Sandworm Attacks Poland's Power Grid: Europe's Wake-Up Call
Summary
In the final days of 2025, the Russian state-sponsored hacking group Sandworm attempted to cripple Poland's energy network. The coordinated attack struck more than 30 solar and wind farms and combined heat and power plants, deploying a previously unknown piece of malware called DynoWiper, designed to permanently destroy systems rather than simply disrupt them. Had the attack succeeded fully, up to 500,000 people could have been left without electricity and heating in the middle of one of the coldest winters in recent years. Poland repelled the attack - but security researchers are clear: this was not an isolated incident. It was the most serious escalation of Russian cyberattacks on EU soil to date. This article explains what happened, why it matters for all of Europe, and what individuals and organizations can do.
Introduction
December 29, 2025 was a bitterly cold day in Poland. While most people were enjoying the holiday period, a silent operation was unfolding inside the servers and control centers of the Polish energy grid. Attackers had burrowed into the systems months earlier - and were now exploiting the window of reduced staffing and lower alertness that comes with the holiday season.
Poland's Energy Minister Milosz Motyka later described it as the most powerful cyberattack on the Polish power grid in years. More than 30 sites of distributed energy producers were hit simultaneously - solar farms, wind turbines, combined heat and power plants. The goal was to sever communications between these installations and the national grid, permanently damage control systems, and ideally trigger a blackout. According to Polish authorities, a fully successful attack could have cut electricity and heating for up to 500,000 people - at temperatures well below freezing.
Who is behind it - and why Poland?
Security researchers at Slovak company ESET and US-based OT security firm Dragos have attributed the attack with medium-to-high confidence to the Russian state-sponsored hacking group Sandworm, also tracked as APT44 and Seashell Blizzard. Sandworm is not an ordinary criminal organization. It operates under the Russian military intelligence service GRU and has previously knocked out Ukraine's energy infrastructure on multiple occasions - most notably in December 2015, when an attack left 230,000 Ukrainians without power for several hours.
The timing of the Poland attack was deliberate: it came almost exactly ten years after that first blackout in Ukraine. The message was unmistakable.
The malware deployed in the attack was analyzed by ESET researchers and named DynoWiper. It differs fundamentally from classic ransomware: where ransomware encrypts data and demands payment, a wiper permanently deletes data and system configurations. Some devices, according to Dragos, were damaged beyond repair. The objective is not money. It is destruction.
Dragos describes the attack as a division-of-labor operation between two specialized groups. One group - internally tracked as KAMACITE - quietly infiltrates industrial systems over months using stolen credentials or software vulnerabilities, then waits. The actual destruction is carried out by a second group called ELECTRUM, which targets industrial control systems directly. This separation of roles makes the attacks particularly dangerous: organizations can be compromised for months without knowing it. In this case, KAMACITE had been inside one of the targeted systems since March 2025 - nine months before anyone noticed.
Why does this matter for the rest of Europe?
Poland was not chosen at random. The country is one of Ukraine's most important allies, supplying electricity to its neighbor and serving as a logistics hub for Western military aid. Destabilizing Poland's energy grid is an indirect attack on the infrastructure supporting Ukraine. Russia has been conducting what experts call hybrid warfare for years - a combination of military, political, and digital operations designed to stay below the threshold of a formal act of war.
ESET researcher Robert Lipovsky described the attack as unprecedented for Poland: previous Russian cyber operations in the country had been covert and not aimed at physical disruption. This time, destruction was the explicit goal. ESET researchers also note that Sandworm is, to their current knowledge, the only known threat actor to have deployed wiper attacks against EU member states.
For the rest of Europe, this is a directly relevant warning. Critical infrastructure - power grids, water supplies, hospitals, telecommunications - is built similarly across many EU countries. Distributed renewable energy sources offer greater resilience against a single centralized strike, but they also create thousands of new attack points at the edges of the network.
What can businesses and individuals do now?
Even though this attack targeted energy operators and industrial facilities, the lessons it offers apply broadly. State-sponsored cyberattacks do not only harm the direct targets - they can cause supply disruptions, communication outages, and economic ripple effects that reach every household and business.
For operators of critical infrastructure and industrial companies, the priorities are clear. Network segmentation between office IT systems and operational technology (OT) systems is not optional - it is essential. An attacker who gains access to office systems must not automatically gain access to industrial controls. All internet-connected industrial devices need regular checks for known vulnerabilities and timely updates. And time is critical: KAMACITE was reportedly active inside one of the targeted systems since March 2025 - nine months before the attack was triggered.
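The segmentation rule above is only as good as its enforcement, and the long KAMACITE dwell time shows why crossings between office and plant networks must be watched continuously. The following added example (written for this article, not code from ESET, Dragos or any operator mentioned here) checks constructed firewall flow logs against a simple IT/OT allow-list: the address ranges, the jump host and the permitted ports are assumptions, and the log format is invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network plan (assumed, not from the article):
# office IT lives in 10.10.0.0/16, plant OT in 10.200.0.0/16.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# The only IT->OT paths the (assumed) policy permits: a hardened jump host
# reaching the OT engineering workstation, and a historian mirror over TLS.
ALLOWED_IT_TO_OT = {
    ("10.10.5.10", "10.200.1.20", 3389),  # jump host -> engineering workstation
    ("10.10.5.11", "10.200.1.30", 443),   # historian mirror -> OT historian
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def parse_flow(line):
    # Constructed log format: "src=... dst=... dport=... proto=..."
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])

def is_violation(flow):
    # Only IT->OT crossings are policed here; everything else is out of scope.
    if not (in_any(flow.src, IT_NETS) and in_any(flow.dst, OT_NETS)):
        return False
    return (flow.src, flow.dst, flow.dport) not in ALLOWED_IT_TO_OT

def find_violations(lines):
    return [f for f in map(parse_flow, lines) if is_violation(f)]

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "src=10.10.5.10 dst=10.200.1.20 dport=3389 proto=tcp",  # permitted jump host
    "src=10.10.42.7 dst=10.200.1.20 dport=3389 proto=tcp",  # office PC straight to OT
    "src=10.10.42.7 dst=10.200.3.5 dport=502 proto=tcp",    # office PC to a Modbus device
    "src=10.10.42.7 dst=10.10.1.1 dport=445 proto=tcp",     # IT-internal, not policed
    "src=10.200.3.5 dst=10.200.1.30 dport=502 proto=tcp",   # OT-internal, not policed
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"VIOLATION: {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

In practice the allow-list would be generated from the same source of truth as the firewall rules, so that any flow the firewall let through but the policy does not list shows up as a misconfiguration or an intrusion.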
For everyone else, basic preparedness is sensible. A simple emergency plan - a flashlight, a charged power bank, a water reserve, and important documents kept accessible - is not alarmism. It is reasonable precaution in an environment where infrastructure disruptions are no longer hypothetical. Anyone with remote access to critical systems should ensure that connections are protected by strong multi-factor authentication and that access credentials are rotated regularly.
Conclusion
The attack on Poland's power grid is more than an isolated security event. It is evidence that Europe's critical infrastructure is actively being targeted by state-sponsored actors - actors who are patient, precise, and increasingly willing to cause permanent damage. Poland repelled this attack. Whether the next country to be targeted will be as fortunate is far from certain. Europe must protect its energy networks, water systems, and digital infrastructure now - not after the next near-blackout.
Sources
ESET Research: Sandworm behind cyberattack on Poland's power grid in late 2025, 23 January 2026
https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
The Hacker News / Dragos: Russia-Aligned ELECTRUM Tied to December 2025 Cyber Attack on Polish Power Grid, 28 January 2026
https://thehackernews.com/2026/01/russian-electrum-tied-to-december-2025.html
Notes From Poland: Poland suffers major cyberattack on power grid, says Russia likely responsible, 14 January 2026
https://notesfrompoland.com/2026/01/14/poland-suffers-major-cyberattack-on-power-grid-says-russia-likely-responsible/
ASIS Online: PM Confirms Poland Stopped Major Cyberattack Targeting its Energy Grid in December 2025, 16 January 2026
https://www.asisonline.org/security-management-magazine/latest-news/today-in-security/2026/january/Poland-Stops-Cyberattack-On-Energy-Grid/
The Hacker News / CERT Polska: Poland Attributes December Cyber Attack - DynoWiper Details, February 2026
https://thehackernews.com/2026/01/poland-attributes-december-cyber.html
Zetter Zero Day: Cyberattack Targeting Poland's Energy Grid Used a Wiper, January 2026
https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/