Researchers Say Russian Government Hackers Were Behind the Attempted Poland Power Outage
Security researchers say Russian state-backed hackers were responsible for a failed cyberattack targeting Poland’s energy infrastructure in December, according to new findings.
A failed attempt in December to disrupt parts of Poland’s energy grid was carried out by Russian government-backed hackers with a history of targeting power infrastructure, according to findings from a cybersecurity firm that analysed the incident.
Poland’s energy minister, Milosz Motyka, told reporters last week that the cyberattack, which took place on December 29 and 30, involved hackers targeting two combined heat and power plants. The attackers also attempted to interfere with communication links between renewable energy installations — including wind turbines — and power distribution operators.
Motyka described the incident as the most serious cyberattack on Poland’s energy infrastructure in years. The Polish government publicly blamed Moscow for the operation. At the same time, local media reported that the attack could have cut heat and electricity to as many as half a million households nationwide.
On Friday, cybersecurity firm ESET said it had obtained a sample of the destructive malware used in the attempted attack. The company has named the malware DynoWiper. This category of malicious software, commonly referred to as “wiper” malware, is designed to erase data on infected systems, rendering them permanently unusable.
ESET attributed the malware with “medium confidence” to Sandworm, a well-known hacking group linked to Russia’s military intelligence service, the GRU. The attribution was based on what ESET described as a substantial overlap between DynoWiper and previously documented Sandworm tools, including malware the group has used in past attacks on Ukraine’s energy sector.
Independent journalist Kim Zetter first reported the findings.
As Zetter noted, the attempted cyberattack on Poland comes almost exactly ten years after Sandworm’s first publicly known operation against Ukraine’s energy infrastructure in 2015. That attack caused widespread power outages affecting more than 230,000 homes around Kyiv. A similar cyber operation targeted Ukraine’s power systems again the following year.
Following the December incident, Poland’s prime minister, Donald Tusk, said the country’s cybersecurity defences functioned as intended and emphasised that “at no point was critical infrastructure threatened.”