A cyberattack on Poland’s power grid (Dec 29–30, 2025) has been attributed to Sandworm, the Russian state-sponsored hacking group notorious for destructive operations against critical infrastructure.
Key Details
- Threat actor: Sandworm (aka UAC-0113, APT44, Seashell Blizzard).
- Affiliation: Believed to be part of Russia’s GRU Military Unit 74455.
- Target:
- Two combined heat and power plants.
- A management system controlling renewable energy sources (wind, solar).
- Malware used:DynoWiper – a destructive data-wiping tool.
- Iterates through filesystems, deletes data.
- Leaves OS unusable, requiring full rebuild or reinstall.
- Detected as Win32/KillFiles.NMO (SHA-1:
4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6).
Historical Context
- 2015 attack on Ukraine’s grid: Sandworm deployed wipers that left 230,000 people without power.
- Pattern: Consistent focus on energy infrastructure to cause disruption and signal geopolitical intent.
Current Incident
- Attack failed to achieve destructive impact, but demonstrated intent.
- Polish Prime Minister Donald Tusk: “Everything indicates that these attacks were prepared by groups directly linked to the Russian services.”
- No public samples of DynoWiper found on VirusTotal, Triage, or Any.Run.
- Breach method and dwell time remain unclear.
Defensive Recommendations
- Review Microsoft’s Feb 2025 Sandworm report for TTPs (recommended by Team Cymru).
- Harden ICS/SCADA systems:
- Isolate management interfaces.
- Apply strict access controls.
- Backup strategy: Maintain offline, immutable backups to recover from wiper attacks.
- Threat hunting: Watch for indicators of DynoWiper and anomalous file deletion activity.
- Incident readiness: Prepare rapid rebuild procedures for critical systems.
Takeaway
Sandworm’s DynoWiper campaign against Poland’s energy grid underscores the group’s continued focus on critical infrastructure disruption. While this attack failed, it highlights the persistent risk of destructive wipers in geopolitical cyber conflict, especially targeting energy systems in Europe.
Leave a Reply