Saturday, February 14, 2026

Russia-Linked Hackers Used Wiper Malware in Attack on Poland’s Energy Industry

ESET Analysts: Russian Sandworm Group Behind December Attack on Poland’s Energy Sector, Timed to 10th Anniversary of Ukraine Blackout.

Cybersecurity analysts from ESET have disclosed new details about a cyberattack targeting Poland’s energy sector, an incident previously acknowledged by Prime Minister Donald Tusk and Minister of Digital Affairs Krzysztof Gawkowski. According to ESET, the attempted disruption of Poland’s power infrastructure on December 29, 2025, was carried out by Sandworm, a hacking group linked to Russian military intelligence.

Strikingly, the attack was launched exactly on the 10th anniversary of the first-ever power blackout caused by a cyberattack — an operation conducted by the same group against Ukraine in December 2015.

Wiper Malware Used in the Attack

Polish authorities reported that the country’s energy sector became the target of a significant cyber incident toward the end of last year. ESET analysts have now confirmed that a disruptive cyberattack attempt took place on December 29, 2025. The attackers deployed wiper malware, a type of malicious software designed to irreversibly destroy data and render systems inoperable.

ESET researchers analyzed the malicious software and designated it DynoWiper. According to the company, there is currently no evidence that the attack caused any successful or lasting disruptions to energy supplies or critical systems.

Attribution to Sandworm

Based on malware analysis and associated tactics, techniques, and procedures (TTPs), ESET attributes the attack to Sandworm with moderate confidence. This assessment is grounded in strong similarities to numerous previous Sandworm operations involving destructive wiper malware that ESET has investigated over the years.

Sandworm is widely known for its focus on critical infrastructure and high-impact cyber operations, particularly in the energy sector, often combining technical sabotage with psychological and strategic signaling.

Symbolic Timing and Historical Context

While investigations into the intended impact of the attack are still ongoing, analysts emphasize the symbolic timing of the operation. The attempt occurred in the middle of winter — a period of heightened vulnerability for energy systems — and precisely ten years after Sandworm’s landmark cyberattack on Ukraine’s power grid.

In December 2015, the group infiltrated the control systems of several Ukrainian electrical substations using the BlackEnergy malware family. That operation cut electricity to approximately 230,000 people for several hours, marking the first known instance in history where a power outage was directly caused by malicious software.

A Signal, Not Just an Attack

According to analysts, the December 2025 incident should be viewed not only as a technical operation but also as a strategic message. By choosing such a date, the attackers likely aimed to demonstrate capability, continuity, and intent — reinforcing Sandworm’s long-standing role as a cyber weapon targeting national energy security in Europe.

Although the attack on Poland did not result in visible damage, experts warn that it underscores the persistent threat facing critical infrastructure and the importance of continued vigilance, cross-sector cooperation, and investment in cybersecurity resilience.
