Executive Summary
In late 2025, a highly targeted cyberattack attributed to the Sandworm group struck Poland's national power grid. Using custom data-wiping malware identified as DynoWiper, the attackers infiltrated critical infrastructure networks, demonstrating sophisticated knowledge of operational technology environments. The initial compromise involved lateral movement through segmented OT/IT networks, facilitated by exploitation of unprotected east-west traffic and weak segmentation controls. The subsequent deployment of DynoWiper caused destructive impacts, including service outages and loss of operational data across several regional substations, with cascading effects on grid stability and dependent sectors. Immediate containment was complicated by attacker persistence and the rapid spread of the wiper.
This incident underscores the rising trend of advanced, nation-state wiper malware targeting critical infrastructure, reflecting a shift from espionage to destructive tactics. Organizations face elevated urgency to harden network segmentation, implement robust egress security, and adopt zero trust operational models in light of these evolving threats.
Why This Matters Now
Wiper attacks on critical infrastructure represent a significant escalation in cyber risk, threatening not only business continuity but national security and societal stability. Proactive defenses against data-wiping operations, especially in essential sectors, are urgently needed as geopolitical tensions and targeting of vital services intensify.
Attack Path Analysis
The attack on Poland's power grid began with the adversary, likely Sandworm, establishing an initial foothold through a network vulnerability or misconfiguration. They escalated privileges within the cloud and data center environment, enabling broader access. Attackers then moved laterally across internal infrastructure to reach critical systems. Command & Control was set up via covert outbound connections to remotely issue wiper malware commands. While mass data exfiltration was not the primary goal, some outbound communication for tooling or staging may have occurred. Finally, the DynoWiper malware executed destructive payloads, wiping key systems and disrupting operational technology of the power grid.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained an initial foothold, likely exploiting a cloud service misconfiguration, vulnerable middleware, or public-facing system.
Related CVEs
CVE-2024-7344
CVSS 8.2. A vulnerability in UEFI Secure Boot allows attackers to bypass security features, potentially leading to unauthorized code execution.
Affected Products:
Multiple UEFI Firmware – Various
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
ATT&CK techniques selected for rapid filtering based on common ICS/data-wiper adversary behavior; further enrichment via STIX/TAXII available in future versions.
Data Destruction
Disk Wipe
User Execution
Windows Management Instrumentation
Valid Accounts
Obfuscated Files or Information
Data from Local System
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Ensuring business continuity and crisis management
Control ID: Art. 21(2)(d)
DORA (Digital Operational Resilience Act) – ICT Security and Resilience
Control ID: Art. 10(1)
PCI DSS 4.0 – Implement and test incident response procedures
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Business Continuity and Disaster Recovery Plan
Control ID: 500.16
CISA ZTMM 2.0 – Resilience and Recovery
Control ID: ZT-06
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure directly targeted by Sandworm's DynoWiper attack on Poland's power grid, requiring enhanced segmentation and egress security controls.
Government Administration
High-value target for nation-state actors using data wipers, necessitating zero trust segmentation and encrypted traffic protection for sensitive operations.
Defense/Space
Strategic sector vulnerable to APT groups deploying destructive malware, requiring multicloud visibility and threat detection capabilities for mission-critical systems.
Oil/Energy/Solar/Greentech
Energy infrastructure faces attack vectors similar to those seen in the power grid incident, demanding robust east-west traffic security and anomaly detection systems.
Sources
- ESET Research: Sandworm behind cyberattack on Poland's power grid in late 2025 – https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
- New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector – https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html
- Researchers say Russian government hackers were behind attempted Poland power outage – https://techcrunch.com/2026/01/23/researchers-say-russian-government-hackers-were-behind-attempted-poland-power-outage/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, privileged access restrictions, east-west traffic controls, and robust egress filtering would have disrupted adversary privilege escalation, lateral movement, and remote command activity—severely limiting the attack's ability to reach and destroy operational assets.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline controls block known malicious payloads and reduce external attack surface.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation and least privilege access limit privilege escalation scope.
Control: East-West Traffic Security
Mitigation: Internal traffic is tightly controlled to prevent unauthorized lateral movement.
Control: Multicloud Visibility & Control
Mitigation: Anomalous C2 communications are detected and policy-enforced.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound and exfil channels are blocked and logged.
Early anomalies or destructive actions are rapidly detected for response.
Impact at a Glance
Affected Business Functions
- Energy Distribution
- Power Generation
Estimated downtime: N/A
Estimated loss: N/A
No data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Enforce identity-based microsegmentation and least privilege to prevent privilege escalation and lateral movement between critical workloads.
- Implement egress filtering and centralized outbound policy enforcement to disrupt C2 and exfiltration attempts from all workloads and zones.
- Deploy inline intrusion prevention and distributed inspection to block exploit traffic and detect known wiper/ransomware payloads at the earliest stages.
- Enhance real-time network visibility and anomaly detection, including internal east-west traffic monitoring, to rapidly uncover attacker movement and destructive actions.
- Regularly update and audit Zero Trust segmentation, encryption, and policy enforcement across multicloud and hybrid cloud environments in line with CNSF best practices.
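As an added illustration of the east-west and egress controls recommended above (example code, not part of the report or of any vendor product): a small Python audit that checks constructed flow-log lines against an OT/IT zone policy and flags IT-to-OT lateral movement, OT hosts initiating outbound connections, and egress that bypasses the proxy. The zone ranges, proxy address, port allowlist and log format are all assumptions.

```python
import ipaddress, re
ZONES = {  # constructed zone layout (assumption, not from the report); JUMP is checked before IT
    "JUMP": ipaddress.ip_network("10.10.250.0/24"),  # hardened admin hosts inside the IT range
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}
EGRESS_PROXY = ipaddress.ip_address("10.10.1.5")  # the only host permitted to reach the internet
POLICY = {  # allowed (src_zone, dst_zone) pairs; a set limits destination ports, None allows any port
    ("OT", "OT"): {102, 502, 20000},  # S7comm, Modbus/TCP, DNP3 between OT assets
    ("JUMP", "OT"): {22, 3389},       # admin access into OT only from jump hosts
    ("IT", "IT"): None,
}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the modelled zones is treated as external."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "EXTERNAL")

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'ALLOW' or a 'VIOLATION: ...' reason for one flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if dz == "EXTERNAL":  # egress: never from OT, and from IT only through the proxy
        if sz == "OT":
            return "VIOLATION: OT asset initiating outbound connection (possible C2/staging)"
        if ipaddress.ip_address(src) != EGRESS_PROXY:
            return "VIOLATION: outbound connection bypassing egress proxy"
        return "ALLOW"
    if (sz, dz) not in POLICY:
        return f"VIOLATION: {sz}->{dz} traffic not permitted (possible lateral movement)"
    if POLICY[(sz, dz)] is not None and dport not in POLICY[(sz, dz)]:
        return f"VIOLATION: {sz}->{dz} port {dport} not on allowlist"
    return "ALLOW"

def audit(lines):
    """Return (line, reason) for every flow-log line that breaks the zone policy."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        verdict = evaluate(m.group(1), m.group(2), int(m.group(3))) if m else "ALLOW"
        if verdict != "ALLOW":
            findings.append((line, verdict))
    return findings
SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-12-29T03:14:07Z src=10.10.42.17 dst=10.20.3.8 dport=445 proto=tcp",     # IT workstation -> OT SMB
    "2025-12-29T03:14:09Z src=10.10.250.4 dst=10.20.3.8 dport=3389 proto=tcp",    # jump host -> OT RDP
    "2025-12-29T03:15:02Z src=10.20.3.8 dst=203.0.113.45 dport=443 proto=tcp",    # OT host -> internet
    "2025-12-29T03:15:30Z src=10.20.3.8 dst=10.20.7.1 dport=502 proto=tcp",       # Modbus inside OT
    "2025-12-29T03:16:11Z src=10.10.42.17 dst=198.51.100.9 dport=443 proto=tcp",  # IT host bypassing proxy
]
```

Running `audit(SAMPLE_LOG)` reports three of the five flows; the jump-host RDP session and the Modbus exchange inside OT pass, which is the point of an explicit allowlist rather than a blocklist.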