
DynoWiper update: Technical analysis

Severity: Medium
Published: Fri Jan 30 2026 (01/30/2026, 18:42:13 UTC)
Source: AlienVault OTX General

Description

ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.

AI-Powered Analysis

Last updated: 02/02/2026, 11:15:50 UTC

Technical Analysis

DynoWiper is a data-wiping malware recently analyzed by ESET researchers following an incident targeting a Polish energy company. The malware is attributed with medium confidence to Sandworm, a Russia-aligned threat actor known for destructive cyber operations against critical infrastructure, including energy providers. DynoWiper’s tactics, techniques, and procedures (TTPs) closely resemble those used in the earlier ZOV wiper attacks in Ukraine, suggesting a shared development lineage or operational strategy. Unlike some previous Sandworm attacks that targeted OT environments, the DynoWiper samples focus exclusively on the IT environment, aiming to destroy data and disrupt business continuity. The attackers also deployed auxiliary tools and attempted to use a SOCKS5 proxy, a step consistent with masking command and control traffic and complicating detection and attribution. The malware’s destructive payload irreversibly deletes data, undermining system integrity and availability. No CVEs or known exploits are associated with DynoWiper, indicating it may rely on prior access or compromised credentials for deployment. This attack represents a rare but significant escalation of destructive cyberattacks against European energy infrastructure by state-aligned actors. The incident underscores the importance of robust cyber defenses and incident response capabilities tailored to wiper malware and advanced persistent threat (APT) tactics.

Potential Impact

For European organizations, especially in the energy sector, DynoWiper poses a critical threat to data integrity and operational continuity. The malware’s destructive nature can lead to irreversible data loss, prolonged downtime, and significant recovery costs. Disruption of IT systems in energy companies can cascade into broader service interruptions affecting supply and national security. Given Sandworm’s history, there is a risk of further attacks targeting other critical infrastructure sectors across Europe. The use of proxies and additional tools by attackers complicates detection and response, increasing the likelihood of successful infiltration and damage. The psychological and reputational impact on affected organizations can also be substantial. For Poland, the direct victim, the attack highlights vulnerabilities in critical infrastructure cybersecurity. Neighboring countries with similar energy infrastructure and geopolitical tensions with Russia may face elevated risks. The incident may also prompt regulatory scrutiny and increased investment in cybersecurity resilience across European energy providers.

Mitigation Recommendations

European energy organizations should implement advanced endpoint detection and response (EDR) solutions capable of identifying wiper malware behaviors such as mass file deletion and unauthorized disk access. Network monitoring should include detection of anomalous SOCKS5 proxy usage and unusual outbound connections to suspicious IPs or domains like those identified (e.g., 31.172.71.5, progamevl.ru). Segmentation between IT and OT networks must be enforced to limit lateral movement and contain potential damage. Regular, immutable backups stored offline or in air-gapped environments are critical to enable recovery from destructive attacks. Incident response plans should be updated to include wiper malware scenarios, emphasizing rapid containment and forensic analysis. Threat intelligence sharing within European energy sector Information Sharing and Analysis Centers (ISACs) should be enhanced to disseminate indicators of compromise (IOCs) and TTPs related to DynoWiper and Sandworm. Multi-factor authentication (MFA) and strict access controls can reduce the risk of initial compromise. Finally, organizations should conduct regular red team exercises simulating destructive malware attacks to test detection and response capabilities.
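The two network-side checks recommended above, matching outbound connections against this page's IP and domain indicators and spotting SOCKS5 proxy usage on arbitrary ports, can be run over connection logs. The following is an added example, not ESET's or AlienVault's code; the log format and the log lines are constructed for the demo, and the SOCKS5 check relies only on the RFC 1928 client greeting layout (version byte 0x05, a method count, then that many method bytes).

```python
"""Flag outbound connections to DynoWiper IoCs or showing a SOCKS5 client greeting."""
import re

# Indicators listed on this page.
IOC_IPS = {"31.172.71.5"}
IOC_DOMAINS = {"progamevl.ru"}

# Constructed log format (assumption): "<ts> src=<ip> dst=<host> dport=<n> first=<hex of first bytes>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)(?: first=([0-9a-fA-F]*))?")


def is_socks5_greeting(first_bytes: bytes) -> bool:
    """True if the payload starts like a SOCKS5 client greeting: 05 <nmethods> <nmethods bytes>."""
    if len(first_bytes) < 3 or first_bytes[0] != 0x05:
        return False
    nmethods = first_bytes[1]
    # A greeting must announce at least one method and carry all the bytes it announces;
    # a truncated capture is not reported, to keep the check low-noise.
    return nmethods >= 1 and len(first_bytes) >= 2 + nmethods


def classify(line: str) -> list[str]:
    """Return the alert reasons for one log line (empty list means nothing matched)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    _src, dst, dport, first_hex = m.groups()
    reasons = []
    # Exact IP/domain match, plus subdomains of a listed domain.
    if dst in IOC_IPS or dst in IOC_DOMAINS or any(dst.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"ioc-match:{dst}")
    # Port-independent SOCKS5 check: the proxy need not listen on 1080.
    if first_hex and is_socks5_greeting(bytes.fromhex(first_hex)):
        reasons.append(f"socks5-greeting:{dst}:{dport}")
    return reasons


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> reasons for every line that should be alerted on."""
    return {i: r for i, line in enumerate(lines) if (r := classify(line))}


SAMPLE_LOGS = [  # constructed sample data
    "2026-01-30T03:14:05Z src=10.20.1.15 dst=update.vendor.test dport=443 first=160301",  # TLS hello
    "2026-01-30T03:15:11Z src=10.20.1.15 dst=31.172.71.5 dport=1080 first=050100",  # IoC + SOCKS5
    "2026-01-30T03:16:40Z src=10.20.1.22 dst=progamevl.ru dport=443 first=160301",  # IoC domain
    "2026-01-30T03:17:02Z src=10.20.1.22 dst=198.51.100.9 dport=8443 first=05020002",  # SOCKS5, odd port
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOGS).items():
        print(idx, reasons)
```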


Technical Details

Author
AlienVault
Tlp
white
References
https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution
Adversary
Sandworm
Pulse Id
697cfb85ac8b88be3162c26c

Indicators of Compromise

Ip

31.172.71.5

Domain

progamevl.ru


Threat ID: 698083b8f9fa50a62f370564

Added to database: 2/2/2026, 11:00:08 AM

Last enriched: 2/2/2026, 11:15:50 AM

Last updated: 2/3/2026, 11:12:03 AM

