Full Report
The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025. The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week. "The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on
Analysis Summary
# Threat Actor: Sandworm
## Attribution & Identity
**Identification:** Russian nation-state hacking group.
**Aliases/Associations:** Directly linked to Russian services; historically associated with attacks using the BlackEnergy, KillDisk, PathWiper, HermeticWiper, ZEROLOT, and Sting malware families.
## Activity Summary
Sandworm was attributed to the "largest cyber attack" targeting Poland's power system in the last week of December 2025, specifically on December 29 and 30, 2025. The attack was ultimately unsuccessful. This activity occurred on the tenth anniversary of Sandworm's major attack against the Ukrainian power grid in December 2015.
## Tactics, Techniques & Procedures
- Deployment of a previously undocumented wiper malware codenamed **DynoWiper**.
- DynoWiper overlaps with earlier wiper activity attributed to the group, dating from after Russia's February 2022 invasion of Ukraine.
- History of disruptive cyberattacks, specifically on critical infrastructure.
- Use of data-wiping malware (e.g., ZEROLOT, Sting, PathWiper, KillDisk) in other recent activities (June–September 2025).
- *Note: Specific MITRE ATT&CK IDs were not provided in the text.*
## Targeting
- **Sectors:** Energy/Power system (critical infrastructure), Combined Heat and Power (CHP) plants, systems managing electricity from renewable energy sources (wind turbines, photovoltaic farms).
- **Geography:** Poland (recent target); Ukraine (historical target).
- **Victims:** Two combined heat and power (CHP) plants and renewable energy management systems in Poland.
## Tools & Infrastructure
- **Malware Families Used:** DynoWiper (newly identified), BlackEnergy, KillDisk, PathWiper, HermeticWiper, ZEROLOT, Sting.
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided text.
## Implications
The attack against Poland's energy sector confirms Sandworm's continued focus on critical infrastructure, aiming for disruptive or destructive outcomes. The deployment of a new wiper (DynoWiper) indicates ongoing development of destructive capabilities. The timing of the attack (near the anniversary of the 2015 BlackEnergy attack on Ukraine) suggests deliberate operational signaling.
## Mitigations
- Increased vigilance and deployment of enhanced safeguards focused on IT and OT systems.
- Strict risk-management and incident-response requirements under cybersecurity legislation (as noted by the Polish Prime Minister).
- Defenses against wiper malware deployment, informed by the historical pattern of BlackEnergy/KillDisk activity and the newly identified DynoWiper.