Russian-linked hackers deploy data-wiping malware in rare attack on Polish energy firm
Security researchers say a previously unknown wiper, attributed to the Sandworm group, was used in a failed cyberattack on an energy company in Poland, marking an unusual extension of destructive Russian-aligned activity beyond Ukraine.
A destructive cyberattack attributed to the Russia-aligned Sandworm group targeted an energy company in Poland late last year, according to new findings from Slovak cybersecurity firm ESET, marking an unusual escalation beyond Ukraine.
A previously unknown strain of data-wiping malware was used in an attempted attack on a Polish energy company in December 2025, in what researchers describe as a rare case of a Russia-aligned threat actor deploying destructive tools inside Poland.
ESET said it had identified the malware, dubbed DynoWiper, during an investigation into the incident, which ultimately caused limited damage after the attack was blocked by defensive software.
The company attributes the operation with medium confidence to Sandworm, a hacking group widely linked to Russian military intelligence and known for disruptive cyber operations.
DynoWiper is designed to irreversibly destroy data by overwriting files on fixed and removable drives before forcing a system reboot, rendering machines unusable.
According to ESET, the malware shares distinctive technical features with an earlier wiper called ZOV that was deployed against organisations in Ukraine, including similar file-handling logic and exclusions.
Three variants of DynoWiper were deployed inside the Polish victim’s network on 29 December, possibly after testing in virtual machines, but all attempts failed.
The targeted company has not been named, but ESET said it operates in the energy sector, a frequent focus of Sandworm activity during the war in Ukraine.
The attack focused on IT systems rather than industrial control technology, although researchers cautioned that operational technology capabilities could have featured elsewhere in the intrusion.
ESET said CERT Polska played a key role in analysing the incident.
While Sandworm has a long history of cyber operations in Poland, ESET said the use of destructive malware against a Polish energy company remains highly unusual and strategically significant.