Russian state-sponsored hacking group Sandworm deployed never-before-seen DynoWiper wiper malware on December 31, 2025, targeting Poland’s power grid in an attack that could have left 500,000 people without heat during winter. Poland successfully defended against the breach with no blackout or service disruption. Security researchers at ESET publicly disclosed the attack details yesterday (January 24, 2026), attributing it with “medium confidence” to Sandworm—the same Russian GRU unit responsible for Ukraine’s 2015 blackout and the $10 billion NotPetya attack.
Wiper Malware vs Ransomware
DynoWiper is a wiper, not ransomware. Wipers permanently delete data with no recovery option. Ransomware encrypts files for ransom—there’s a path to recovery. Wipers signal geopolitical sabotage, not profit.
When Sandworm deployed NotPetya in 2017—disguised as ransomware but actually a wiper—it caused over $10 billion in global damage, crippling Maersk, Merck, and FedEx. The 2012 Shamoon wiper destroyed 30,000 computers at Saudi Aramco. These aren’t cybercrime operations. They’re cyber warfare.
In 2025 alone, security researchers documented multiple new wiper families—BlueWipe, SewerGoo, PathWiper—targeting critical infrastructure across Ukraine, Israel, and Albania. Against that backdrop, Sandworm’s DynoWiper deployment against Poland marks the first known targeting of a NATO member’s energy grid with destructive malware.
Sandworm’s Decade of Destruction
Sandworm (APT44) is Russia’s GRU military intelligence cyber operations unit, responsible for the most destructive cyberattacks in history. December 23, 2015: first-ever malware-facilitated power grid attack disrupting electricity to 230,000 Ukrainians. December 17, 2016: 20% of Kyiv lost power. June 27, 2017: NotPetya spread globally, causing $10+ billion in damages.
The Poland attack on December 31, 2025—ten years and eight days after that first Ukraine blackout—demonstrates Sandworm’s preference for symbolic timing. Anniversary attacks aren’t accidents. They’re operational signatures designed for psychological impact.
Poland’s Successful Defense
Poland won. The attack was detected and stopped before causing damage—a rare positive outcome worth analyzing. Poland ranks 6th globally in the Cyber Defense Index with a 6.91 rating, and its €1 billion cybersecurity budget for 2026 reflects serious investment. Moreover, the country faces 20-50 cyberattacks daily, creating operational experience most nations lack.
Prime Minister Donald Tusk publicly praised the defense, confirmed zero disruption, and attributed the attack to Russia. The lesson: defense against nation-state threats is possible, but requires investment, real-time monitoring, and intelligence coordination.
Critical Infrastructure Vulnerability
Even failed attacks expose vulnerabilities. DynoWiper targeted two heat-and-power plants plus renewable energy management systems. If successful, 500,000 Polish citizens could have lost heating during winter—potentially lethal.
Large power transformers have 3-5 year replacement lead times and cost millions per unit. They’re multi-ton specialized equipment, not off-the-shelf parts. Furthermore, successful wiper attacks could trigger grid oscillations causing permanent equipment damage. The 2021 Texas blackout—no malware involved—killed 246-702 people and nearly caused a “blackstart scenario” requiring manual grid restart statewide.
Geopolitical Implications
This marks the first known Sandworm attack targeting a NATO member’s critical infrastructure, signaling escalation beyond Ukraine. Poland serves as the primary logistics hub for military and humanitarian support to Ukraine. Therefore, energy disruption would strain both Poland’s domestic capabilities and Ukraine’s reliance on EU energy imports.
The attack raises uncomfortable questions about NATO Article 5: Does a cyberattack on critical infrastructure constitute an armed attack warranting collective defense? The threshold remains unclear. PM Tusk’s public attribution to Russia represents a deliberate diplomatic escalation.
Key Takeaways for Infrastructure Operators
First, wiper malware requires different defenses than ransomware. Traditional backups won’t save you if attackers compromise them. Instead, immutable backups with air-gapped, write-once-read-many storage become mandatory. Real-time behavioral monitoring to detect mass file deletion is more valuable than perimeter defense.
Second, nation-state attacks are warfare-level threats requiring warfare-level defenses. This isn’t about patch management failures. It’s about defending against adversaries with unlimited resources and years of operational experience targeting industrial control systems.
Finally, Poland’s successful defense proves investment pays dividends. Their €1 billion budget, 6th-place global ranking, and coordinated intelligence response enabled real-time threat detection. The gap between compromise and wiper execution is measured in hours—automated isolation and kill-switch capabilities can prevent catastrophe.
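The first takeaway above recommends real-time behavioral monitoring for mass file deletion, and the last notes that the window between compromise and wiper execution is measured in hours. The following is an added example of what such a detector looks like; it is not code from the article, from ESET, or from any Polish operator. It reads a constructed, simplified text log format (loosely modelled on the fields of Sysmon Event ID 23 FileDelete), keeps a sliding window of deletions per host and process, and raises an alert once a single process crosses a threshold. The threshold, window, hostnames, process paths and timestamps are all assumed or constructed values, not details from the attack.

```python
"""
Added example, not code from the article or from ESET: a small behavioural
detector for the mass-file-deletion pattern that wipers produce. Input is a
constructed, simplified text log format (loosely modelled on the fields of
Sysmon Event ID 23 FileDelete). THRESHOLD and WINDOW_SECONDS are assumed tuning
values, not figures from the article.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

THRESHOLD = 50       # deletions by one process before alerting (assumed value)
WINDOW_SECONDS = 60  # sliding-window length in seconds (assumed value)

# Constructed line format: "<ISO-8601 ts> host=<h> event=<e> image=<exe> target=<path>"
# target= is last so that paths containing spaces survive parsing.
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) image=(\S+) target=(.+)$")


@dataclass(frozen=True)
class DeleteEvent:
    ts: datetime
    host: str
    image: str   # executable that performed the deletion
    path: str    # file that was deleted


@dataclass(frozen=True)
class Alert:
    host: str
    image: str
    count: int       # deletions inside the window when the alert fired
    first: datetime  # oldest deletion still inside the window
    last: datetime   # deletion that tipped the count over the threshold


def parse_event(line: str) -> Optional[DeleteEvent]:
    """Return a DeleteEvent for FileDelete lines; None for other or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, host, event, image, path = m.groups()
    if event != "FileDelete":
        return None
    try:
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    except ValueError:
        return None
    return DeleteEvent(ts, host, image, path)


class MassDeleteDetector:
    """Per-(host, process) sliding-window counter of file deletions.

    Events for a given (host, process) must be fed in timestamp order. One alert
    is raised per pair, the first time its window count reaches the threshold;
    a real deployment would hand that alert to an isolation or kill-switch step."""

    def __init__(self, threshold: int = THRESHOLD, window_seconds: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._recent = defaultdict(deque)  # (host, image) -> timestamps inside window
        self._alerted = set()

    def feed(self, ev: DeleteEvent) -> Optional[Alert]:
        key = (ev.host, ev.image)
        q = self._recent[key]
        q.append(ev.ts)
        while ev.ts - q[0] > self.window:  # evict timestamps older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return Alert(ev.host, ev.image, len(q), q[0], ev.ts)
        return None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run the detector over raw log lines and collect the alerts it raises."""
    det = MassDeleteDetector()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = det.feed(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sample_lines() -> List[str]:
    """Constructed sample log, sorted by time: a housekeeping job deleting three
    files over ten minutes, one non-delete event, and an unknown process
    deleting 60 files in 20 seconds. Hosts and paths are invented."""
    t0 = datetime(2025, 12, 31, 2, 0, 0, tzinfo=timezone.utc)
    stamped = []  # (timestamp, line) so we can emit the stream in time order
    for i in range(3):
        ts = t0 + timedelta(minutes=5 * i)
        stamped.append((ts, f"{ts.isoformat()} host=hmi-01 event=FileDelete "
                            f"image=C:\\Windows\\System32\\cleanmgr.exe target=C:\\Temp\\old_{i}.log"))
    stamped.append((t0, f"{t0.isoformat()} host=hmi-01 event=ProcessCreate "
                        f"image=C:\\Temp\\unknown.exe target=-"))
    for i in range(60):
        ts = t0 + timedelta(seconds=i / 3)
        stamped.append((ts, f"{ts.isoformat()} host=hmi-01 event=FileDelete "
                            f"image=C:\\Temp\\unknown.exe target=C:\\ProgramData\\hist\\tag_{i:04d}.dat"))
    stamped.sort(key=lambda pair: pair[0])
    return [line for _, line in stamped]


if __name__ == "__main__":
    for a in detect(sample_lines()):
        print(f"ALERT {a.host} {a.image}: {a.count} deletions between "
              f"{a.first.isoformat()} and {a.last.isoformat()}")
```

Run as a script it prints one alert for the unknown process and none for the slow housekeeping job. Keying on (host, process) rather than on the host alone is what keeps routine cleanup from tripping the rule, and raising one alert per pair keeps a wiper that deletes thousands of files from flooding the queue; tuning the threshold and window against a few days of normal telemetry is the part that cannot be done in the example.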