Wiper Malware Aimed at Poland’s Power Grid Linked to Moscow


Indicators Reveal Prolonged Engagement by ‘Sandworm’ Military Intelligence Hackers

[Image] Polish Prime Minister Donald Tusk speaks at a press conference on January 15, detailing Russian cyberattacks on Poland’s power grid in late 2025. (Image: Polish government)

Recent findings indicate that Russian military intelligence attempted to disrupt Poland’s energy infrastructure using wiper malware just as winter approached. Security experts have linked this operation to the Russia-affiliated Sandworm Advanced Persistent Threat (APT) group.

According to cybersecurity firm ESET, the attributes of the malware used, together with the techniques observed, support a “medium confidence” attribution of the attacks to Sandworm. ESET has designated the data-wiping malware used in this breach “DynoWiper.”

The attacks, which targeted combined heat and power plants and systems for managing renewable energy sources, took place on December 29 and 30, 2025. Polish Prime Minister Donald Tusk confirmed that the cyberattacks were unsuccessful due to the robustness of Poland’s defenses, assuring that critical infrastructure remained secure.

This incident aligns with a historical pattern observed with Sandworm, a unit notable for its cyber sabotage activities against Western critical infrastructure. The attack’s timing also converged with the anniversary of a December 2015 assault on Ukraine’s power grid, which resulted in the first malware-induced blackout.

The context of these cyberattacks underscores ongoing threats amid Russia’s continuing military campaign in Ukraine. Experts warn that this escalation demands heightened vigilance from neighboring NATO members, particularly those in proximity to both Russia and Ukraine. As noted by Will Thomas, a senior threat intelligence adviser, the implications of such actions could manifest more broadly across the energy sectors of several countries.

In response to the incident, the Polish government is reevaluating its cybersecurity measures and finalizing the National Cybersecurity Certification System, a legislative effort aimed at enhancing defenses in critical sectors. Compliance with the EU’s NIS2 directive, which mandates improved cybersecurity practices for energy operators, is a key component of this initiative.

Although the government pledged to implement the law by the end of 2025, progress is reportedly hindered by budget issues and notification disputes. Meanwhile, Russian cyber operations continue to test the boundaries of NATO allies, raising concerns about future attacks and the robustness of current defenses.

The methods and tactics employed by the Sandworm APT map onto adversary behaviors catalogued in the MITRE ATT&CK framework, particularly within the initial access, privilege escalation, and lateral movement tactics. As cyber threats evolve, organizations must remain vigilant in enhancing their incident response protocols and overall cybersecurity posture.

As these developments unfold, continued analysis and robust defensive measures will be essential in safeguarding critical infrastructure and mitigating the impact of emerging cyber threats.
