Russian Hackers Target Poland’s Power Grid in Failed Wiper Malware Attack

In late December 2025, Poland’s critical energy infrastructure narrowly escaped a crippling cyberattack that targeted its power generation and distribution systems. Security researchers now attribute the attempted disruption to a notorious Russian state-linked hacking unit, marking a concerning escalation in cyber warfare against NATO members.

What Happened?

Between December 29 and 30, threat actors deployed a destructive strain of malware known as DynoWiper against at least two heat and power plants in Poland as well as communication systems managing wind turbines and other renewable energy resources. The malware was designed to erase data and render critical systems inoperable.

According to Polish officials and cybersecurity researchers, the attack was thwarted before any significant damage occurred. However, had it succeeded, the outage could have disrupted electricity and heat services for up to half a million homes in the midst of winter — a scenario Polish authorities describe as “the strongest attack” on their energy infrastructure in years.

Who Was Behind It?

Analysis by Slovakia-based cybersecurity firm ESET linked the malicious activity to the hacking group Sandworm, which is widely understood to be connected to Russia’s military intelligence agency, the GRU. The attribution is made with medium confidence, based on similarities in code structure and operational patterns to previous Sandworm attacks.

Sandworm has a long history of offensive cyber operations, including the 2015 cyberattack on Ukraine’s power grid that caused widespread outages, as well as other disruptive campaigns against critical infrastructure.

The Malware: DynoWiper

Wiper malware like DynoWiper is designed not merely to disrupt but to destroy files on targeted systems, effectively making restoration difficult without backups. Unlike ransomware, which holds data hostage, wiper malware permanently deletes the data it touches.

The decision to use such destructive code reflects a shift from espionage or data theft to outright sabotage — a more aggressive posture in cyber conflict that can have real-world consequences on public safety and national security.

Government and Security Response

Poland’s energy minister, Milosz Motyka, confirmed the attack and stated that robust defenses prevented critical infrastructure from being compromised. Prime Minister Donald Tusk echoed this sentiment, underscoring that “at no point was critical infrastructure at risk.”

Nonetheless, officials and industry observers caution that this incident should serve as a wake-up call. The sophistication of the attack and its timing — nearly ten years after a similar strike on Ukraine — highlight persistent vulnerabilities in energy systems across Europe.

Broader Implications

Though the attack failed, its scale and intent raise significant concerns about the evolving nature of state-sponsored cyber threats. Attacks on critical infrastructure — especially in allied nations — threaten not just data, but lives and livelihoods. They also underscore the importance of international cooperation, investment in defensive technologies, and continuous monitoring of energy networks.

As governments and companies bolster their digital defenses, the Poland incident stands as a stark reminder: cyber conflict is not theoretical — it’s happening now, and the stakes couldn’t be higher.