The Russian nation-state hacking group known as Sandworm carried out what has been described as the “largest cyberattack ever” targeting Poland’s electricity system in the last week of December 2025.
The country’s Energy Minister Miloš Motyka said last week that the attack was unsuccessful.
“The command of the cyberspace forces has diagnosed the strongest attack in years on energy infrastructure in the last days of the year,” Motyka was quoted as saying.
According to a new report from ESET, the attack was the work of Sandworm, which deployed a previously undocumented Wiper malware codename. dinoviper. Sandworm’s links are based on overlap with prior Viper activity linked to a rival, particularly after Russia’s military invasion of Ukraine in February 2022.
The Slovakian cybersecurity company, which identified the use of Viper as part of an attempted disruption attack targeted at the Polish energy sector on December 29, 2025, said there was no evidence of successful disruption.
The Polish government said the attacks, which took place on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants, as well as systems enabling the management of electricity generated from renewable energy sources such as wind turbines and photovoltaic farms.
Prime Minister Donald Tusk said, “Everything indicates that these attacks were prepared by groups directly linked to Russian services.” He said the government is preparing additional security measures, including a major cybersecurity law that will impose strict requirements on risk management, security of information technology (IT) and operational technology (OT) systems and incident response.
It is worth noting that this activity occurred on the tenth anniversary of the Sandworm attack against the Ukrainian power grid in December 2015, which led to the deployment of BlackEnergy malware, plunging parts of Ukraine’s Ivano-Frankivsk region into darkness.
The Trojan, which was used to plant wiper malware called KillDisk, caused a 4-6-hour power outage for about 230,000 people.
“Sandworm has a long history of disruptive cyberattacks, particularly on Ukraine’s critical infrastructure,” ESET said. “Fast forward a decade and Sandworm continues to target entities operating in a variety of critical infrastructure sectors.”
In June 2025, Cisco Talos said that a critical infrastructure unit within Ukraine was targeted by previously undiscovered data wiper malware named PathViper, which shares some level of functional overlap with Sandworm’s HermeticWiper.
The Russian hacking group has also been observed deploying data-wiping malware such as ZeroLoat and Sting into Ukrainian university networks, followed by serving multiple data-wiping malware variants against Ukrainian entities active in the government, energy, logistics and grain sectors between June and September 2025.
