Executive Summary
In late December 2025, Poland's energy infrastructure was targeted by a cyberattack involving a data-wiping malware named DynoWiper. The attack aimed to disrupt operations at two combined heat and power plants and several renewable energy facilities. ESET researchers attributed the attack to the Russian state-sponsored group Sandworm, noting similarities to previous incidents involving the group. Fortunately, the malware was intercepted before causing any substantial damage, and no operational disruptions were reported. (welivesecurity.com)
This incident underscores the persistent threat posed by state-sponsored cyber actors to critical infrastructure. The timing, coinciding with the tenth anniversary of Sandworm's first known assault on Ukraine’s power grid in 2015, highlights the group's continued focus on energy sector targets and disruptive operations. (welivesecurity.com)
Why This Matters Now
The attack on Poland's energy infrastructure highlights the ongoing risk of state-sponsored cyber threats to critical infrastructure. The use of destructive malware like DynoWiper demonstrates the evolving tactics of threat actors and the need for robust cybersecurity measures to protect essential services. (welivesecurity.com)
Attack Path Analysis
The Sandworm group initiated the attack by exploiting vulnerabilities in exposed FortiGate firewalls lacking multi-factor authentication, gaining initial access to Poland's energy infrastructure. They escalated privileges by deploying PowerShell scripts to execute commands with elevated rights. Utilizing compromised credentials, they moved laterally across the network to access critical systems. The attackers established command and control channels using compromised servers to maintain persistent access. While exfiltration was not the primary goal, the attackers may have gathered intelligence to facilitate the wiper deployment. Finally, they deployed DynoWiper malware to destroy data and disrupt operations, aiming to render systems inoperable.
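The kill chain above is described only in prose. The following Python script is an added example, not code from the report, from ESET, or from Aviatrix: a small rule-based detector that runs over constructed log lines and flags the three stages the paragraph names from the defender's side. The key=value log format, field names (event, mfa, srcip, elevated, logon_type, target), sample hostnames and addresses, the list of internal address ranges, and the five-minute fan-out window are all assumptions made for this example; a real deployment would map them onto the firewall and Windows event fields actually available. It goes slightly beyond the text by generalising lateral movement into a "one account reaching many hosts in a short window" rule rather than matching a single host pair.

```python
"""Rule-based detector for the intrusion stages described in the report.

Added example, not from the original report or from ESET/Aviatrix. The log
format, field names and every sample value below are constructed for this
demonstration and do not represent real FortiGate or Windows event output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (assumed key=value format, not real device output).
SAMPLE_LOGS = """\
ts=2025-12-29T02:11:05 src=fw01 event=admin_login user=admin srcip=203.0.113.45 mfa=no result=success
ts=2025-12-29T02:12:40 src=fw01 event=admin_login user=ops srcip=10.20.0.8 mfa=yes result=success
ts=2025-12-29T02:20:10 src=srv-app01 event=process_start user=svc_backup image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA" elevated=yes
ts=2025-12-29T02:21:00 src=srv-app01 event=process_start user=jdoe image=powershell.exe cmdline="powershell.exe -File inventory.ps1" elevated=no
ts=2025-12-29T02:25:01 src=dc01 event=logon user=svc_backup srcip=10.20.0.8 target=srv-scada01 logon_type=3
ts=2025-12-29T02:25:09 src=dc01 event=logon user=svc_backup srcip=10.20.0.8 target=srv-hist01 logon_type=3
ts=2025-12-29T02:25:30 src=dc01 event=logon user=svc_backup srcip=10.20.0.8 target=srv-eng02 logon_type=3
ts=2025-12-29T02:25:44 src=dc01 event=logon user=svc_backup srcip=10.20.0.8 target=srv-fs01 logon_type=3
ts=2025-12-29T02:26:02 src=dc01 event=logon user=svc_backup srcip=10.20.0.8 target=srv-ups01 logon_type=3
ts=2025-12-29T03:00:00 src=dc01 event=logon user=jdoe srcip=10.20.0.9 target=srv-fs01 logon_type=3
"""

# key=value pairs; values may be double-quoted and contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# PowerShell switches that hide activity from an operator: encoded command or hidden window.
PS_SUSPICIOUS_RE = re.compile(
    r'(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden')
# Assumed internal address space for this example (RFC 1918 only).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_line(line):
    """Turn one key=value line into a dict; quoted values are unquoted."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_external(ip):
    """True when the address lies outside the assumed internal ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text, window=timedelta(minutes=5), fanout_threshold=4):
    """Return a list of alerts, one per matched stage, in the order found."""
    alerts = []
    logons = defaultdict(list)  # user -> [(timestamp, target host)]
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        event = ev.get("event")
        # Stage 1: successful firewall admin login without MFA from outside.
        if (event == "admin_login" and ev.get("result") == "success"
                and ev.get("mfa") == "no" and is_external(ev.get("srcip", ""))):
            alerts.append({"stage": "initial_access", "ts": ev["ts"],
                           "detail": f"admin login without MFA from external "
                                     f"{ev['srcip']} on {ev['src']}"})
        # Stage 2: elevated PowerShell using encoded/hidden switches.
        elif (event == "process_start"
                and ev.get("image", "").lower().endswith("powershell.exe")
                and ev.get("elevated") == "yes"
                and PS_SUSPICIOUS_RE.search(ev.get("cmdline", ""))):
            alerts.append({"stage": "execution", "ts": ev["ts"],
                           "detail": f"elevated, obfuscated PowerShell as "
                                     f"{ev['user']} on {ev['src']}"})
        # Stage 3 candidates: network logons, grouped per account.
        elif event == "logon" and ev.get("logon_type") == "3":
            logons[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["target"]))
    # Lateral movement: one account reaching many distinct hosts inside the window.
    for user, entries in logons.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            targets = {t for ts, t in entries[i:] if ts - start <= window}
            if len(targets) >= fanout_threshold:
                alerts.append({"stage": "lateral_movement", "ts": start.isoformat(),
                               "detail": f"{user} reached {len(targets)} hosts "
                                         f"within {window}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"[{alert['stage']}] {alert['ts']} {alert['detail']}")
```

On the constructed sample the script raises one alert per stage; the ops login with MFA, the unprivileged PowerShell invocation and jdoe's single logon produce nothing. The fan-out threshold and window are the knobs to tune against a real baseline, since backup and monitoring accounts legitimately touch many hosts.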
Kill Chain Progression
Initial Compromise
Description
The attackers exploited vulnerabilities in exposed FortiGate firewalls lacking multi-factor authentication to gain initial access to the network.
MITRE ATT&CK® Techniques
- Disk Wipe: Disk Content Wipe
- Software Deployment Tools
- Obtain Capabilities: Malware
- Develop Capabilities: Malware
- Valid Accounts
- Valid Accounts: Default Accounts
- Valid Accounts: Domain Accounts
- Valid Accounts: Local Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA Zero Trust Maturity Model 2.0 – Identity (Control ID: Pillar 1)
- ISO/IEC 27001:2022 – Capacity Management (Control ID: A.12.1.3)
- NIST SP 800-53 Rev. 5 – Software, Firmware, and Information Integrity (Control ID: SI-7)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical sector directly targeted by DynoWiper malware in Poland, facing data destruction threats requiring enhanced egress security and zero trust segmentation controls.
Utilities
High-risk infrastructure sector vulnerable to wiper attacks targeting operational technology systems, demanding multicloud visibility and encrypted traffic protection for grid stability.
Government Administration
Strategic target for nation-state wipers like DynoWiper, requiring comprehensive threat detection and east-west traffic security to prevent lateral movement across systems.
Computer/Network Security
Primary stakeholder sector developing defensive capabilities against wiper malware, leveraging intrusion prevention systems and cloud native security fabric for threat intelligence.
Sources
- DynoWiper update: Technical analysis and attribution (https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/)
- Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers (https://www.globenewswire.com/news-release/2026/01/30/3229631/0/en/Russian-Sandworm-group-attacks-energy-company-in-Poland-with-DynoWiper-ESET-Research-discovers.html)
- Sandworm Hackers Target Polish Power Plants Using DynoWiper Malware, Thailand Computer Emergency Response Team (ThaiCERT) (https://www.thaicert.or.th/en/2026/01/26/sandworm-hackers-target-polish-power-plants-using-dynowiper-malware/)
- ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 (https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and escalate privileges within the network, thereby reducing the overall impact on critical systems.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF may have constrained unauthorized access by enforcing identity-aware policies, potentially limiting the attacker's ability to exploit firewall vulnerabilities.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could have limited the attacker's ability to escalate privileges by enforcing strict access controls, potentially reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could have restricted lateral movement by monitoring and controlling internal traffic, potentially limiting the attacker's ability to access critical systems.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could have detected and constrained unauthorized command and control channels, potentially limiting the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could have limited unauthorized data exfiltration by enforcing strict outbound traffic policies, potentially reducing the risk of data loss.
While Aviatrix CNSF may not have prevented the initial deployment of DynoWiper, its segmentation and access controls could have limited the malware's spread, potentially reducing the overall impact on operations.
Impact at a Glance
Affected Business Functions
- Energy Generation
- Energy Distribution
- Renewable Energy Management
Estimated downtime: N/A
Estimated loss: N/A
No data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Implement multi-factor authentication on all external-facing systems to prevent unauthorized access.
- Deploy Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security to monitor and control internal traffic flows.
- Establish robust Threat Detection & Anomaly Response mechanisms to identify and respond to malicious activities promptly.
- Regularly update and patch all systems to mitigate known vulnerabilities.