Researchers and Polish officials say that a late-December attempt to knock out large portions of Poland’s energy grid was carried out by Russian government-linked hackers using destructive “wiper” malware known as DynoWiper. The Slovakian cybersecurity firm ESET analyzed the malicious code and found similarities to past campaigns by the Sandworm unit of Russia’s GRU military intelligence, concluding the attack was most likely state-sponsored. Polish authorities described the incident as the strongest cyberattack on their infrastructure in years and said it targeted two combined heat and power plants as well as systems managing communications with renewable energy sources. The attack was sophisticated and came near the tenth anniversary of a similar Sandworm attack on Ukraine’s grid, but robust defenses thwarted the effort and no blackout occurred. Polish leaders, including Prime Minister Donald Tusk, have blamed Moscow for the intrusion and underlined the need for enhanced cybersecurity measures moving forward.
Sources:
https://techcrunch.com/2026/01/23/researchers-say-russian-government-hackers-were-behind-attempted-poland-power-outage/
https://www.reuters.com/technology/russian-military-intelligence-hackers-likely-behind-december-cyberattacks-polish-2026-01-23/
https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/
Key Takeaways
• Cybersecurity firm ESET linked the late-December cyberattack on Polish energy infrastructure to Russia’s Sandworm hacking unit through analysis of DynoWiper malware.
• The attack aimed to disrupt combined heat and power plants and renewable energy communications but was stopped before causing a blackout.
• Polish officials have publicly blamed Russian military intelligence and are pushing for stronger national cybersecurity defenses.
In-Depth
In late December 2025, Poland’s energy infrastructure came under a significant cyberattack that could have had serious consequences for citizens in the dead of winter. Cybersecurity analysts and government officials attributed the operation to Sandworm, a Russian military intelligence-linked hacking group that has been implicated in some of the most disruptive cyber incidents of the past decade. Security firm ESET, which examined the malware used in the attack, identified a destructive piece of software called DynoWiper, designed not to steal data or hold systems hostage but to irreversibly erase files and cripple critical systems. This type of malware is built to damage operational infrastructure directly rather than to produce financial gain, a worrying development in hostile cyber operations targeting allied nations’ grids.
Details from multiple independent investigations show that the attackers attempted to breach two combined heat and power plants and sever the digital communication links that tie distributed renewable energy sources—such as wind turbines and solar installations—into the broader power network. By disrupting both centralized plants and the increasingly interconnected renewable management systems, the operation had the potential to cause significant outages across large swaths of the country. Local reporting suggested that as many as half a million homes might have lost power or heat if the attack had succeeded, underscoring the gravity of the threat and the timing, which came during a period of severe winter weather.
Despite the sophistication and potential severity, Polish cybersecurity defenses and international cooperation thwarted the attackers before any widespread outages occurred. Polish Prime Minister Donald Tusk publicly affirmed that at no point was critical infrastructure truly compromised, a point echoed by ESET researchers who noted that they are “not aware of any successful disruption” resulting from the incident. Still, officials in Warsaw have been forthright in assigning responsibility to Russian state actors and have stressed the need for robust, updated digital defenses.
The attack’s linkage to Sandworm is significant because that group has a nearly decade-long history of high-impact cyber warfare, including notorious operations against Ukraine’s energy grid that resulted in real blackouts. The timing of this attempt—almost exactly ten years after a similar operation against Ukraine—has raised alarms in security circles and among NATO members. It serves as a stark reminder that cyber warfare is not an abstract threat but a strategic tool that can be wielded to target allies’ essential services. In response, Poland has signaled its intention to enhance national cybersecurity legislation and invest in stronger protective measures to guard against future incursions from hostile nation-state actors. As energy grids grow more complex and integrated, particularly with renewable and IoT-connected systems, the potential attack surface expands, making heightened preparedness and resilience an urgent priority for governments and private operators alike. The ability to attribute these attacks quickly and accurately will remain critical for deterrence, international cooperation, and the development of effective defensive postures in an age where cyber conflict increasingly parallels traditional military confrontation on the geopolitical stage.

