Poland on the electric tightrope: Sandworm's cyber attempt and the era of destructive wipers


In the last days of December 2025, Poland suffered what the authorities describe as the most ambitious attempt at cyber destabilization of its electrical system in years. Although the attack failed to interrupt supply, the episode has raised alarms about the sophistication and persistence of the actors targeting critical infrastructure.

According to the Polish government and research published by the Slovak company ESET, the operation was attributed to the Russian state-linked hacking group known as Sandworm. ESET analysts identified in that campaign previously undocumented data-wiping malware, which they named DynoWiper, and observed technical overlaps with other destructive tools used by the same actor in the past. You can read the ESET technical report here: ESET - research into the attack on the Polish electricity network.

Image generated with AI.

Polish energy minister Miłosz Motyka reported that, despite the magnitude of the attempt, the defenses prevented significant operational damage. The attacks, which took place between 29 and 30 December 2025, were aimed at two combined heat and power (CHP) plants and a management system for renewable energy assets such as wind and solar farms. The official government account and the measures announced can be found in the Prime Minister's office statement: Government of Poland - response to cyber attacks.

The attribution to Sandworm, according to the experts, is not based on a single overlap but on a series of overlaps in techniques, tools and procedures that recall previous campaigns attributed to that group, which was responsible in 2015 for an attack that left part of the Ivano-Frankivsk region of Ukraine without electricity. That precedent, which combined the BlackEnergy Trojan with the KillDisk wiper, remains an uncomfortable reminder of what these operations can cause when they reach their goal: analysis of the anniversary of the blackout in Ukraine.

It is important to understand what a "wiper", or data-destruction malware, does: unlike ransomware, whose goal is usually to encrypt data and demand a ransom, a wiper seeks to damage or delete information irreversibly, and often erases forensic traces as well. Wipers are designed to cause damage, not profit, and when used against industrial control systems (OT) they can affect everything from the availability of services to the ability to restore normal operations without falling back on intact backups.

The end-of-2025 campaign fits a trend observed during the year, in which actors like Sandworm tested variants and families of destructive malware targeting sectors such as energy, transport, logistics and public administration. In June 2025, for example, Cisco Talos researchers reported the emergence of a wiper called PathWiper that affected a critical infrastructure entity in Ukraine, and other reports documented variants such as ZEROLOT and Sting in attacks directed at university networks and key sectors during the same period. For those who want to dig deeper into Talos's work and its alerts, the Cisco Talos blog is a good starting point: Cisco Talos - blog.

In the face of this reality, the Polish authorities have announced legal and technical reinforcements. Prime Minister Donald Tusk has pointed out the need to tighten standards on risk management, on the protection of both IT and OT systems, and on incident response protocols, measures that aim to raise resilience against upcoming campaigns. Reuters covered the minister's statement and the assessment of the failed attempt: Reuters - incident coverage.

Image generated with AI.

For infrastructure companies and operators, this type of attack offers several practical lessons. Keeping OT and IT networks segmented, validating and protecting backups (preferably with air-gapped replicas), implementing behavior-based early detection, and enriching threat intelligence with indicators from previous campaigns are measures that can make the difference between a rapid recovery and a prolonged crisis. International cooperation and intelligence sharing between cyber security companies and governments are also critical, because adversaries do not respect borders and often reuse known tools and tactics.

Beyond the technical side, the Polish episode highlights a geopolitical issue: when operations are attributed to groups with state ties, the responses are not only technical but also diplomatic and strategic. Sanctions, public accusations and defensive reinforcements are often part of the repertoire, but long-term prevention requires constant investment in talent, infrastructure and public policies that raise the deterrence threshold.

In short, what happened in Poland at the end of December 2025 is a reminder that power grids and the systems that manage the energy transition are attractive targets for actors with sophisticated capabilities. Reactive defenses are not enough: comprehensive, up-to-date and coordinated strategies are needed to protect what, today more than ever, has become critical infrastructure for daily life and collective security.
