WARSAW, Jan 24, 2026, 14:24 (CET)
- ESET links the late-December cyberattacks on Poland’s power grid to the Russia-backed Sandworm group, though no disruptions occurred
- According to the Polish government, two combined heat and power plants and renewable management systems were hit
- Officials say tougher cybersecurity rules are being drafted after the attempted attack
Cybersecurity firm ESET has pointed to hackers tied to Russian military intelligence as the probable source of the cyberattacks targeting Poland’s power grid in late December. The intruders tried to unleash a data-wiping malware known as DynoWiper, though their attempt appears to have failed. The Russian Embassy in Washington has not responded to requests for comment. (Reuters)
The discovery sharpens the spotlight on an incident Polish officials now see as a serious threat to the country’s energy security. The focus has shifted away from data theft toward potential disruption. This development arrives as Warsaw advocates for tougher cyber rules targeting critical infrastructure.
TechCrunch labeled DynoWiper as “wiper” malware designed to delete data and disable computers. (TechCrunch)
Poland’s prime minister said the attacks on December 29-30 hit two combined heat and power plants—these facilities produce both electricity and heat—and also targeted a system managing power from renewables such as wind turbines and solar farms. Donald Tusk stated that “everything indicates” the operation was carried out by groups “directly linked to the Russian services.” (Gov)
Tusk said Poland’s defences remained solid, stressing that “at no point was critical infrastructure threatened.” He confirmed he ordered ministers and special services to work at full capacity and pointed to upcoming steps, including draft legislation for a national cybersecurity system.
ESET linked the attack to Sandworm with “medium confidence,” citing its analysis of both the malware and the attackers’ methods. The firm also noted, “We’re not aware of any successful disruption occurring as a result of this attack.” DynoWiper is a wiper—a kind of malware that deletes or overwrites data to make machines unusable. (We Live Security)
Energy Minister Milosz Motyka told reporters earlier this month that Poland’s cyber defense units detected “the strongest attack on the energy infrastructure in years.” The breach hit communication links between renewable energy facilities and power distribution operators. (Reuters)
Robert Lipovsky, principal threat intelligence researcher at ESET, called the operation “unprecedented” for Poland, pointing out that earlier cyberattacks hadn’t targeted disruption. “Pulling off a disruptive cyberattack against the Polish energy sector is a big deal,” he told journalist Kim Zetter. (ZERO DAY)
Sandworm, infamous for its destructive operations, has been tied by Western officials and experts to attacks on Ukraine’s power infrastructure, including a malware-driven blackout a decade ago. Against that background, the late-December event in Poland has drawn notice.
Poland’s new cyber law targets tougher risk management and incident response rules for IT networks as well as operational technology—the industrial control systems that run power plants and grid infrastructure.
Cyber attribution rarely produces courtroom-ready proof, and ESET’s findings rely on code and tactic similarities rather than any formal admission. The probe into the intended damage continues, and Polish officials haven’t disclosed how the breach happened—leaving open the chance of another attack using different techniques.
The December incident didn’t cause a blackout—at least, not this time. Still, it shows how fast data-wiping malware can jump from IT systems straight to the power grid. Energy operators are now gearing up for the attack they really dread: the next one.