Alexander Culafi, Senior News Writer, Dark Reading
January 26, 2026

UPDATE

A destructive cyberattack against Poland's power grid last month has been attributed to Russia's Sandworm advanced persistent threat (APT) group.

Poland last month was targeted in a wiper attack against its energy grid that Minister of Energy Miłosz Motyka called one of the strongest the country had seen in years. Attackers on Dec. 29 and 30 targeted two combined heat and power plants, as well as "a system enabling the management of electricity generated from renewables (RES), i.e., renewable energy sources such as wind turbines and photovoltaic farms," according to an announcement on Prime Minister Donald Tusk's website. The announcement added that the attack failed and that "there was no blackout or other negative consequences."

Although Tusk did not name Sandworm in the Jan. 15 announcement, he pointed a finger at the Russian government as the likely party responsible. Researchers from security firm ESET on Jan. 23 attributed the attack to the infamous Russian threat group with medium confidence. Similarly, ESET said in its blog post that it was "not aware of any successful disruption occurring as a result of this attack."

Still, any potential offensive cyber action between nations is notable. While the exact motivations of a Russian attack against Poland are unclear, Poland is a NATO member state as well as a strategic ally of Ukraine. Russia has a history of targeting nations allied with Ukraine since the former's invasion of the latter began a few years ago; Russia has also allegedly targeted Poland in cyberattacks as recently as last summer.

Regarding the December attack, ESET saw what it described as "a strong overlap with numerous previous Sandworm wiper activity we analyzed," based on observed malware, as well as tactics, techniques, and procedures.

"Sandworm has a long history of disruptive cyberattacks, especially on Ukraine's critical infrastructure," ESET's blog read. "Meanwhile, the attack on Poland’s power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper. ESET security solutions detect DynoWiper as Win32/KillFiles.NMO."

ESET on Jan. 30 published a second blog post further noting that the threat actor's tactics, techniques, and procedures "closely resemble those seen earlier this year in an incident involving the ZOV wiper in Ukraine: Z, O, and V are Russian military symbols." ESET attributed the ZOV wiper attack to Sandworm with high confidence.

"Although Sandworm has previously targeted companies in Poland, it typically did so covertly – either for cyberespionage purposes only or by disguising its data-wiping activity as a ransomware attack, such as in the Prestige ransomware incidents," ESET wrote in the newest blog. "It is worth noting that we only attribute the data-wiping component of this activity to Sandworm with medium confidence. We do not have visibility into the initial access method used in this incident and therefore cannot assess how or by whom the first steps were carried out. In particular, the preparatory stages leading up to the destructive activity may have been conducted by another threat actor group collaborating with Sandworm."

Sandworm APT's Destructive Cyberattack Past

Sandworm is a notorious APT group, previously credited with some of the most infamous cyberattacks of all time. In 2015, it deployed BlackEnergy malware to disrupt the Ukraine power grid and leave hundreds of thousands without electricity for several hours. ESET researchers observed that this recent attack against Poland occurred on the 10th anniversary of the BlackEnergy attack. In 2017, Sandworm targeted organizations in Ukraine and more than 60 other countries with NotPetya, a destructive data wiping malware based on Petya ransomware.

Threat activity once again ramped up following Russia's invasion of Ukraine in early 2022. Sandworm launched regular wiper attacks against Ukraine both early in the initial invasion and more recently. According to an ESET report from September, Sandworm targeted Ukrainian governmental, energy, logistics, and grain sector organizations over the summer with wiper attacks. Researchers at the time noted, "Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country's war economy."

Though Sandworm has been credited with espionage-related activity in the past, it is best known as a force for destruction and disruption in accordance with Russian geopolitical goals. In addition to the aforementioned malware, Sandworm has also been spotted with other wiper strains like Industroyer (also known as CrashOverride). Industroyer, in particular, also used against Ukraine, was one of the more prominent cases of industrial control system/operational technology-focused malware observed since Stuxnet.

Enter DynoWiper, the malware used in last month's attack against Poland. Where DynoWiper differs from Sandworm favorite Industroyer is that while the latter focuses on OT environments, observed DynoWiper samples focused solely on the IT environment. Other factors also drifted beyond Sandworm's typical MO, hence the medium confidence attribution.

This article was updated on January 30, 2026 at 1:30 p.m. ET, with ESET's publishing of additional technical and attribution details.

A failed wiper attack on the Polish power grid has been attributed to the Russian APT group Sandworm. The group is known for targeting critical infrastructure organizations with destructive attacks.