Sandworm APT Group Targeting Poland’s Power Grid with DynoWiper Malware

Late December 2025 brought alarming news to Poland as its energy infrastructure became the target of what security experts describe as the country’s largest cyberattack in years.

The Russian-aligned Sandworm group, known for orchestrating some of the most damaging attacks on critical infrastructure, emerged as the culprit behind this coordinated assault.

The group deployed a previously undocumented data-wiping malware payload that has since been named DynoWiper, marking another chapter in Sandworm’s long history of aggressive operations.

This attack represents a significant escalation in regional tensions, arriving precisely on the tenth anniversary of Sandworm’s devastating 2015 assault on Ukraine’s power grid—an operation that caused the first-ever malware-driven blackout, leaving approximately 230,000 people without electricity.

The timing suggests a deliberate strategic choice by threat actors intent on demonstrating their capabilities during a symbolically charged moment. Poland’s electrical systems faced genuine operational risk as the malware spread through the infrastructure.

WeLiveSecurity analysts and ESET researchers identified DynoWiper during their detailed forensic analysis of the attack’s technical components.

The researchers assigned it the detection signature Win32/KillFiles.NMO within their security solutions, confirming its role as the primary destructive payload.

These findings came through a comprehensive investigation of the malware’s code structure and its connection to established Sandworm operational techniques.

DynoWiper’s Destructive Capabilities and Operational Impact

DynoWiper operates as a file-destruction tool engineered to overwrite and eliminate critical data on infected systems.

The malware’s design reflects Sandworm’s signature methodology of employing wiper functionality to cause maximum disruption to targeted networks.

Unlike traditional malware that aims for persistence or information theft, DynoWiper prioritizes rapid destruction, removing evidence while simultaneously crippling operational capabilities.

Its implementation reveals a sophisticated understanding of Windows systems and the specific vulnerabilities present within power infrastructure networks.

The attack’s technical assessment showed that while Sandworm achieved successful system penetration and malware deployment, the incident resulted in no confirmed operational disruptions to Polish energy distribution.

This finding suggests either defensive measures successfully contained the spread or the attackers faced unexpected resistance during execution phases.

Nonetheless, the ability to deploy active wiper malware within critical national infrastructure represents a serious breach and underscores growing vulnerabilities in European power systems.


The post Sandworm APT Group Targeting Poland’s Power Grid with DynoWiper Malware appeared first on Cyber Security News.

