
Poland’s power system has just become the latest front line in a grinding cyber conflict that has been building since the first Russian tanks rolled into Ukraine. A destructive wiper attack on the country’s grid operators failed to plunge homes into darkness, but it came close enough that experts now see it as a live-fire test of Moscow’s ability to turn off the lights in a NATO state. Investigators say the tools, targets, and timing all point in the same direction: Russian state hackers, likely the Sandworm unit long tied to some of the most aggressive operations in Europe.

The incident is more than a one-off scare. It shows how quickly offensive techniques honed in Ukraine are being repurposed against Poland, a key logistics hub for Western support to Kyiv and a vocal critic of the Kremlin. It also exposes how fragile critical infrastructure remains, even in a country that has spent years warning about, and preparing for, exactly this kind of strike.

The wiper that went after the lights

Investigators say the attackers did not simply try to steal data or briefly knock systems offline; they deployed a wiper designed to permanently erase machines inside Poland’s power sector. The malicious code, which researchers have dubbed DynoWiper, was aimed at several entities that form part of the country’s energy generation and distribution infrastructure, including operators responsible for moving electricity from plants to consumers across Poland. According to technical analysis, the malware was tailored to sabotage industrial systems, not just office networks, and was capable of corrupting critical files in a way that would have made recovery slow and painful if it had fully executed, a pattern consistent with earlier reporting on the wiper attack in Poland.

Security teams say the operation unfolded in late December, when demand for electricity and heating was at its peak and any disruption would have been felt immediately by households and hospitals. The attackers reportedly gained access to systems that manage both traditional power plants and renewable sources, then tried to trigger DynoWiper across multiple sites in a coordinated push. Analysts estimate that if the malware had succeeded, it could have cut power and heat to up to 500,000 people, a figure that underscores how close Poland came to a major outage and that aligns with warnings that the targeted infrastructure served hundreds of thousands of customers across the country.

Why experts see Moscow’s hand

From the first forensic clues, specialists who track state-backed hacking groups saw familiar fingerprints. The toolset and techniques matched previous operations attributed to Russian government hackers, and researchers quickly linked DynoWiper to a cluster of activity they associate with Sandworm, a unit that Western governments say sits inside Russia’s Main Intelligence Directorate. One detailed assessment concluded that Russian state hackers were likely behind the attempted sabotage of Poland’s grid, citing overlaps in infrastructure, coding style, and operational tempo with earlier campaigns, and tying the activity to a group that has repeatedly targeted Polish interests.

Independent teams reached similar conclusions. Researchers who examined the malware and intrusion paths said the operation bore the hallmarks of Russian government hackers who have been active against Ukraine’s grid since at least 2015, and who have now turned their attention to Poland. One analysis described how the group used DynoWiper, which it calls a new strain, in an attempted power outage that was stopped before it could cause physical damage, reinforcing the view that this was not a criminal ransomware crew but a state-directed effort to test destructive capabilities against a NATO neighbor, as outlined by researchers and other reporting focused on Russian operations.

Sandworm’s evolving playbook

The group at the center of these findings, widely tracked as Sandworm, has a long record of cyber sabotage that makes its suspected role in Poland especially alarming. Sandworm is a common tracking name for Unit 74455 of Russia’s Main Intelligence Directorate, a military intelligence arm that Western officials have linked to power grid attacks in Ukraine, large-scale malware outbreaks, and operations against the Olympics. Analysts say the same unit has now been tied to the DynoWiper campaign against Poland’s power sector, extending a pattern in which the group refines its tools in one theater before redeploying them elsewhere, a trajectory that aligns with reporting placing Sandworm, Unit 74455 of Russia’s Main Intelligence Directorate, at the center of this activity.

Technical write-ups of DynoWiper describe it as a new addition to Sandworm’s arsenal, deployed in what some experts call an attempted Sandworm attack on the Polish power sector that fortunately failed to cause lasting disruption. The malware was engineered to overwrite data on targeted systems and corrupt boot records, a destructive behavior that fits with the group’s history of using wipers rather than extortion-focused ransomware. Analysts note that there is no evidence of successful disruption in this case, but they see the operation as a clear sign that Sandworm is experimenting with fresh code and delivery methods tailored to European grids, a view supported by research into the new malware used in the attempted Sandworm attack on the Polish power sector.

A near miss for Poland’s grid operators

Polish officials and grid operators have described the December incident as the largest cyberattack on the country’s power system to date, a campaign that targeted both transmission infrastructure and renewable energy assets. According to detailed reconstructions, the attackers focused on companies that manage high-voltage lines and wind or solar installations, hoping to create cascading failures that would be difficult to contain. Analysts say the timing, during peak winter demand, and the choice of targets suggest the goal was not just disruption but also psychological pressure on a population already watching war unfold next door, a pattern consistent with reports that the Russia-linked APT Sandworm hit Poland in December.

What prevented a blackout, according to people familiar with the response, was a mix of luck, preparation, and quick action by defenders. Intrusion detection systems flagged unusual activity early, allowing incident responders to isolate affected segments before DynoWiper could fully execute. Backup procedures and manual controls were activated at several sites, and engineers worked through the night to verify that critical systems were clean before bringing them back online. Local media later reported that the attacks could have left at least half a million households without heat and electricity, but that at no moment was critical infrastructure at risk thanks to these emergency measures, a narrative echoed in local media accounts that emphasize how close the country came to a serious outage.

Regional stakes and the road ahead

For Poland and its neighbors, the attempted grid sabotage is part of a broader pattern of Russian cyber pressure that has intensified since the invasion of Ukraine. Security analysts point out that ever since Russian forces crossed into Ukraine, countries in the region, including Poland, have faced a growing barrage of digital intrusions against government agencies, logistics hubs, and energy infrastructure. The latest wiper campaign fits that trend, targeting a state that has become a key transit route for weapons and aid to Kyiv and a vocal supporter of sanctions on Moscow, a dynamic captured in assessments that describe how, ever since the Russian invasion of Ukraine, Poland has been under sustained cyber pressure.

Poland’s experience is also being watched closely in Washington and other Western capitals, where officials worry that similar wiper attacks could be turned against grids, pipelines, and water systems. The Cybersecurity and Infrastructure Security Agency, known as CISA, has been urging operators to harden their defenses, share threat intelligence, and prepare for destructive scenarios that go beyond data theft or temporary outages. In its public guidance, CISA stresses that critical infrastructure owners need both technical tools and organizational resources to defend against these threats, a message that aligns with the lessons from Poland’s near miss and is reflected in CISA’s own advisories.
