Monday, January 26, 2026

In late December 2025, a cyberattack targeted Poland’s energy infrastructure. According to an investigation by ESET, the operation has been attributed to the state-sponsored Sandworm group, also known as APT44, UAC-0113, and Seashell Blizzard. What makes this incident particularly notable is the use of a newly identified data-wiping malware called DynoWiper, as well as its timing: it nearly coincided with the 10th anniversary of Sandworm’s attack on Ukraine’s power grid, which caused widespread blackouts affecting more than 230,000 people.
Polish authorities disclosed that the attack specifically targeted two thermal power plants, along with electricity management systems for renewable energy sources, including wind turbines and solar farms. Polish Prime Minister Donald Tusk stated that the evidence clearly indicates the operation was prepared by actors linked to Russian state entities. DynoWiper is designed purely for destruction, systematically deleting files until the operating system becomes permanently unusable, forcing victims to restore systems from backups or perform complete reinstallation.
From a technical perspective, ESET detects this malware as Win32/KillFiles.NMO (SHA-1 hash: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6). As of now, no samples of DynoWiper have been uploaded to public malware repositories. Threat intelligence experts urge organizations to remain highly vigilant: even though the attack may not have fully achieved its objectives, Sandworm remains highly active. Earlier, in mid- and late 2025, the group conducted destructive cyberattacks against Ukraine’s education, government, and agricultural sectors, demonstrating its continued operational momentum.
