LmCast :: Stay tuned in

Sandworm hackers linked to failed wiper attack on Poland’s energy systems

Recorded: Jan. 24, 2026, 11 p.m.

By Lawrence Abrams

January 24, 2026
04:58 PM

A cyberattack targeting Poland’s power grid in late December 2025 has been linked to the Russian state-sponsored hacking group Sandworm, which attempted to deploy a new destructive data-wiping malware dubbed DynoWiper during the attack.
Sandworm (also tracked as UAC-0113, APT44, and Seashell Blizzard) is a Russian nation-state hacking group that has been active since 2009. The group is believed to be part of Russia's Military Unit 74455 of the Main Intelligence Directorate (GRU) and is known for carrying out disruptive and destructive attacks.
Almost exactly 10 years earlier, Sandworm conducted a destructive data-wiping attack on Ukraine's energy grid that left approximately 230,000 people without power. 

According to ESET, Sandworm has now been linked to the December 29-30th attack on Poland's energy infrastructure, which used a data wiper called DynoWiper.
When executed, data wipers iterate through a filesystem, deleting files. When finished, the operating system is left unusable and must be rebuilt from backups or reinstalled. 
In a press statement, Polish officials said the attack targeted two combined heat and power plants as well as a management system used to control electricity generated from renewable sources such as wind turbines and photovoltaic farms.
"Everything indicates that these attacks were prepared by groups directly linked to the Russian services," Poland's Prime Minister Donald Tusk said at a press conference.
ESET has not shared many technical details about DynoWiper, only stating that the antivirus company detects it as Win32/KillFiles.NMO and that it has a SHA-1 hash of 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6.
BleepingComputer has not been able to find a sample of the wiper uploaded to VirusTotal, Triage, Any.Run, and other malware submission sites.
While it is unclear how long the threat actors remained within Poland's systems or how they were breached, Senior Threat Intel Advisor for Team Cymru Will Thomas (aka BushidoToken) recommends that defenders read Microsoft's February 2025 report on Sandworm.
More recently, Sandworm was linked to destructive data-wiping attacks on Ukraine's education, government, and the grain sector in June and September 2025. 
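The only file indicator published so far is the SHA-1 hash quoted above. The following sweep is an added example, not code from the article, ESET, or BleepingComputer; it walks a directory tree and reports files whose SHA-1 matches that value. The function names and the default scan root are assumptions made for illustration.

```python
import hashlib
import os
import sys
from pathlib import Path

# SHA-1 reported in the article for DynoWiper (ESET: Win32/KillFiles.NMO).
DYNOWIPER_SHA1 = "4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6"


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so large binaries are never fully loaded."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, indicators=(DYNOWIPER_SHA1,)):
    """Return (matches, unreadable) for regular files under root.

    Indicators are compared case-insensitively, since vendors publish
    hashes in either case. Symlinks are skipped to avoid loops and
    double counting. Unreadable files are reported, not silently
    dropped, so gaps in coverage are visible to the analyst.
    """
    wanted = {value.strip().lower() for value in indicators}
    matches, unreadable = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                if sha1_of_file(path) in wanted:
                    matches.append(str(path))
            except OSError:
                unreadable.append(str(path))
    return sorted(matches), sorted(unreadable)


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed default
    hits, skipped = sweep(scan_root)
    for hit in hits:
        print(f"MATCH {hit}")
    print(f"{len(hits)} match(es), {len(skipped)} unreadable file(s)")
```

A hash match only finds byte-identical copies of the reported sample, so an empty result does not rule out a recompiled or modified variant.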

Lawrence Abrams
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

The December 2025 cyberattack targeting Poland’s energy infrastructure has been definitively linked to the Russian state-sponsored hacking group, Sandworm, also known by designations such as UAC-0113, APT44, and Seashell Blizzard. This group, active since 2009, is recognized for its disruptive and destructive operations, notably demonstrated in a prior 2015 attack against Ukraine’s energy grid. The attack utilized a data-wiping malware dubbed DynoWiper.

DynoWiper operated by iterating through a file system, deleting files, rendering the affected operating system unusable and necessitating a rebuild or reinstall. Polish authorities implicated the attack as originating from groups directly connected to Russia’s Military Unit 74455 (GRU). The initial target included two combined heat and power plants, alongside a management system controlling renewable energy sources like wind turbines and photovoltaic farms.

ESET, the cybersecurity firm that identified the malware, has limited technical details available, categorizing DynoWiper as Win32/KillFiles.NMO and providing a SHA-1 hash (4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6). Currently, a sample of the malware has not been submitted to widely used malware analysis platforms like VirusTotal, Triage, or Any.Run, hindering comprehensive analysis.

According to Will Thomas (a.k.a. BushidoToken), Senior Threat Intel Advisor for Team Cymru, organizations should review Microsoft’s February 2025 report concerning Sandworm’s activities. Sandworm’s activities extend beyond this attack, having been attributed to destructive data-wiping incidents against Ukraine's educational, government, and grain sectors in June and September 2025. This latest attack highlights the ongoing threat posed by state-sponsored actors and reinforces the need for robust cybersecurity defenses.