At the end of December 2025, Poland’s energy infrastructure became the target of coordinated cyberattacks involving wiper malware. They did not lead to power outages or blackouts.

The Polish government confirmed that the defense was successful. Still, the incident raises a hard question: how do we keep defenses effective over time and protect against similar threats, not only in critical sectors of the economy?

Someone tried to turn the lights off in Poland. What actually happened?

The cyberattack took place on December 29, 2025. It targeted multiple wind and solar farms, a private manufacturing company, and a combined heat and power plant supplying heat to nearly half a million customers in Poland. According to official statements, the aim was to disrupt operations and destabilize the affected systems. However, the plan was thwarted.

It was the first such large-scale and coordinated attack on distributed energy sources in Poland. CERT Polska published a detailed report on the incident. Below, we summarize the most important points.

Silent sabotage with wipers

The attack used wiper malware, which permanently destroys data and system code. New variants were used: DynoWiper (detected as Win32/KillFiles.NMO) and LazyWiper.

Unlike ransomware, which aims at extortion, wipers leave no room for negotiation. Their primary function is to destroy devices in ways that often cannot be reversed remotely.

In IT, this means permanent loss of data on servers and workstations. In OT, where physical processes are managed, the consequences can be even more serious. Deleting configuration or monitoring data can block remote control, prevent rapid recovery, and undermine operators’ trust in production data. This, in turn, leads to poor decisions and difficulties in managing the entire system.

In OT systems, recovery is much more complex than in IT. It requires synchronization with industrial processes and strict compliance with equipment safety rules.

The December attacks on Poland’s renewable energy infrastructure are a turning point that we must interpret correctly. The attackers, using DynoWiper malware, were not looking for profit but paralysis. The goal was not to encrypt data for ransom but to permanently damage the software of RTU devices and control systems.

For admins and security leaders, this is an alarm signal: when faced with a wiper, there is no room for negotiation. There is no decryption key to fight for. Disaster recovery becomes the only line of defense.

– Łukasz Nowatkowski / Cybersecurity Advocate, Xopero Software

Who is behind this?

Polish Prime Minister Donald Tusk diplomatically suggested that “people associated with a foreign power” may be behind the attack.

ESET experts were more specific:

Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activities we analyzed.

Dragos, which was involved in handling one of the incidents, attributed responsibility with moderate confidence to the ELECTRUM group, which is technically and operationally very similar to Sandworm.

It is also worth noting that the incident took place on the 10th anniversary of the Sandworm cyberattack on the Ukrainian power grid using malware called BlackEnergy. It was the first publicly confirmed successful cyberattack on a power grid. It deprived around 225,000 people of access to electricity for several hours.

In its report, CERT Polska stated that the network infrastructure (servers, VPN) overlaps with the Dragonfly / Berserk Bear cluster (also known as “Static Tundra”). Although DynoWiper shows some features seen in Sandworm tooling, CERT Polska does not attribute this attack unequivocally to Sandworm, pointing instead to Dragonfly-linked infrastructure.

Regardless of the final attribution, one point is clear: this was a capable, disciplined adversary. The actor targeted critical infrastructure and showed familiarity with energy environments, including how to achieve operational impact rather than just disruption.

This is a painful lesson: in cybersecurity, “it will be fine” no longer works. The CERT Polska report shows that we were not dealing with a magic zero-day attack, but with the exploitation of a basic oversight: the lack of MFA on VPN gateways. The group did not have to break down the door, because it entered through an open window straight into the control systems at renewable energy farms.

The effective use of a wiper on this equipment is more than just an IT failure. It is logistical paralysis. In the middle of winter, with snowstorms raging, the digital incident forced technicians to physically travel to each snow-covered container with a laptop and service cable to manually “un-brick” devices. You can’t fix that with a click sitting in a warm office. This proves that offline backups and MFA are not optional but necessary.

– Łukasz Nowatkowski adds.

New target: distributed energy

Unlike in Ukraine, where attacks mainly targeted distribution control centers and transmission substations, this time the attackers focused on distributed network endpoints. The targets were remote terminal units (RTUs) and communication systems managing smaller energy generation facilities (renewable energy sources, RES).

According to Dragos’s analysis, the attackers gained access to systems providing operational visibility and, in some cases, remote control capabilities. This included management terminals, network devices supporting telemetry, and infrastructure connecting facilities with control centers.

Although the attack did not disrupt electricity production, CERT Polska reported that it caused a breakdown in communication between affected facilities and distribution system operators. Control and communication systems at approximately 30 sites, mainly wind and solar farms, were reportedly compromised.

Conclusions for the future: 7 actions worth implementing today

The lack of serious damage should not lull us into complacency. The incident should be treated as a boundary test and an impetus for actions focused on three priorities of operational resilience: limiting the scope, shortening detection time, and ensuring effective recovery.

Here are the basic steps to increase resilience to wiper attacks:

  1. Use immutable backups and repositories separated from production environments.
  2. Follow the 3-2-1-1-0 rule: 3 copies of data, 2 different media, 1 copy in a different location, 1 copy disconnected from the network (Air Gap), 0 errors in recovery tests.
  3. Regularly test data recovery in IT and OT, also simulating destructive scenarios.
  4. Separate backup accounts from administrative accounts. Use MFA and apply the principle of least privilege.
  5. Monitor mass file deletion or overwriting operations and unusual logins.
  6. Segment the OT network to limit the spread of malware beyond critical areas.
  7. Develop and test incident response scenarios, with an emphasis on wiper threats and IT/OT team collaboration.
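As an added example (not from the CERT Polska report or from Xopero’s products), the following Python script implements the monitoring from point 5: a sliding window per host and user that raises one alert when destructive file operations exceed a threshold. The log format, hostnames and paths are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions a wiper produces in bulk; operators rarely perform these in tight bursts
DESTRUCTIVE = {"DELETE", "OVERWRITE", "TRUNCATE"}
WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 20                   # destructive events per (host, user) within WINDOW

def parse_line(line):
    """Parse 'ISO-time host user ACTION path' into a tuple; return None on malformed input."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3], parts[4]

def detect_mass_destruction(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose destructive ops reach threshold within window."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of destructive ops still in window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in DESTRUCTIVE:
            continue
        ts, host, user = rec[0], rec[1], rec[2]
        q = recent[(host, user)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and (host, user) not in alerts:
            alerts[(host, user)] = (q[0], ts, len(q))  # first/last time and count at trigger
    return alerts

# Constructed sample: routine activity plus a wiper-like burst (hosts and paths are invented)
BASE = datetime(2025, 12, 29, 2, 14, 0)
SAMPLE = [
    "2025-12-29T02:10:01 rtu-gw-07 svc_backup WRITE /var/backups/daily.tar",
    "2025-12-29T02:12:40 eng-ws-03 jkowalski DELETE /home/jkowalski/tmp/old.log",
    "2025-12-29T02:13:55 scada-hmi-01 operator LOGIN_VPN -",
    "garbage line that should be skipped",
]
# 25 configuration files removed in 25 seconds from one host: the footprint a wiper leaves
SAMPLE += [
    f"{(BASE + timedelta(seconds=i)).isoformat()} scada-hmi-01 operator DELETE /opt/scada/config/site{i:02d}.cfg"
    for i in range(25)
]

if __name__ == "__main__":
    for (host, user), (first, last, n) in detect_mass_destruction(SAMPLE).items():
        print(f"ALERT {host}/{user}: {n} destructive ops between {first.time()} and {last.time()}")
```

The single isolated delete on eng-ws-03 never reaches the threshold, so only the burst on scada-hmi-01 produces an alert; tune WINDOW and THRESHOLD against a baseline of normal maintenance activity before deploying.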

What next?

The December incident shows that wiper attacks on IT and OT are a real threat, not only to the energy sector in Poland. For example, as early as August 2025, FedTech Magazine warned of the rising tide of wiper malware targeting U.S. federal security operations.

However, we don’t have to feel powerless. A well-secured infrastructure, regularly tested recovery mechanisms, and trained teams can determine whether the next attack goes up in smoke before it does any damage. To help you take the first step, we have prepared a PDF with questions to support your internal audit of IT and OT systems, to be used independently or as a starting point for discussion with your team.
