Threat Overview
In late 2025, Poland’s energy system endured what analysts are calling the country’s largest cyberattack in recent memory. The assault, which unfolded during the final week of December, targeted critical power infrastructure and was traced back to the Russia‑aligned Advanced Persistent Threat (APT) group Sandworm. The incident was documented in a threat report released by AlienVault on 23 January 2026, drawing on forensic evidence collected by ESET Research.
Actor Profile
Sandworm, also known as TeleBots, has a long history of disruptive operations against critical infrastructure, particularly in Ukraine. The group is believed to be state‑backed, with a focus on political objectives and information warfare. Their toolkit frequently includes destructive wipers, command‑and‑control frameworks, and zero‑day exploits that enable lateral movement within industrial control systems.
Attack Timeline and Methodology
The Polish attack began on 31 December 2025, coinciding with the 10th anniversary of the 2015 Sandworm‑led blackout in Ukraine. Initial intrusion vectors appeared to be spear‑phishing emails and compromised supply‑chain components, granting the adversary a foothold in control‑system networks. From there, the malware, later identified as DynoWiper, propagated through the network, wiping critical configuration files and rendering substations inoperable.
Malware Analysis – DynoWiper
ESET researchers classified DynoWiper as Win32/KillFiles.NMO. The wiper is designed to overwrite system files, delete registry entries, and erase logs, thereby crippling recovery efforts. Unlike earlier Sandworm wipers, DynoWiper also includes a self‑destruct routine that erases its own code after execution, complicating forensic analysis.
Tactics, Techniques, and Procedures (TTPs)
Key TTPs identified in the Polish incident mirror those documented for Sandworm in the 2025 APT Activity Report. These include:
- Initial Access: Spear‑phishing with malicious attachments.
- Lateral Movement: Exploitation of SMB shares and Windows Admin Shares.
- Privilege Escalation: Abuse of local administrative credentials.
- Defense Evasion: Use of encrypted C2 channels and process injection.
- Impact: Data‑wiping and denial‑of‑service via network segmentation disruption.
Impact Assessment
While the Polish grid did not suffer a sustained outage, the attack forced operators to shut down affected substations temporarily, triggering a cascade of load‑balancing adjustments. The incident highlighted the vulnerability of legacy SCADA systems to destructive malware. No evidence suggests that Sandworm achieved long‑term persistence or exfiltration of operational data, but the disruption underscored the potential for future attacks to cause widespread blackouts.
Reliability and Confidence
The report carries a confidence level of 100% and a reliability rating of “A – Completely reliable.” This assessment is based on corroborated indicators of compromise (IOCs) from ESET’s malware samples, network traffic logs, and historical Sandworm activity. The alignment of TTPs with known Sandworm patterns further strengthens attribution.
Recommendations for Security Analysts
- Implement Network Segmentation: Isolate critical control‑system networks from corporate IT to limit lateral movement.
- Deploy Endpoint Detection and Response (EDR): Ensure real‑time monitoring of SCADA endpoints, with capabilities to detect file‑system tampering.
- Enforce Least‑Privilege Access: Restrict administrative credentials and enforce multi‑factor authentication for privileged accounts.
- Maintain Redundant Backup Systems: Store immutable backups of configuration files in air‑gapped storage to facilitate rapid restoration.
- Conduct Regular Red‑Team Exercises: Simulate wiper attacks to validate incident‑response plans and recovery procedures.
- Update Threat Intelligence Feeds: Subscribe to AlienVault OTX and ESET threat feeds to receive real‑time IOCs related to Sandworm and DynoWiper.
- Strengthen Email Security: Deploy advanced phishing detection, sandboxing, and user training to mitigate spear‑phishing vectors.
- Implement Immutable Logging: Use tamper‑proof logging solutions to preserve forensic evidence even if the system is compromised.
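As an added illustration of the EDR and logging recommendations above, and of the file‑overwrite, registry‑deletion and log‑clearing behaviour the report attributes to DynoWiper, the following Python is example detection logic written for this article, not code from ESET or AlienVault; the event schema, host names and telemetry records are constructed, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = {"FileOverwrite", "FileDelete"}          # bulk tampering with files
ANTIFORENSIC = {"RegistryDelete", "EventLogCleared"}   # covering tracks


def ev(ts, host, kind, target):
    """Build one telemetry record (schema is constructed for this example)."""
    return {"ts": ts, "host": host, "type": kind, "target": target}


# Constructed sample telemetry, not data from the ESET or AlienVault reports.
SAMPLE_EVENTS = [
    ev("2025-12-31T02:00:01", "scada-hmi-01", "FileOverwrite", "C:\\Scada\\cfg\\sub01.xml"),
    ev("2025-12-31T02:00:02", "scada-hmi-01", "FileOverwrite", "C:\\Scada\\cfg\\sub02.xml"),
    ev("2025-12-31T02:00:03", "scada-hmi-01", "FileDelete", "C:\\Scada\\cfg\\sub03.xml"),
    ev("2025-12-31T02:00:04", "scada-hmi-01", "FileDelete", "C:\\Scada\\cfg\\sub04.xml"),
    ev("2025-12-31T02:00:05", "scada-hmi-01", "FileOverwrite", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ev("2025-12-31T02:00:06", "scada-hmi-01", "FileDelete", "C:\\Scada\\cfg\\sub05.xml"),
    ev("2025-12-31T02:00:09", "scada-hmi-01", "RegistryDelete", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ScadaSvc"),
    ev("2025-12-31T02:00:12", "scada-hmi-01", "EventLogCleared", "Security"),
    ev("2025-12-31T02:00:05", "eng-ws-02", "FileDelete", "C:\\Users\\op\\Downloads\\old.zip"),  # benign noise
    ev("2025-12-31T02:30:40", "eng-ws-02", "FileDelete", "C:\\Temp\\tmp1234.log"),
]


def detect_wiper_activity(events, window_seconds=60, file_threshold=5):
    """One alert per host with >= file_threshold destructive file events in a sliding
    window; 'high' if registry deletion or log clearing falls in the same window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for i, start in enumerate(evs):
            end = datetime.fromisoformat(start["ts"]) + timedelta(seconds=window_seconds)
            window = [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) <= end]
            n_files = sum(e["type"] in DESTRUCTIVE for e in window)
            if n_files < file_threshold:
                continue
            anti = sorted({e["type"] for e in window if e["type"] in ANTIFORENSIC})
            alerts.append({"host": host, "start": start["ts"], "destructive_events": n_files,
                           "antiforensic": anti, "severity": "high" if anti else "medium"})
            break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_activity(SAMPLE_EVENTS):
        print(alert)
```

Because the events are correlated per host inside a short window, the rule fires on the burst pattern itself rather than on any single file path, so it still applies when a wiper variant targets different directories; the log‑clearing event only survives to be correlated if logging is forwarded off‑host or otherwise immutable.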
Conclusion
The Polish power‑grid incident serves as a stark reminder that state‑aligned APT groups like Sandworm continue to evolve their destructive capabilities. By combining sophisticated wipers with precise operational tactics, they can inflict significant disruption on critical infrastructure. Security analysts must remain vigilant, continuously refine defensive controls, and collaborate across sectors to detect and neutralize such threats before they can materialize into catastrophic outages.
For more detailed technical information, refer to the original AlienVault pulse and the ESET Research report.