Executive Summary
In May 2024, cyber researchers reported a high-profile attack attempt targeting Poland’s power grid infrastructure. The operation was attributed to Sandworm, a Russian APT group notorious for wiper malware and sabotage against critical national infrastructure. Attackers leveraged custom malware designed to disrupt grid operations, but strong detection and security controls reportedly thwarted the attempt, preventing widespread outages. The incident highlighted Sandworm’s persistent focus on critical infrastructure in Central Europe and their evolving tactics for sabotaging operational technology environments.
This case underscores a larger trend of state-aligned threat actors targeting energy and critical infrastructure in Europe, leveraging specialized wiper tools and lateral movement techniques. It also emphasizes increasing cross-border cyber risk as geopolitical tensions escalate and underscores new regulatory scrutiny for critical sectors.
Why This Matters Now
Attacks on power grids and essential services by advanced threat actors are increasing, with wipers and destructive malware now common tools for state-aligned groups. This incident is a warning for critical infrastructure operators globally to reassess cybersecurity programs, invest in resilience, and address compliance gaps to mitigate potentially catastrophic disruption.
Attack Path Analysis
Sandworm initiated the attack by exploiting a vulnerable or misconfigured service to gain a foothold in the OT environment (Initial Compromise), followed by attempts to escalate privileges by targeting local or domain accounts (Privilege Escalation). With elevated access, they moved laterally through east-west communications in the network, seeking additional critical systems (Lateral Movement). The attackers then established command and control using covert or anomalous outbound channels to maintain persistence (Command & Control). Exfiltration may have been attempted, but network controls may have limited data loss (Exfiltration). Ultimately, their objective was to execute wiper malware to disrupt or destroy the operational systems controlling the power grid (Impact).
Kill Chain Progression
Initial Compromise
Description
Adversaries gained access via exploitation of a vulnerable service or misconfiguration in the power grid’s connected infrastructure.
Related CVEs
CVE-2022-23176
CVSS 9.8. A privilege escalation vulnerability in WatchGuard Firebox and XTM appliances allows remote attackers to execute arbitrary code.
Affected Products:
WatchGuard Firebox and XTM appliances – 12.5.9 and earlier
Exploit Status:
exploited in the wild
CVE-2014-4114
CVSS 9.3. A vulnerability in Windows OLE allows remote attackers to execute arbitrary code via crafted Microsoft Office files.
Affected Products:
Microsoft Windows – Vista, 7, 8, 8.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques selected for high-level incident filtering; further STIX/TAXII enrichment and sub-technique details may be added based on deeper investigation.
Disk Wipe
Data Destruction
Supply Chain Compromise
Phishing
Valid Accounts
Obfuscated Files or Information
Command and Scripting Interpreter
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan Implementation
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Device Monitoring and Response
Control ID: Pillar: Devices / Detection & Response
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure faces devastating wiper attacks from Sandworm APT, requiring enhanced east-west traffic security and zero trust segmentation for power grid protection.
Oil/Energy/Solar/Greentech
Energy sector vulnerable to Russian state-sponsored wiper attacks targeting operational technology, necessitating encrypted traffic monitoring and egress security policy enforcement.
Government Administration
Government entities face heightened risk from Sandworm's infrastructure-focused wiper campaigns, requiring multicloud visibility and threat detection capabilities for national security.
Computer/Network Security
Cybersecurity organizations must enhance threat detection and anomaly response capabilities to counter sophisticated APT wiper attacks on critical infrastructure clients.
Sources
- Sandworm Blamed for Wiper Attack on Poland Power Grid – https://www.darkreading.com/threat-intelligence/sandworm-wiper-attack-poland-power-grid
- ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 – https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
- Russian Sandworm Hackers Blamed for Cyberattack on Polish Power Grid – https://www.securityweek.com/russian-sandworm-hackers-blamed-for-cyberattack-on-polish-power-grid/
- New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector – https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Segmentation, east-west traffic security, inline prevention, and rigorous egress controls would have raised the barrier at each kill chain stage: isolating workloads, constraining lateral movement, and restricting both command & control and data exfiltration channels. These controls are instrumental in defending cloud-connected critical infrastructure against advanced wiper attacks.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Real-time inline inspection would block known exploit patterns at the perimeter.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation would impede privilege escalation beyond initial ingress point.
Control: East-West Traffic Security
Mitigation: Microsegmentation controls block unauthorized east-west connections.
Control: Multicloud Visibility & Control
Mitigation: Anomalous or unauthorized outbound traffic patterns are detected and can be rapidly responded to.
Control: Egress Security & Policy Enforcement
Mitigation: Strict egress filtering blocks data exfiltration to unauthorized destinations.
Isolation of sensitive OT workloads minimizes scope and effect of destructive malware.
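The east-west and egress controls listed above reduce to one rule: a flow is permitted only if an explicit policy allows it, and everything else is denied and surfaced for review. The following is an added illustration, not code from the original advisory or from any vendor product, of that default-deny evaluation applied to constructed flow records. The zones, address ranges, ports and flows are all made up for the example; the only real-world touchpoints are the standard OPC UA (4840), Modbus (502), SMB (445) and HTTPS (443) port numbers.

```python
"""
Added example (not from the original advisory or any vendor product): a small
zone-based policy evaluator that applies the "east-west segmentation" and
"strict egress filtering" ideas from the mitigation list to constructed
network flow records. All hosts, zones, ranges and flows below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones for an OT-connected network (constructed for this example).
ZONES = {
    "ot_control": ip_network("10.10.0.0/24"),
    "ot_historian": ip_network("10.10.1.0/24"),
    "it_corp": ip_network("10.20.0.0/16"),
}

# Allowed cross-zone (east-west) flows: (source zone, destination zone, dst port).
# Anything not listed is denied by default.
EAST_WEST_ALLOW = {
    ("ot_control", "ot_historian", 4840),   # OPC UA from controllers to historian
    ("it_corp", "ot_historian", 443),       # corp users read dashboards over HTTPS
}

# Allowed egress destinations per zone. OT zones deliberately have no entry,
# so any direct external connection from them is denied.
EGRESS_ALLOW = {
    "it_corp": {ip_network("203.0.113.0/24")},  # constructed vendor update range (TEST-NET-3)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str):
    """Return the zone name containing addr, or None if the address is external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Classify one flow as 'allow', 'deny-east-west', 'deny-egress' or 'ignore-inbound'."""
    src_zone = zone_of(flow.src)
    dst_zone = zone_of(flow.dst)
    if src_zone is None:
        # Inbound from outside is the perimeter's job; out of scope for this evaluator.
        return "ignore-inbound"
    if dst_zone is not None:
        # Zone-level policy: intra-zone traffic is allowed here; host-level
        # microsegmentation would tighten this further.
        if src_zone == dst_zone or (src_zone, dst_zone, flow.dport) in EAST_WEST_ALLOW:
            return "allow"
        return "deny-east-west"
    dst_ip = ip_address(flow.dst)
    for net in EGRESS_ALLOW.get(src_zone, ()):
        if dst_ip in net:
            return "allow"
    return "deny-egress"


def summarize(flows):
    """Return verdict counts plus the denied flows, for alerting and review."""
    counts: dict = {}
    denied = []
    for f in flows:
        verdict = evaluate(f)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict.startswith("deny"):
            denied.append((verdict, f))
    return counts, denied


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.10.1.10", 4840),     # controller -> historian OPC UA: allowed
    Flow("10.20.3.7", "10.10.1.10", 443),      # corp -> historian HTTPS: allowed
    Flow("10.20.3.7", "10.10.0.5", 445),       # corp -> controller SMB: lateral movement, denied
    Flow("10.10.0.5", "10.10.0.6", 502),       # intra-zone Modbus: allowed
    Flow("10.10.0.5", "198.51.100.9", 8443),   # controller -> unknown external host: egress denied
    Flow("10.20.3.7", "203.0.113.20", 443),    # corp -> vendor update range: allowed
]

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_FLOWS)
    print(counts)
    for verdict, f in denied:
        print(verdict, f)
```

Run against the constructed flows, the corp-to-controller SMB attempt is reported as an east-west violation and the controller's direct external connection as an egress violation; both are the kinds of events the mitigation list above expects to be detected and blocked rather than silently permitted.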
Impact at a Glance
Affected Business Functions
- Energy Distribution
- Renewable Energy Management
Estimated downtime: N/A
Estimated loss: N/A
No data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and microsegmentation to reduce lateral movement opportunities within critical OT and cloud environments.
- Enforce robust east-west traffic controls and visibility to rapidly detect and block unauthorized workload-to-workload communication.
- Deploy egress filtering and policy enforcement to ensure only sanctioned outbound communications and prevent both command & control and data exfiltration.
- Integrate Cloud Native Security Fabric capabilities, including real-time inline inspection and distributed policy, to interrupt initial exploits and privilege escalation attempts.
- Continuously monitor and respond to anomalous behaviors using centralized multicloud observability and incident response automation.