Sandworm Suspected in December Attacks on Polish Grid
- Researchers at Slovakia‑based ESET attribute late‑December cyberattacks on Poland’s power system to the Russian military intelligence group known as Sandworm.
- The attackers attempted to deploy destructive malware called DynoWiper, but investigators and Polish officials report no confirmed operational disruption.
- The timing and code overlaps with past incidents have raised concerns about a pattern of destructive operations tied to the same actor.
Attribution and malware
ESET researchers said their analysis of the malware used in the December incidents points to Sandworm, a unit long linked to Russian military intelligence. Their assessment rests on operational patterns and code overlaps with previous destructive campaigns attributed to the group. DynoWiper, the strain identified in the attack, is designed to erase files and render systems inoperable if executed successfully. Polish officials and the researchers both reported that they are not aware of any successful disruption resulting from the attempted deployment.
Scope and impact
Sandworm has been publicly tied by U.S. and U.K. authorities to a series of high‑profile destructive cyberattacks over more than a decade. The December operation targeted components of Poland’s energy infrastructure and was described by the country’s energy minister as the strongest such assault in years. ESET noted the attack coincided with the tenth anniversary of a Sandworm‑linked malware blackout in Ukraine, a milestone that underlines the group’s history of targeting power systems. No immediate comment was available from the Russian Embassy in Washington.
Context and response
Attribution to a state‑linked actor raises geopolitical as well as technical questions about intent and escalation in cyberspace. Researchers emphasized that code similarities and tactics do not by themselves prove motive, but they do help map a consistent operational profile across incidents. The Polish government has publicly framed the December events as unsuccessful in terms of causing outages, while investigators continue to examine forensic traces. Governments and utilities in the region are reviewing defensive measures and incident response plans in light of the findings.
Historical precedent shows that attacks on energy infrastructure can have cascading effects beyond immediate outages, affecting communications and emergency services. Some analysts warn that the recurrence of destructive tools like DynoWiper increases the urgency for coordinated public‑private cyber defences. Security teams are likely to focus on segmentation, backups and rapid recovery capabilities to reduce the risk of file‑wiping malware achieving its aims. Further forensic work and international information‑sharing will be needed to clarify the full scope and origin of the December campaign.
