Russia-Linked Hackers Target Poland’s Power Grid With New Wiper Malware


Researchers disclosed on Friday that the attack likely originated with Russian state-backed hackers and targeted components of Poland’s electricity infrastructure. The timing alone raised alarms. The malware surfaced in the final week of December, exactly ten years after Russia carried out its first successful cyber-induced blackout against Ukraine.


According to Reuters, the operation aimed to sever communications between renewable energy installations and power distribution operators. The attempt failed, and officials have not explained why. Still, the incident underscores how modern energy systems, increasingly digitised and interconnected, remain attractive targets during periods of geopolitical tension.


Security firm ESET identified the malware as a wiper, a destructive class of code engineered to permanently erase data on servers and storage devices. Unlike ransomware, which seeks leverage through extortion, wipers aim for irreversible damage. Once a wiper has run successfully, recovery often proves impossible.


After analysing the attack’s tactics, techniques and procedures, ESET researchers linked the operation to Sandworm, a Russian government-aligned hacking group notorious for targeting critical infrastructure.


“Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analysed,” said ESET researchers. “We’re not aware of any successful disruption occurring as a result of this attack.”


Sandworm’s record explains why analysts moved quickly to sound the alarm. The group has repeatedly acted as a cyber weapon for the Kremlin, favouring attacks that send unmistakable political signals. Its most infamous operation unfolded in December 2015, when hackers cut power to parts of Ukraine during winter, leaving roughly 230,000 people without electricity for six hours.


That attack relied on BlackEnergy malware to breach power companies’ supervisory control and data acquisition systems. From inside, the attackers used legitimate system functions to shut down electricity distribution. It marked the first confirmed blackout caused directly by malware, reshaping how governments assess cyber risk to physical infrastructure.


ESET said the Poland incident occurred on the anniversary of that milestone attack. Beyond confirming the date and naming the malware DynoWiper, the firm shared few technical specifics, a reminder of how sensitive and incomplete public disclosures around infrastructure attacks often remain.


Custom-built wipers have become a recurring feature of Russian cyber campaigns. In 2022, attackers deployed AcidRain to disable roughly 270,000 satellite modems in Ukraine, disrupting communications at a critical moment. That marked the seventh distinct wiper Russia had used since launching its invasion. ESET later reported that Sandworm also deployed multiple wipers against Ukrainian universities and critical infrastructure.


The most notorious example remains NotPetya. Released in 2017, the worm initially targeted Ukraine but rapidly spread worldwide, crippling networks at multinational companies and government agencies. Damage estimates reached $10 billion, making it one of the costliest cyberattacks ever recorded. Many victims never fully recovered their systems.


Why DynoWiper failed in Poland remains unclear. Analysts see two plausible explanations. Cyber defences may have detected or neutralised the malware before it executed. Alternatively, Russia may have calibrated the attack to demonstrate capability without triggering a broader response from Poland’s allies.


Either scenario highlights a sobering reality for energy operators and policymakers.


Even unsuccessful attacks carry strategic weight. What happens if the next attempt lands differently? And how many critical systems worldwide rely on defences that have never been tested under real-world pressure? For executives overseeing infrastructure, the lesson mirrors decisions leaders face every day: prepare for the outcome you hope never arrives. In cyber conflict, resilience often matters as much as deterrence.


Author: George Nathan Dulnuan
