A previously unknown malware strain named DynoWiper played a central role in a failed cyberattack on Poland’s energy infrastructure in late December 2025. Security researchers at ESET attribute the operation to the Russia-aligned hacking group Sandworm, which has a long history of targeting critical infrastructure across Europe.

Poland’s government confirmed that attackers attempted to disrupt power generation systems, but national defenses blocked the operation before any blackout or operational damage occurred.
DynoWiper Used in Coordinated Infrastructure Attack
ESET researchers analyzed the malware used during the incident and named it DynoWiper. The malware functions as a data-wiping tool designed to destroy files and disable infected systems. ESET security products now detect the threat as Win32/KillFiles.NMO.
Investigators linked the activity to Sandworm based on code behavior and attack techniques that closely match previous wiper campaigns attributed to the group. Sandworm has previously launched destructive attacks against Ukrainian power infrastructure and government networks.
The timing also raised concerns. The incident occurred close to the tenth anniversary of Sandworm’s 2015 power grid attack in Ukraine, which caused the first known malware-driven blackout affecting hundreds of thousands of residents.
What Systems the Attack Targeted
Polish authorities confirmed that attackers focused on multiple energy assets during the December 29–30 operation. The targets included:
- Two combined heat and power (CHP) plants
- Renewable energy management systems, including wind and solar generation platforms
- Communication links between power operators and renewable installations
Officials said the attackers aimed to interfere with energy coordination rather than directly damaging transmission networks. Poland’s cybersecurity teams detected the activity early and isolated affected systems before the malware could cause destruction.
Poland Blocks the Attack Without Power Disruption
Prime Minister Donald Tusk stated that national cybersecurity systems successfully defended against the intrusion. The energy grid remained stable, and citizens experienced no service interruptions.
Government agencies treated the incident as a serious national security event. Poland mobilized security services and accelerated work on additional protective measures for critical infrastructure. Officials also emphasized the need to strengthen protections across both IT systems and operational technology (OT) environments that control industrial equipment.
Despite the attempted attack, Poland recorded a historic peak in energy production shortly afterward, reinforcing confidence in system resilience.
Government Expands Cybersecurity Safeguards
In response to the attack, Poland is preparing new regulatory safeguards under the Act on the National Cybersecurity System. The legislation introduces:
- Stronger risk management requirements
- Mandatory security standards for IT and OT environments
- Enhanced incident response readiness
- Restrictions on high-risk foreign technology in sensitive sectors
Officials stated that these measures aim to improve long-term resilience and reduce exposure to foreign interference in energy and infrastructure systems.
Best Practices to Secure Energy Systems from DynoWiper Malware
While the DynoWiper attack failed, the incident highlights the rising risk to energy operators and industrial networks. Security agencies and vendors recommend several immediate actions:
- Apply security updates promptly across servers, endpoints, and industrial controllers.
- Segment operational networks to prevent malware from moving laterally into control systems.
- Monitor for abnormal file deletion activity, which often signals wiper malware behavior.
- Restrict administrative access and enforce multi-factor authentication on critical systems.
- Test incident response plans regularly, including backup restoration and system isolation drills.
Organizations that manage energy, utilities, or manufacturing systems should also validate that endpoint protection tools recognize DynoWiper signatures and related behaviors.
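
The recommendation above to monitor for abnormal file deletion activity can be prototyped as a sliding-window check over file-deletion telemetry. The sketch below is an added example, not code from ESET, the Polish authorities, or any vendor, and it is not a DynoWiper signature. The event tuple layout, the thresholds, and the host and process names in the sample data are assumptions to be replaced with your own telemetry and baselines.

```python
from collections import defaultdict, deque
from ntpath import dirname  # parses Windows-style paths on any OS

WINDOW_SECONDS = 60   # assumed look-back window
MAX_DELETES = 20      # assumed per-process ceiling inside one window
MIN_DIRECTORIES = 3   # assumed: a wiper walks many folders, a temp cleaner stays in one


def find_deletion_bursts(events, window=WINDOW_SECONDS,
                         max_deletes=MAX_DELETES, min_dirs=MIN_DIRECTORIES):
    """events: time-sorted (epoch_seconds, host, process, deleted_path) tuples."""
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, directory)
    alerted = set()               # raise one alert per (host, process)
    alerts = []
    for ts, host, process, path in events:
        key = (host, process)
        q = recent[key]
        q.append((ts, dirname(path).lower()))
        # Drop deletions that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        dirs = {d for _, d in q}
        if key not in alerted and len(q) > max_deletes and len(dirs) >= min_dirs:
            alerted.add(key)
            alerts.append({"host": host, "process": process, "time": ts,
                           "deletes": len(q), "directories": len(dirs)})
    return alerts


def sample_events():
    """Constructed sample data; every host, process and path is made up."""
    events = []
    # Routine cleanup: 30 deletions in a single temp folder within 30 seconds.
    for i in range(30):
        events.append((1000 + i, "hmi-01", "cleanup.exe",
                       rf"C:\Temp\cache\f{i}.tmp"))
    # Wiper-like burst: 40 deletions across 8 folders within 20 seconds.
    for i in range(40):
        events.append((2000 + i // 2, "eng-ws-02", "unknown.exe",
                       rf"D:\Projects\site{i % 8}\config{i}.dat"))
    # Normal user activity: 10 deletions spread over 90 minutes.
    for i in range(10):
        events.append((3000 + i * 600, "eng-ws-02", "explorer.exe",
                       rf"C:\Users\op\Documents\d{i}\old.txt"))
    return sorted(events)
```

Calling `find_deletion_bursts(sample_events())` flags only the multi-folder burst. The single-folder cleanup job exceeds the count threshold but not the directory spread, which is why both conditions are required.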
Why DynoWiper Malware Poses a Growing Threat to Global Infrastructure
Sandworm continues to evolve its malware arsenal and tactics, targeting energy networks beyond active conflict zones. Even unsuccessful attacks provide attackers with intelligence on defenses and response capabilities.
The DynoWiper incident shows how nation-state actors increasingly test the resilience of power grids, renewable systems, and industrial controls. Governments and operators must treat these campaigns as persistent threats rather than isolated events.
As attackers refine destructive malware, early detection, layered security controls, and coordinated national response strategies remain the strongest defenses.
