New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector
The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025. The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week. "The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on
AI Analysis
Technical Summary
In late December 2025, the Russian advanced persistent threat (APT) group known as Sandworm conducted what Polish officials have described as the largest cyber attack on Poland's power system. The attack used a previously undocumented wiper named DynoWiper, identified by the Slovak security firm ESET. A wiper is destructive malware that overwrites or erases data to render hosts inoperable; unlike ransomware there is no recovery key and nothing to negotiate. ESET reports functional and code overlaps between DynoWiper and earlier Sandworm wipers such as KillDisk (used in the December 2015 Ukrainian grid attacks), HermeticWiper (deployed at the start of the 2022 invasion), ZEROLOT and Sting, all of which have been used against Ukrainian critical infrastructure. The 29-30 December attacks targeted two combined heat and power (CHP) plants and systems managing electricity from renewable sources (wind and photovoltaic farms). The attack did not disrupt power supply, as confirmed by energy minister Milosz Motyka. The timing coincides with the tenth anniversary of Sandworm's December 2015 attack on Ukraine's power grid, a reminder of the group's persistent focus on energy infrastructure. A wiper of this kind needs administrative rights on the hosts it destroys, so the intrusion necessarily involved earlier access and lateral movement inside the operators' networks; the page gives no detail on the initial access vector or on how far the actor had progressed before the attack was stopped. Poland is responding by preparing enhanced cybersecurity legislation mandating stringent risk management, IT/OT protection and incident response procedures. The incident shows nation-state wipers being used against critical infrastructure outside Ukraine, which is the key point for energy-sector defenders elsewhere in Europe.
Potential Impact
For European organizations, particularly energy operators, the DynoWiper attack shows a nation-state actor willing to deploy destructive malware against critical infrastructure outside Ukraine. A wiper that reaches engineering workstations, HMIs, historians or SCADA servers destroys the operators' view of and control over generation and distribution; field devices may keep running blind, and if controllers or their project files are lost, restoration can take days. Physical damage is possible only indirectly, through loss of control or unsafe manual operation, but prolonged outages and costly recovery are realistic outcomes. The targeting of both CHP plants and the management systems for wind and photovoltaic farms shows that modern, often more connected, renewable assets are as much in scope as conventional plants. The incident also signals that the geopolitical cyber conflict is extending beyond Ukraine, with possible effects on energy supply chains across Europe. OT environments frequently run legacy systems with limited security controls and rare patch windows, which makes them soft targets for destructive malware. Failure to address this would erode trust in critical infrastructure resilience and complicate compliance with emerging EU cybersecurity regulation.
Mitigation Recommendations
European energy organizations should implement a layered defence that treats the IT/OT boundary as the key control point. Specific recommendations:
1) Maintain a complete asset inventory and segment the network so that engineering workstations, HMIs, historians and controllers sit in zones separated from corporate IT by firewalls that pass only the protocols each zone needs; this limits the lateral movement a wiper campaign depends on.
2) Deploy endpoint detection and response (EDR) on the Windows hosts in the OT environment (engineering workstations, HMIs, SCADA servers), tuned for behaviours the earlier Sandworm wipers share: raw writes to physical disk or volume devices, bulk overwriting or deletion of files, and deletion of Volume Shadow Copies or other recovery data. Where a host cannot run EDR, forward its event logs and monitor it centrally.
3) Enforce multi-factor authentication (MFA) and logged, time-limited access for every remote or privileged path into ICS and supervisory control and data acquisition (SCADA) systems, including vendor maintenance connections, and remove standing domain-admin rights from OT hosts; a wiper can only destroy what its account can write.
4) Patch IT systems routinely. In OT, where patch windows are rare, prioritise internet-facing and boundary systems and vulnerabilities that allow remote code execution or privilege escalation, and apply compensating controls (isolation, application allow-listing) where patching must wait.
5) Plan for destructive scenarios specifically: keep offline or immutable backups of PLC/RTU project files, HMI configurations and historian data, hold golden images for engineering workstations, and rehearse restoration against a measured recovery time.
6) Exchange indicators and alerts with national cybersecurity agencies (CERTs/CSIRTs) and sector Information Sharing and Analysis Centers (ISACs) so that a detection at one operator reaches the others quickly.
7) Monitor network traffic and logs continuously around critical assets, with particular attention to new administrative sessions and file transfers onto OT hosts, since a wiper must be staged before it is launched.
8) Train personnel to recognise spear-phishing and other social engineering used for initial access.
9) Control the supply chain: verify integrators' and vendors' software and remote-support tools, and restrict what they can introduce into OT.
10) Track and comply with the EU and Polish cybersecurity legislation that mandates risk management and protection measures for critical infrastructure.
None of these measures depends on DynoWiper-specific indicators, which the page does not provide; they address the behaviour common to the wiper family.
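As an added illustration of recommendations 2 and 7 (example code written for this page, not from the article, ESET or any operator), the following Python block runs three wiper-behaviour rules over Sysmon-style event records: raw access to a disk or volume device by a process outside an allowlist, commands that destroy recovery data, and a burst of file deletions by one process. The event records are constructed; the allowlisted backup agent, the 50-deletes-per-minute threshold and the host and process names are assumptions.

```python
"""Added example: flag wiper-like host behaviour in Sysmon-style events.
Sample events are constructed, not telemetry from the Polish incident.
Event IDs follow Sysmon: 1 ProcessCreate, 9 RawAccessRead, 23 FileDelete."""
import re
from collections import Counter, defaultdict

# Behaviours shared by the earlier Sandworm wipers named on this page: raw
# disk/volume access, destruction of recovery data, and bulk file deletion.
RAW_DEVICE = re.compile(r"\\Device\\(HarddiskVolume\d+|Harddisk\d+\\DR\d+)", re.I)
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
]
# Legitimate raw-disk readers (backup/imaging agents): site-specific assumption.
RAW_ALLOWLIST = {r"c:\program files\backupagent\agent.exe"}
BURST_DELETES = 50   # FileDelete events by one process within one minute (assumption)


def analyse(events):
    """Return findings as dicts with host, rule, image and detail."""
    findings = []
    deletes = defaultdict(Counter)   # (host, pid, image) -> minute bucket -> count
    for e in events:
        eid, host, image = e["EventID"], e["Computer"], e.get("Image", "")
        if eid == 9:                                   # RawAccessRead
            dev = e.get("Device", "")
            if RAW_DEVICE.search(dev) and image.lower() not in RAW_ALLOWLIST:
                findings.append({"host": host, "rule": "raw_disk_access",
                                 "image": image, "detail": dev})
        elif eid == 1:                                 # ProcessCreate
            cmd = e.get("CommandLine", "")
            if any(p.search(cmd) for p in RECOVERY_TAMPER):
                findings.append({"host": host, "rule": "recovery_tamper",
                                 "image": image, "detail": cmd})
        elif eid == 23:                                # FileDelete
            minute = e["UtcTime"][:16]                 # "YYYY-MM-DD HH:MM"
            deletes[(host, e.get("ProcessId"), image)][minute] += 1
    for (host, pid, image), per_minute in deletes.items():
        minute, n = per_minute.most_common(1)[0]
        if n >= BURST_DELETES:
            findings.append({"host": host, "rule": "mass_delete", "image": image,
                             "detail": f"pid {pid}: {n} deletes in minute {minute}"})
    return findings


def sample_events():
    """Constructed Sysmon-like records for one HMI host (not real data)."""
    ev = [
        {"EventID": 1, "Computer": "HMI-01", "ProcessId": 2212,
         "Image": r"C:\Windows\System32\notepad.exe",
         "CommandLine": "notepad.exe setpoints.txt", "UtcTime": "2025-12-29 22:10:01.000"},
        {"EventID": 9, "Computer": "HMI-01", "ProcessId": 3320,      # allowlisted backup agent
         "Image": r"C:\Program Files\BackupAgent\agent.exe",
         "Device": r"\Device\HarddiskVolume2", "UtcTime": "2025-12-29 22:11:30.000"},
        {"EventID": 9, "Computer": "HMI-01", "ProcessId": 4412,      # unknown binary, raw access
         "Image": r"C:\Windows\Temp\svchost32.exe",
         "Device": r"\Device\HarddiskVolume2", "UtcTime": "2025-12-29 22:14:02.000"},
        {"EventID": 1, "Computer": "HMI-01", "ProcessId": 4470,
         "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe delete shadows /all /quiet",
         "UtcTime": "2025-12-29 22:14:03.000"},
    ]
    for i in range(60):            # one-minute burst of deletes by the unknown binary
        ev.append({"EventID": 23, "Computer": "HMI-01", "ProcessId": 4412,
                   "Image": r"C:\Windows\Temp\svchost32.exe",
                   "TargetFilename": rf"C:\SCADA\Projects\proj{i}.xml",
                   "UtcTime": f"2025-12-29 22:14:{10 + i % 50:02d}.000"})
    for i in range(3):             # a few ordinary deletes by a user process
        ev.append({"EventID": 23, "Computer": "HMI-01", "ProcessId": 2212,
                   "Image": r"C:\Windows\System32\notepad.exe",
                   "TargetFilename": rf"C:\Users\op\tmp{i}.txt",
                   "UtcTime": f"2025-12-29 22:2{i}:00.000"})
    return ev


if __name__ == "__main__":
    for f in analyse(sample_events()):
        print(f["host"], f["rule"], f["image"], f["detail"])
```

Against the constructed events the rules fire three times (raw disk access by the unknown binary, the vssadmin command, and the delete burst) and stay silent for the allowlisted backup agent and the user's deletes. In practice the records come from Sysmon via a SIEM or log forwarder, the allowlist and threshold are tuned per site, and the rules are generic destructive-malware detections rather than a DynoWiper signature, since the page publishes no indicators for it.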
Affected Countries
Poland, Ukraine, Germany, France, Czech Republic, Slovakia, Hungary
Technical Details
- Article Source
- {"url":"https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html","fetched":true,"fetchedAt":"2026-01-24T20:35:17.653Z","wordCount":1016}
Threat ID: 69752d084623b1157ccddeb1
Added to database: 1/24/2026, 8:35:20 PM
Last enriched: 1/24/2026, 8:35:57 PM
Last updated: 1/26/2026, 4:24:12 PM
Related Threats
- 'Stanley' Malware Toolkit Enables Phishing via Website Spoofing (Medium)
- MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users (Medium)
- Russian Sandworm Hackers Blamed for Cyberattack on Polish Power Grid (Medium)
- ThreatFox IOCs for 2026-01-25 (Medium)
- ThreatFox IOCs for 2026-01-24 (Medium)