A cyberattack targeting Poland’s power grid in late December 2025 has been linked to the Russian state-sponsored hacking group Sandworm, which attempted to deploy a new destructive data-wiping malware dubbed DynoWiper during the attack..

Sandworm (also tracked as UAC-0113, APT44, and Seashell Blizzard) is a Russian nation-state hacking group that has been active since 2009. The group is believed to be part of Russia’s Military Unit 74455 of the Main Intelligence Directorate (GRU) and is known for carrying out disruptive and destructive attacks.

Almost exactly 10 years earlier, Sandworm conducted a destructive data-wiping attack on Ukraine’s energy grid that left approximately 230,000 people without power. 

According to ESET, Sandworm has now been linked to the December 29-30th attack on Poland’s energy infrastructure, which used a data wiper called DynoWiper.

When executed, data wipers iterate through a filesystem, deleting files. When finished, the operating system is left unusable and must be rebuilt from backups or reinstalled. 

In a press statement, Polish officials said the attack targeted two combined heat and power plants as well as a management system used to control electricity generated from renewable sources such as wind turbines and photovoltaic farms.

“Everything indicates that these attacks were prepared by groups directly linked to the Russian services,” Poland’s Prime Minister Donald Tusk said at a press conference.

ESET has not shared many technical details about DynoWiper, only stating that the antivirus company detects it as Win32/KillFiles.NMO and that it has a SHA-1 hash of 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6.

BleepingComputer has not been able to find a sample of the wiper uploaded to VirusTotal, Triage, Any.Run, and other malware submission sites.

While it is unclear how long the threat actors remained within Poland’s systems or how they were breached, Senior Threat Intel Advisor for Team Cymru Will Thomas (aka BushidoToken) recommends that defenders read Microsoft’s February 2025 report on Sandworm.

More recently, Sandworm was linked to destructive data-wiping attacks on Ukraine’s education, government, and the grain sector in June and September 2025.