Executive Summary
In late December 2025, Poland's energy infrastructure was targeted by a coordinated cyberattack deploying a novel data-wiping malware named DynoWiper. The attack aimed to disrupt operations across multiple renewable energy facilities, including wind and solar farms, as well as a major combined heat and power plant serving approximately 500,000 customers. ESET researchers attributed the attack to the Russian state-sponsored group Sandworm with medium confidence, noting similarities to previous incidents involving wiper malware. Fortunately, the attack was intercepted before causing significant operational disruptions. (eset.com)
This incident underscores the evolving threat landscape where state-sponsored actors increasingly target critical infrastructure with destructive malware. The timing, coinciding with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid, highlights the symbolic nature of such operations and the persistent risk to energy sectors globally. (welivesecurity.com)
Why This Matters Now
The DynoWiper attack on Poland's energy sector highlights the escalating threat of state-sponsored cyberattacks targeting critical infrastructure. As geopolitical tensions rise, the energy industry must bolster defenses against sophisticated malware designed to disrupt essential services.
Attack Path Analysis
The adversary initiated the attack by exploiting exposed FortiGate firewalls and VPNs that lacked multi-factor authentication, using default or weak credentials to gain initial access. They then escalated privileges by obtaining domain administrator rights, which enabled deployment of the wiper malware across the network. Using the compromised credentials, the attackers moved laterally to various energy infrastructure systems, including wind farms, solar installations, and a combined heat and power plant. They established command and control channels using tools such as Rubeus and rsocx to maintain access to and control over the compromised systems. The primary objective was data destruction; there is no evidence of data exfiltration in this attack. The attackers deployed DynoWiper to overwrite and delete critical files, causing system reboots and rendering systems inoperable, with the aim of disrupting energy services.
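As an added example (not from the report or any of the cited sources), the Python below correlates the stages described above over constructed, normalised log events: a VPN login with no second factor, the same account being added to Domain Admins, and one process on a host overwriting many files in a short window before initiating a shutdown. The event schema, host names, account names and thresholds are assumptions.

```python
from collections import defaultdict
# Constructed sample events (assumed schema, hypothetical host and user names):
# no-MFA VPN login, Domain Admins add, 80 overwrites by one process, then reboot.
EVENTS = (
    [{"ts": 0, "host": "vpn-fw01", "type": "vpn_login",
      "user": "svc_backup", "mfa": False, "src": "203.0.113.7"},
     {"ts": 600, "host": "dc01", "type": "group_add",
      "user": "svc_backup", "group": "Domain Admins"}]
    + [{"ts": 3600 + i, "host": "hmi02", "type": "file_write",
        "proc": "dyno.exe", "path": f"C:\\scada\\cfg{i}.dat"} for i in range(80)]
    + [{"ts": 3700, "host": "hmi02", "type": "shutdown", "proc": "dyno.exe"}]
)

def no_mfa_vpn_logins(events):
    """Users who reached the VPN without a second factor."""
    return {e["user"] for e in events if e["type"] == "vpn_login" and not e["mfa"]}

def domain_admin_adds(events):
    """Users added to Domain Admins: the privilege-escalation stage."""
    return {e["user"] for e in events
            if e["type"] == "group_add" and e["group"] == "Domain Admins"}

def wiper_hosts(events, threshold=50, window=60):
    """Hosts where one process wrote or deleted >= threshold files within
    `window` seconds and then initiated a shutdown (overwrite-then-reboot)."""
    by_proc, reboots = defaultdict(list), set()
    for e in events:
        if e["type"] in ("file_write", "file_delete"):
            by_proc[(e["host"], e["proc"])].append(e["ts"])
        elif e["type"] == "shutdown":
            reboots.add((e["host"], e["proc"]))
    hits = set()
    for key, ts in by_proc.items():
        if key not in reboots:
            continue  # mass writes alone are noisy (backups, patching)
        ts.sort()
        j = 0  # sliding window over sorted timestamps
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                hits.add(key[0])
                break
    return hits

def correlate(events):
    """Join the stages into one alert-ready summary."""
    escalated = no_mfa_vpn_logins(events) & domain_admin_adds(events)
    return {"escalated_users": sorted(escalated), "wiper_hosts": sorted(wiper_hosts(events))}
```

The shutdown requirement keeps legitimate bulk file activity out of the wiper alert; tune `threshold` and `window` to each host class.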
Kill Chain Progression
Initial Compromise
Description
The adversary exploited exposed FortiGate firewalls and VPNs without multi-factor authentication, using default or weak credentials to gain initial access to the network.
MITRE ATT&CK® Techniques
- File and Directory Discovery
- Windows File and Directory Permissions Modification
- Access Token Manipulation
- Data Destruction
- System Shutdown/Reboot
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- NIST SP 800-53, Control ID SI-7 – Software, Firmware, and Information Integrity
- PCI DSS 4.0, Control ID 6.2 – Protect all systems and networks from malicious software
- NYDFS 23 NYCRR 500, Control ID 500.03 – Cybersecurity Policy
- DORA, Article 5 – ICT Risk Management Framework
- NIS2 Directive, Article 21 – Cybersecurity Risk Management Measures
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Sandworm's use of DynoWiper against Polish energy infrastructure demonstrates the sector's critical vulnerability to state-sponsored wiper attacks that destroy operational data and systems.
Utilities
Utilities face severe disruption risk from DynoWiper's file corruption and system shutdown capabilities, threatening SCADA systems and critical infrastructure operational continuity.
Government Administration
Government systems are vulnerable to DynoWiper's data destruction tactics, requiring enhanced east-west traffic security and zero trust segmentation against state-sponsored attacks.
Computer/Network Security
Security providers must address DynoWiper's evasion techniques and develop countermeasures for wiper malware targeting critical infrastructure through lateral movement prevention.
Sources
- Under the Hood of DynoWiper (SANS ISC diary, Thu, Feb 19th): https://isc.sans.edu/diary/rss/32730
- DynoWiper update: Technical analysis and attribution (ESET WeLiveSecurity): https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
- Energy Sector Incident Report – 29 December (CERT Polska): https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
- Wiper malware targeted Poland energy grid, but failed to knock out electricity (Ars Technica): https://arstechnica.com/security/2026/01/wiper-malware-targeted-poland-energy-grid-but-failed-to-knock-out-electricity/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally and escalate privileges within the network, thereby reducing the overall impact on critical energy infrastructure systems.
- Cloud Native Security Fabric (CNSF): The attacker's initial access would likely have been constrained, limiting their ability to exploit exposed firewalls and VPNs lacking multi-factor authentication.
- Zero Trust Segmentation: The attacker's ability to escalate privileges would likely have been limited, reducing their capacity to deploy malware across the network.
- East-West Traffic Security: The attacker's lateral movement would likely have been constrained, reducing their ability to access multiple energy infrastructure systems.
- Multicloud Visibility & Control: The attacker's command and control channels would likely have been detected and disrupted, limiting their ability to maintain control over compromised systems.
- Egress Security & Policy Enforcement: Any potential data exfiltration attempts would likely have been identified and blocked, reducing the risk of data loss.
The overall impact on energy services would likely have been reduced, limiting the extent of system inoperability and service disruption.
Impact at a Glance
Affected Business Functions
- Energy Distribution Monitoring
- Remote Substation Control
- Grid Management Systems
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Implement multi-factor authentication (MFA) on all remote access points, including VPNs and firewalls, to prevent unauthorized access.
- Enforce strong password policies and regularly audit credentials to eliminate default or weak passwords.
- Deploy Zero Trust Segmentation to restrict lateral movement within the network, limiting attackers' ability to access critical systems.
- Utilize East-West Traffic Security controls to monitor and control internal traffic, detecting and preventing unauthorized communications.
- Establish comprehensive Threat Detection & Anomaly Response mechanisms to identify and respond to malicious activities promptly.