A late-December 2025 cyberattack on Poland’s power grid has been linked to the Russian state-sponsored group Sandworm, which attempted to deploy a new destructive wiper called DynoWiper. ESET identifies the wiper as Win32/KillFiles.NMO (SHA-1 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6), but public samples have not been found and officials say the attack hit CHP plants and a renewables management system. #Sandworm #DynoWiper
Keypoints
- The December 29–30, 2025 attack on Poland’s energy infrastructure is attributed to Sandworm.
- Threat actors attempted to deploy a destructive data wiper dubbed DynoWiper that can render systems unusable.
- Targets included two combined heat-and-power plants and a management system for wind and photovoltaic generation.
- ESET detects the wiper as Win32/KillFiles.NMO with SHA-1 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6, yet no sample uploads have been located.
- Analysts point to Sandworm’s prior disruptive attacks and recommend reviewing Microsoft’s February 2025 Sandworm report for defensive guidance.