Poland’s Power Grid: Russia-linked Sandworm APT implicated in major cyber attack on Poland’s power grid

Russia-Linked Sandworm APT Targets Poland’s Power Grid in Major Cyberattack

On December 29, 2025, cybersecurity firm ESET uncovered a sophisticated cyberattack targeting Poland’s energy sector, attributed with medium confidence to the Russia-linked Sandworm APT group. The attack involved DynoWiper, a destructive malware designed to erase data, though no confirmed disruptions to the power grid were reported.

The timing of the attack was notable: it occurred during peak winter demand and coincided with the 10-year anniversary of Sandworm’s 2015 cyberattack on Ukraine’s power grid, which caused the first malware-induced blackout, leaving approximately 230,000 people without electricity. ESET’s analysis revealed strong overlaps in tactics, techniques, and procedures (TTPs) with previous Sandworm wiper campaigns, reinforcing the attribution.

Sandworm, also known as BlackEnergy, UAC-0082, and Voodoo Bear, has been active since 2000 and operates under Russia’s GRU Unit 74455. The group is responsible for high-profile attacks, including the 2017 NotPetya ransomware outbreak and multiple wiper campaigns against Ukraine in 2022, such as CaddyWiper and Industroyer2.

ESET shared indicators of compromise (IoCs) with subscribers to aid detection and response, though the full technical details remain restricted to private threat intelligence reports. The incident underscores Sandworm’s continued focus on critical infrastructure, particularly in regions with geopolitical tensions.

Source: https://securityaffairs.com/187309/hacking/russia-linked-sandworm-apt-implicated-in-major-cyber-attack-on-polands-power-grid.html

Volta Polska cybersecurity rating report: https://www.rankiteo.com/company/volta-polska

"id": "VOL1769417811",
"linkid": "volta-polska",
"type": "Cyber Attack",
"date": "6/2000",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Energy',
                        'location': 'Poland',
                        'name': 'Poland’s energy sector (unspecified '
                                'companies)',
                        'type': 'Critical infrastructure'}],
 'attack_vector': 'Destructive malware (DynoWiper)',
 'date_detected': '2025-12-29',
 'description': 'On December 29, 2025, cybersecurity firm ESET uncovered a '
                'sophisticated cyberattack targeting Poland’s energy sector, '
                'attributed with medium confidence to the Russia-linked '
                'Sandworm APT group. The attack involved *DynoWiper*, a '
                'destructive malware designed to erase data, though no '
                'confirmed disruptions to the power grid were reported. The '
                'timing of the attack was notable occurring during peak winter '
                'demand and coinciding with the 10-year anniversary of '
                'Sandworm’s 2015 cyberattack on Ukraine’s power grid, which '
                'caused the first malware-induced blackout, leaving '
                'approximately 230,000 people without electricity. ESET’s '
                'analysis revealed strong overlaps in tactics, techniques, and '
                'procedures (TTPs) with previous Sandworm wiper campaigns, '
                'reinforcing the attribution.',
 'impact': {'data_compromised': 'Data erasure (potential)',
            'operational_impact': 'No confirmed disruptions to power grid '
                                  'reported',
            'systems_affected': 'Poland’s energy sector (power grid)'},
 'investigation_status': 'Ongoing (indicators of compromise shared with '
                         'subscribers)',
 'motivation': 'Geopolitical tensions, disruption of critical infrastructure',
 'post_incident_analysis': {'root_causes': 'Strong overlaps in TTPs with '
                                           'previous Sandworm wiper campaigns'},
 'references': [{'source': 'ESET'}],
 'response': {'third_party_assistance': 'ESET (cybersecurity firm)'},
 'threat_actor': 'Sandworm APT (BlackEnergy, UAC-0082, Voodoo Bear)',
 'title': 'Russia-Linked Sandworm APT Targets Poland’s Power Grid in Major '
          'Cyberattack',
 'type': 'Cyberattack'}