Russian Hackers Target Poland's Power Grid in Failed December Attack
Warsaw, Sunday, 25 January 2026.
Cybersecurity firm ESET has linked December’s cyberattack on Polish energy infrastructure to Russia’s notorious Sandworm hacking group, revealing a sophisticated attempt to deploy destructive DynoWiper malware that could have left 500,000 people without heat. The attack, which occurred exactly ten years after Sandworm’s first successful strike on Ukraine’s power grid, targeted two combined heat and power plants and renewable energy management systems but was ultimately thwarted by Poland’s cybersecurity defenses, highlighting both the escalating cyber warfare threats facing European energy infrastructure and the critical importance of robust protective measures.
ESET Links Attack to Russia’s Elite Hacking Unit
Slovak cybersecurity firm ESET has attributed the December 29-30, 2025 cyberattack on Polish energy infrastructure to Russia’s Sandworm group with medium confidence, based on analysis of the malicious software and associated tactics, techniques, and procedures used in the assault [1]. The attack employed a new destructive data-wiping malware called DynoWiper, detected by ESET as Win32/KillFiles.NMO with SHA-1 hash 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 [1]. Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, is a Russian state-sponsored hacking group that has been active since 2009 and is believed to be part of Russia’s Military Unit 74455 of the Main Intelligence Directorate (GRU) [1].
Strategic Timing Echoes Historical Precedent
The timing of the Polish attack appears deliberate, occurring exactly ten years after Sandworm’s first successful cyberattack on Ukraine’s power grid, which left approximately 230,000 people without power [1][4]. That landmark 2015 assault marked the first documented case of a power outage caused by malicious software, when hackers used the BlackEnergy malware to gain access to key systems in several electrical substations [4]. The group has maintained its focus on energy infrastructure, conducting destructive data-wiping attacks on Ukraine’s education, government, and grain sectors in June and September 2025 [1]. The December attack on Poland was conducted in the middle of winter, maximizing potential impact on heating systems critical for public safety [3][4].
Polish Officials Confirm Scope and Response
Polish Prime Minister Donald Tusk revealed on January 15, 2026 that the attacks targeted two combined heat and power plants and a management system controlling electricity from renewable sources [1][2]. Tusk stated that “everything indicates that these attacks were prepared by groups directly linked to the Russian services” and emphasized that had the attack succeeded, up to 500,000 people could have been deprived of heat [2][3][4]. Minister of Energy Miłosz Motyka confirmed on January 20, 2026 that the attack attempted to disrupt communication between generation plants and grid operators, specifically targeting combined heat and power plants and renewable energy sources [2]. Deputy Prime Minister and Minister of Digitization Krzysztof Gawkowski characterized the incident as “Russian sabotage” aimed at destabilizing the situation in Poland [4].
Cybersecurity Defense Systems Prove Effective
Despite the sophisticated nature of the attack, Poland’s cybersecurity systems successfully prevented any meaningful disruption to the energy grid. Prime Minister Tusk emphasized that “Poland defended itself against attempts at destabilization and at no point was critical infrastructure responsible for energy security threatened” [2]. The Prime Minister noted that the defense systems currently in place in Poland proved effective, with the attack causing practically no negative consequences [2]. ESET researchers confirmed they have no information about any successful disruption resulting from the attack, though they noted that the malware’s construction clearly indicates destructive intentions [3][4]. This successful defense demonstrates the importance of robust cybersecurity measures for protecting critical energy infrastructure from state-sponsored cyber warfare targeting European nations.