A major cyberattack that nearly cut electricity to half a million people in Poland last year was reportedly carried out by the Russia-linked hacking group Sandworm, which likely attempted to knock out systems using wiper malware.
# Incident Report: Sandworm Wiper Attack on Polish Energy Infrastructure
## Executive Summary
In late December of last year, a major cyberattack attributed with medium confidence to the Russia-linked Sandworm APT group targeted Poland’s energy sector. The threat actors deployed the DynoWiper malware, attempting to cause widespread operational disruption by targeting the communications between numerous renewable energy sources and electricity distribution operators. Although Polish authorities thwarted the attack before any power outage occurred, it was deemed the largest attack on energy infrastructure in years, with the potential to affect up to half a million people.
## Incident Details
- Discovery Date: Early January (when Polish authorities disclosed the incident; the specific date of ESET's discovery is not provided)
- Incident Date: Late December [Last Year]
- Affected Organization: Unspecified Polish Electricity Distribution Operators and Renewable Energy Installations (Solar Farms, Wind Turbines)
- Sector: Energy / Utilities
- Geography: Poland
## Timeline of Events
### Initial Access
- Date/Time: Late December [Last Year] (Timing was symbolic, coinciding with the 10th anniversary of Sandworm's 2015 Ukraine grid attack)
- Vector: Unknown (Focus was on disrupting control communications)
- Details: Attackers targeted communications linking renewable energy installations (solar, wind) to distribution operators across large parts of the country.
### Lateral Movement
- Details: Not explicitly detailed, but required to reach and deploy wiper malware across the distributed energy network.
### Data Exfiltration/Impact
- Impact: Attempted destruction of critical files using DynoWiper malware, aimed at rendering systems unusable and potentially causing a massive power blackout affecting up to 500,000 people.
- Outcome: The attack was thwarted before causing service disruption.
### Detection & Response
- Detection: Polish authorities identified the intrusion in early January.
- Response actions taken: The incident was reportedly thwarted before successful mass disruption.
## Attack Methodology
- Initial Access: Not explicitly detailed.
- Persistence: Not explicitly detailed.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed.
- Credential Access: Not explicitly detailed.
- Discovery: Unknown, but likely reconnaissance mapped the communication pathways between distributed energy assets.
- Lateral Movement: Likely focused on moving between OT/IT networks to reach diverse, smaller power sources.
- Collection: Not the primary goal, as the intent was destruction.
- Exfiltration: Not mentioned as a primary component.
- Impact: **Destructive (Wiper Malware)**. Deployment of DynoWiper, designed to destroy critical files and disable systems to cause an outage.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Not explicitly the focus; the intent was operational disruption/destruction.
- Operational: Potential for blackout affecting up to 500,000 people. **Actual operational impact was successfully prevented.**
- Reputational: Significant public disclosure highlighting vulnerability of national critical infrastructure.
## Indicators of Compromise
- Network indicators: *Not provided*
- File indicators: DynoWiper wiper malware (no file hashes provided)
- Behavioral indicators: Coordinated sabotage attempt targeting distributed renewable energy control systems.
## Response Actions
- Containment measures: Not detailed, but Polish authorities acted to foil the attack before the wiper executed successfully or broadly.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed, as full impact was averted.
## Lessons Learned
- The attack highlights a shift in tactics, focusing on numerous smaller, distributed renewable energy sources simultaneously rather than older, centralized power plants.
- The attack was "unprecedented" in its disruptive nature compared to previous intrusions in Poland.
- The timing suggests a deliberate, politically motivated campaign linked to the anniversary of the 2015 Ukraine grid attack.
- This type of coordinated sabotage attack is expected to happen again.
## Recommendations
- Enhance network segmentation between IT and Operational Technology (OT) environments controlling renewable energy assets.
- Implement stringent monitoring of the communication protocols between SCADA/ICS systems and the disparate, distributed energy sources they integrate.
- Review and test disaster recovery and malware response plans specifically for wiper scenarios across the energy sector.