Sandworm attacks Polish energy: the new threshold of cyberconflict


In late December 2025, an attack directed at Poland's energy infrastructure made it clear that war in cyberspace keeps escalating beyond guns and missiles: the offensive was linked to Sandworm, the cyber attack group associated with Russian services that has for years demonstrated its ability to cause physical and logistical damage through malicious software.

Sandworm, also tracked by some analysts as UAC-0113, APT44 or Seashell Blizzard, is a collective that the intelligence community and several security firms associate with the Russian military unit known as GRU Unit 74455. Since it first came to public attention in 2009, it has run major and sometimes deliberately destructive campaigns against civilian and state targets. Its record includes the sabotage of the electricity supply in Ukraine a decade ago, an incident that left hundreds of thousands of people without power and marked a before and after in the perception of the risk to industrial control systems.


In the Polish case, the authorities said the actions were concentrated on two cogeneration plants and a renewable energy management system responsible for coordinating resources such as wind and photovoltaic parks. Official sources noted that "everything points" to the involvement of actors linked to the Russian services; the Polish Government's statement reflects the seriousness of the attack and the measures taken to contain it and protect the networks concerned. The official communiqué is available on the Polish Government's website: Poland projects cyberattacks on energy infrastructure.

Analysts at ESET attributed the campaign to Sandworm and noted the use of a new data-wiping program that the industry has named DynoWiper. So-called "wipers" are tools designed to traverse file systems and destroy information en masse; their execution not only destroys data but usually leaves the operating system unusable, forcing full recovery from backups or reinstallation. ESET identifies DynoWiper under the Win32/KillFiles.NMO detection and has published an associated SHA-1 hash, which helps response teams compare artifacts; ESET's main page offers context on its analysis: ESET.

An actual sample of this wiper has not yet appeared in the usual public repositories, according to journalistic reporting. Malware submission sites such as VirusTotal, Any.Run or Triage do not show, at least publicly, an indexed DynoWiper sample related to this incident, a detail that complicates open analysis and independent verification by the technical community; BleepingComputer has covered these limitations in its follow-up to the news: BleepingComputer.

The shadow of previous experience in Eastern Europe makes this operation particularly disturbing. In December 2015 Sandworm was held responsible for an attack that left about 230,000 consumers without electricity in Ukraine, a precedent that showed the risk is no longer theoretical: a cyber attack can result in blackouts and interruptions of essential services. That lesson highlights why critical services should prioritize resilience, from network segmentation strategies to tested recovery plans and offline backups.

Beyond attribution and the malware's signature, one of the technical questions still to be answered is how long the attackers remained inside the compromised environments before activating the wiper, and what the initial intrusion path was: exploitation of vulnerabilities, spear-phishing emails, access through accounts with stolen credentials, or lateral movement from a separate breach are all plausible scenarios. For security teams seeking to strengthen their defenses, experts recommend reviewing recent research into the activity of Sandworm and its subgroups; in February 2025 Microsoft published a comprehensive report on related campaigns that can serve as a guide for identifying relevant indicators of compromise and tactics: Microsoft: The BadPilot Campaign.

During 2025, analysts had already tracked Sandworm's shift toward destructive incidents in Ukraine that affected sectors such as education, public administration and agricultural logistics at different times of the year. This operational continuity shows a pattern of repetition and evolution in tooling, from easily recoverable variants to more aggressive ones that are harder to analyse publicly, which complicates international mitigation and accountability.


The Polish episode puts political and technical issues on the table at the same time. At the political level, linking an attack to a state actor raises questions about multilateral response and deterrence in the cyber domain. At the technical level, it recalls three practical priorities: check and test backups to make sure they are recoverable; strengthen segmentation and access control for industrial control networks to minimize lateral movement; and increase telemetry visibility to detect unusual activity before it turns into mass data destruction.
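As an added illustration of the telemetry priority above (not code from the article, ESET or any vendor): a small Python detector that flags a process performing a burst of destructive file operations across several directories, run over constructed endpoint file events. The log format, field names, thresholds and the sample lines are all assumptions.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
DESTRUCTIVE = {"delete", "overwrite"}   # actions counted as destructive
WINDOW = timedelta(seconds=10)          # assumed sliding window per process
MIN_EVENTS = 4                          # assumed: destructive events within the window
MIN_DIRS = 3                            # assumed: distinct directories hit in the window
# Constructed sample telemetry (not from the incident): one file event per line.
SAMPLE_TELEMETRY = """\
2025-12-29T03:14:02 pid=2210 proc=backup.exe action=overwrite path=D:\\backup\\db\\part1.bak
2025-12-29T03:14:03 pid=2210 proc=backup.exe action=overwrite path=D:\\backup\\db\\part2.bak
2025-12-29T03:14:04 pid=2210 proc=backup.exe action=overwrite path=D:\\backup\\db\\part3.bak
2025-12-29T03:14:05 pid=2210 proc=backup.exe action=overwrite path=D:\\backup\\db\\part4.bak
2025-12-29T03:14:10 pid=4120 proc=svc_upd.exe action=overwrite path=C:\\Windows\\System32\\drivers\\etc\\hosts
2025-12-29T03:14:11 pid=4120 proc=svc_upd.exe action=delete path=C:\\Users\\ops\\Documents\\plan.xlsx
2025-12-29T03:14:11 pid=4120 proc=svc_upd.exe action=read path=C:\\Users\\ops\\Documents\\my notes.txt
2025-12-29T03:14:11 pid=4120 proc=svc_upd.exe action=overwrite path=C:\\ProgramData\\scada\\config.ini
2025-12-29T03:14:12 pid=4120 proc=svc_upd.exe action=delete path=C:\\Users\\ops\\Documents\\report.docx
"""

def parse_event(line):
    """Parse one telemetry line into a dict; return None for malformed lines."""
    try:
        ts, *kv = line.split(maxsplit=4)    # path comes last and may contain spaces
        f = dict(p.split("=", 1) for p in kv)
        return {"ts": datetime.fromisoformat(ts), "pid": f["pid"], "proc": f["proc"],
                "action": f["action"], "path": f["path"]}
    except (ValueError, KeyError):
        return None

def detect_wiper_bursts(lines):
    """Return one alert per process whose destructive events in WINDOW span MIN_DIRS dirs."""
    recent = defaultdict(deque)             # pid -> deque of (timestamp, directory)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in DESTRUCTIVE:
            continue                        # reads and malformed lines are ignored
        q = recent[ev["pid"]]
        q.append((ev["ts"], os.path.dirname(ev["path"].replace("\\", "/"))))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()                     # drop events older than the window
        dirs = {d for _, d in q}
        # A backup job rewrites many files in one place; a wiper sweeps many directories.
        if len(q) >= MIN_EVENTS and len(dirs) >= MIN_DIRS and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "events": len(q),
                           "dirs": sorted(dirs), "at": ev["ts"].isoformat()})
    return alerts
```

Fed with EDR or Sysmon file-event logs normalised to this shape, the directory-spread check is what separates a backup job rewriting one folder from a process sweeping the tree; thresholds need tuning per host role.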

For security leaders and critical infrastructure operators the conclusion is stark: the threats are persistent, sophisticated and, in the hands of actors with state capacity, are not limited to espionage or exfiltration but can become attacks that paralyse services. The combination of shared intelligence, coordinated response between companies and states, and robust technical measures is the best practical defense today. Those who want to dig deeper into the tactics, techniques and indicators associated with Sandworm will find in the analyses of cybersecurity companies and the public reports of large vendors a basis for updating protocols and detections; beyond the Microsoft report mentioned above, following national response centres and private laboratories makes it possible to keep up and share lessons in real time.

The story of the attack on Poland is not just another note in the security press: it is a reminder that modern infrastructures, especially those that integrate distributed generation with cloud or on-premises management systems, require constant monitoring and cooperation between sectors. In a world where cyberconflict transcends borders, the resilience of essential services is a collective responsibility that cannot be postponed.
