Cybersecurity firm ESET has reported new data-wiping malware targeting Polish power plants. Prime Minister Donald Tusk confirmed that the attack was thwarted, with no loss of public power.
Poland has narrowly escaped a potential energy crisis following what has been described as one of the most significant cyberattacks on its infrastructure in years. Between December 29 and 30, 2025, hackers aimed to infiltrate the country’s energy sector, specifically focusing on two combined heat and power (CHP) plants and systems responsible for managing renewable energy sources like wind and solar.
These facilities are crucial, as they not only supply electricity but also deliver heat to local homes and businesses. ESET’s investigation has linked this cyber intrusion to the infamous Russian hacking group Sandworm, also known by the designations APT44 and Seashell Blizzard. Sandworm is believed to operate under Unit 74455, a division of Russia’s military intelligence service, the GRU (Main Intelligence Directorate).
A Dangerous New Tool
Findings from this incident indicate that the attackers did not merely aim to gather intelligence; their objective appeared to be destructive. They deployed a new variant of wiper malware, a malicious tool designed to obliterate data and render computer systems inoperable. ESET’s lead researcher, Robert Lipovsky, has termed this malware DynoWiper.
According to ESET’s research, while the hackers succeeded in infiltrating the systems, they were ultimately unsuccessful in causing any damage. Prime Minister Tusk has stated that Poland’s security protocols held firm, ensuring there was no risk to the public power supply during the incident.
“The evidence suggests that these attacks were orchestrated by groups closely linked to Russian state services,” PM Tusk remarked during a press conference. “Had the attack been successful, it could have left around half a million individuals without power or heating in the depths of winter.”
History Repeating Itself?
The timing of this offensive raises suspicions regarding its intent. Notably, the incident coincides with the tenth anniversary of Sandworm’s successful intrusion into Ukraine’s power grid in December 2015, in which the use of the BlackEnergy malware left 230,000 people without electricity.
Throughout 2025, Sandworm has been persistently active, frequently targeting Ukrainian water and heating infrastructures with various wipers, including Zerolot and Sting. By shifting focus to Poland, the group demonstrates its willingness to extend its reach beyond immediate conflict zones.
In response to these threats, the Polish government is expediting the National Cybersecurity System Act, underscoring its commitment to strengthening cyber defenses. PM Tusk emphasized the necessity of readiness: “I have mobilized my ministers and special services to operate at full capacity. We must be prepared for any eventuality.”
This new legislation will impose stricter security requirements on energy providers, aiming to prevent foreign interference in the country’s critical services and safeguard against future cyber threats.