The Russian state-sponsored APT named Sandworm was behind the December 2025 cyberattack targeting Poland’s power grid, cybersecurity firm ESET reports.
Poland’s energy infrastructure, including two combined heat and power (CHP) plants and a renewable energy management system, was targeted by hackers on December 29-30, and Polish officials blamed Russia for the assault.
Said to have been the largest cyberattack against Poland in years, the December 2025 incident was thwarted before it could cause a blackout or compromise critical infrastructure, the country’s officials said earlier this month.
The attack occurred 10 years after Sandworm used the BlackEnergy malware in a disruptive attack against Ukraine’s power grid, resulting in multiple blackouts in the Ivano-Frankivsk region.
Active since at least 2009, the threat actor is believed to be associated with Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455.
Also known as APT44, BlackEnergy Lite, Seashell Blizzard, Telebots, and Voodoo Bear, Sandworm has become notorious for its espionage and information operations, as well as cyber disruptions.
According to ESET, the APT was most likely behind the December 2025 cyberattack on the Polish power grid, based on the employed malware and associated TTPs.
The cybersecurity firm said that Sandworm deployed a new data wiper in the attack, but did not cause disruptions. The intended impact of the assault has yet to be determined.
“We’re not aware of any successful disruption occurring as a result of this attack,” ESET said.
The malware, dubbed DynoWiper (Win32/KillFiles.NMO), aligns with previous Sandworm wiper attacks, the cybersecurity firm noted. No technical details on the threat have been published.
Underlining the link between the Polish assault and the anniversary of Sandworm’s attack on Ukraine’s power grid, ESET pointed out that the APT continues to regularly mount wiper attacks against Ukrainian targets.
“Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors, especially in Ukraine,” ESET said.
Related: Russia’s APT28 Targeting Energy Research, Defense Collaboration Entities
Related: Pro-Russian Hackers Claim Cyberattack on French Postal Service
Related: Denmark Blames Russia for Cyberattacks Ahead of Elections and on Water Utility
Related: Amazon: Russian Hackers Now Favor Misconfigurations in Critical Infrastructure Attacks
