Sandworm behind cyberattack on Poland's power grid in late 2025
In late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.
AI Analysis
Technical Summary
ESET Research attributes the late-2025 attack on Poland's power grid with medium confidence to Sandworm, a Russia-aligned advanced persistent threat (APT) group with a long record of attacks on critical infrastructure. The attack deployed DynoWiper, destructive malware that ESET detects as Win32/KillFiles.NMO and that is designed to irreversibly destroy files on infected systems; its effect is on data integrity and availability, not confidentiality. The timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid, which suggests a symbolic as well as a strategic motive. The only technique the source describes for this incident is destructive file wiping, which maps to MITRE ATT&CK T1485 (Data Destruction) and T1561 (Disk Wipe). Techniques frequently seen alongside Sandworm wipers, such as T1489 (Service Stop) and T1490 (Inhibit System Recovery), are plausible but are not documented for this incident, and T1486 (Data Encrypted for Impact) does not apply: a wiper destroys data rather than encrypting it for ransom. The full scope of the impact is still under investigation. Because DynoWiper is malware rather than a vulnerability, there is no patch for it; mitigation rests on detection, containment and recovery rather than on remediating a flaw. One file hash has been shared for detection: 4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6. Its 40 hexadecimal characters identify it as a SHA-1 digest, so it must be compared against SHA-1 hashes of files, not MD5 or SHA-256. The incident fits Sandworm's persistent targeting of energy-sector infrastructure in Eastern Europe and the wider geopolitical conflict between Russia-aligned actors and European critical infrastructure.
Potential Impact
The attack on Poland's power grid by Sandworm using DynoWiper poses significant risks to the integrity and availability of critical energy infrastructure systems; a wiper destroys data rather than stealing it, so confidentiality is not the primary concern. Erasing essential system files and data can cause prolonged outages, and in a grid environment that translates into a risk of blackouts or degraded power delivery, with the caveat that the source has not yet established whether power delivery was actually affected. For European organizations, especially in the energy sector, this is a direct threat to operational continuity and national security. Disruption of power grids can cascade into other critical services such as healthcare, transportation and communications, amplifying societal and economic impacts. The attack also signals a heightened risk of similar campaigns against other European countries with interconnected or similarly structured energy systems. Because a wiper's destructive step is fast and final once it executes, the realistic defensive window is before execution (initial access, credential use, staging) rather than after. The geopolitical context, with Russia-aligned actors focused on Eastern Europe, raises the threat level for countries in proximity to or with strategic ties to Poland and Ukraine. The incident is also likely to push further investment in cybersecurity resilience across European critical sectors.
Mitigation Recommendations
1. Deploy endpoint detection and response (EDR) capable of flagging wiper behaviour: bursts of file deletion or overwriting by a single process, raw disk or volume access, and tampering with boot records or shadow copies.
2. Keep regular, immutable backups of critical systems and data in offline or air-gapped storage, and test restores on a schedule; a backup that has never been restored is not a recovery plan.
3. Harden network segmentation within energy infrastructure, in particular between IT and OT zones, to limit the reach of an intrusion and the blast radius of a wiper.
4. Enforce strict access controls and multi-factor authentication (MFA) on all OT and IT systems to reduce the risk of credential compromise.
5. Monitor for indicators of compromise (IOCs) such as the known DynoWiper hash (4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6, a SHA-1 digest) and for TTPs aligned with Sandworm activity. A single hash is a weak indicator on its own, since a recompiled sample changes it; behavioural detection must back it up.
6. Establish and regularly exercise incident response plans that specifically cover wiper scenarios and critical infrastructure disruption, including how to rebuild hosts from known-good images.
7. Collaborate with national cybersecurity centres and share threat intelligence to stay current on emerging threats and mitigations.
8. Run threat-hunting exercises around the MITRE ATT&CK techniques documented or expected in Sandworm wiper operations: T1485 (Data Destruction) and T1561 (Disk Wipe) for the wiper itself, and T1489 (Service Stop) and T1490 (Inhibit System Recovery) as common precursors.
9. Keep OT and IT systems patched and firmware current where operationally feasible. No vulnerability is associated with DynoWiper itself, but closing known weaknesses removes paths an intruder can use for initial access and lateral movement.
10. Train staff to recognise spear-phishing and social engineering, which APT groups commonly use to gain initial access.
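The hash check in item 5 and the wiper-behaviour detection in item 1, as an added worked example that is not code from ESET or from this page: a Python script that infers the digest algorithm from an IOC's length (40 hex characters means SHA-1, so the DynoWiper hash is compared only against SHA-1 digests), scans a directory tree for matching files, and applies a burst-deletion heuristic to process telemetry. The telemetry records, the process names, the threshold of 50 deletions within 10 seconds and the demo file are constructed assumptions for illustration, not values from the source.

```python
"""Added example: IOC hash matching plus a burst file-deletion heuristic.
Not code from ESET or from the original page; the telemetry, process names
and thresholds below are constructed for illustration."""
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# The only hash the source publishes for DynoWiper (40 hex chars => SHA-1).
IOC_HASHES = {"4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6"}

DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_algo(hexdigest):
    """Infer the hashlib algorithm name from a hex digest's length."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a hex digest")
    try:
        return DIGEST_ALGOS[len(h)]
    except KeyError:
        raise ValueError(f"unsupported digest length {len(h)}") from None


def file_digest(path, algo):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=IOC_HASHES):
    """Return paths under root whose digest matches an IOC.
    Each IOC is matched with the algorithm its length implies, so a SHA-1
    IOC is never compared against an MD5 or SHA-256 of the file."""
    wanted = defaultdict(set)
    for ioc in iocs:
        wanted[hash_algo(ioc)].add(ioc.lower())
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if any(file_digest(path, algo) in digests
                       for algo, digests in wanted.items()):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return hits


def burst_deletions(events, threshold=50, window=timedelta(seconds=10)):
    """Flag processes that delete >= threshold files inside any sliding
    window of length `window`. Events are (timestamp, process, action, path).
    Returns {process: peak deletions seen in one window}."""
    times_by_proc = defaultdict(list)
    for ts, proc, action, _path in events:
        if action == "FileDelete":
            times_by_proc[proc].append(ts)
    flagged = {}
    for proc, times in times_by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[proc] = max(flagged.get(proc, 0), count)
    return flagged


def sample_events():
    """Constructed telemetry (not real logs): a user process deleting a few
    files minutes apart, and a hypothetical 'svc.exe' deleting 120 files in 3 s."""
    t0 = datetime(2025, 1, 1, 3, 0, 0)
    ev = [(t0 + timedelta(minutes=i), "explorer.exe", "FileDelete", f"C:\\tmp\\{i}.txt")
          for i in range(5)]
    ev += [(t0 + timedelta(milliseconds=25 * i), "svc.exe", "FileDelete", f"D:\\data\\rec{i}.dat")
           for i in range(120)]
    ev.append((t0, "svc.exe", "FileCreate", "D:\\data\\note.txt"))
    return ev


def demo_scan():
    """Self-check on a constructed file: add its SHA-1 to the IOC set and
    confirm it is found, while the real DynoWiper hash alone finds nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample content, not malware\n")
        found = scan_tree(tmp, iocs=IOC_HASHES | {file_digest(path, "sha1")})
        missed = scan_tree(tmp, iocs=IOC_HASHES)
        return len(found), len(missed)


if __name__ == "__main__":
    print("demo scan (hits with sample IOC, hits with real IOC):", demo_scan())
    print("burst deletions:", burst_deletions(sample_events()))
```

The sliding window is per process rather than host-wide so that routine cleanup jobs spread over minutes do not trip the rule, while a single process deleting hundreds of files in seconds does. In production the events would come from Sysmon, EDR or file-audit telemetry rather than the constructed list, and the threshold should be tuned against a baseline of normal activity on each host class.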
Affected Countries
Poland (confirmed target of this incident). Ukraine (Sandworm's primary and ongoing target). Germany, Czech Republic, Slovakia, Lithuania (listed as at elevated regional risk; the source reports no attack on them).
Indicators of Compromise
- hash (SHA-1): 4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025
- Adversary: Sandworm
- Pulse Id: 6973fa6df457081a422f550e
- Threat Score: none assigned
Threat ID: 6973fed44623b1157c688627
Added to database: 1/23/2026, 11:05:56 PM
Last enriched: 1/23/2026, 11:20:45 PM
Last updated: 2/6/2026, 5:11:34 AM