
- Date/Time: Late 2025 (specific date and time not provided)
- Vector: The initial entry vector is not detailed in the source, which describes only an orchestrated attack.
- Details: Attributed to Sandworm; the attack coincided with the 10th anniversary of the group's 2015 attack on the Ukrainian power grid.
### Lateral Movement
- Details: Not specified in the provided text, but implied through the execution of wiper malware.
### Data Exfiltration/Impact
- Details: The attack involved the deployment of data-wiping malware, DynoWiper (detected as Win32/KillFiles.NMO). The *intended* impact was destructive wiping of data. However, ESET is not aware of any successful disruption resulting from it.
### Detection & Response
- Date/Time: Analysis announced on January 23, 2026.
- Details: ESET researchers analyzed the malware (DynoWiper) and attributed the campaign to Sandworm with medium confidence based on TTP overlap. No specific organizational response actions were detailed, other than the observed failure of the attack to cause disruption.
## Attack Methodology
Based on ESET's analysis, the primary technique identified was the use of data-wiping malware:
- Initial Access: Unknown from the provided text.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown, but the malware is designed for destructive impact.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Unknown.
- Exfiltration: Not the primary goal; the use of a wiper suggests destructive action.
- **Impact:** Deployment of **DynoWiper**, a data-wiping payload built to destroy data on affected systems.
## Impact Assessment
- Financial: Not specified.
- Data Breach: No evidence of successful data exfiltration specified; the focus was on data destruction (wiping).
- Operational: Described as the "largest cyberattack" in years, but **"not aware of any successful disruption occurring."**
- Reputational: Potential negative impact due to the high-profile nature of the target (national power grid).
## Indicators of Compromise
- SHA-1: `4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6`
- File Indicators: Malware named **DynoWiper**.
- Behavioral Indicators: Data-wiping activity focused on critical energy infrastructure.
- Detection Name: **Win32/KillFiles.NMO**
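The SHA-1 indicator above is the kind of value a defender sweeps an estate for once a report like this is published. The following script is an added example, not ESET's tooling or code from the report: it streams every file under a directory tree through SHA-1 and returns those whose digest appears in an indicator set that includes the report's hash. The helper names (`sha1_of_file`, `sweep_for_iocs`, `demo`) and the sample files created in `demo()` are this example's own constructions.

```python
"""Offline IoC sweep: hash files under a directory tree and match them
against a SHA-1 indicator set (here, the DynoWiper hash from the report).

Added example, not ESET's tooling. Helper names (sha1_of_file,
sweep_for_iocs, demo) are this example's own; the files written in
demo() are constructed stand-ins, not real samples."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 indicator from the report, normalised to lowercase for comparison.
DYNOWIPER_SHA1 = "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6"


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_for_iocs(root, iocs):
    """Walk `root`; return [(path, sha1)] for files whose hash is in `iocs`.
    Unreadable files are skipped rather than aborting the whole sweep."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # permission denied, file vanished mid-walk, etc.
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Constructed scenario: one benign file and one placeholder file whose
    hash is added to the indicator set as a stand-in for a wiper sample.
    Returns the hit list as (file name, sha1) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"quarterly maintenance schedule")
        sample = root / "sub" / "svc.exe"
        sample.parent.mkdir()
        sample.write_bytes(b"abc")  # constructed placeholder content
        iocs = {DYNOWIPER_SHA1, sha1_of_file(sample)}
        hits = sweep_for_iocs(root, iocs)
        return [(Path(p).name, digest) for p, digest in hits]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"MATCH {name} {digest}")
```

Run it against a mounted or mirrored file system rather than a live host where possible, and treat a hash hit as a trigger for containment and forensic preservation, not as proof of execution: a hash sweep finds only files that exist on disk with exactly this digest, so it complements, rather than replaces, behavioural detection of the Win32/KillFiles.NMO family.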
## Response Actions
- Containment measures: Not detailed, but implied by the lack of operational disruption.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed.
*Note: The failure suggests containment/mitigation occurred before the wiping activity achieved its intended effect.*
## Lessons Learned
- Sandworm continues to target critical infrastructure (CI), specifically energy sectors, aligning with long-term geopolitical objectives.
- The attack coincided symbolically with the 10th anniversary of Sandworm's landmark 2015 attack on the Ukrainian grid.
- Data-wiping malware (DynoWiper) remains a high-impact tool in the threat actor's arsenal for CI disruption campaigns.
## Recommendations
- Enhance defenses specifically against known Sandworm TTPs, especially those related to destructive malware payloads like wipers.
- Implement rigorous network segmentation and monitoring tailored for energy sector operational technology (OT) environments known to be targeted by nation-state actors.
- Review and test offline backups and disaster recovery plans designed to counter data-wiping events.