Sandworm’s DynoWiper Attack Targeting Polish Combined Heat and Power and Renewable Energy Management Systems: Incident Analysis and Lessons Learned – Rescana
Executive Summary
In December 2025, the Polish energy sector experienced a sophisticated cyberattack attributed to the Russian state-sponsored advanced persistent threat (APT) group Sandworm. The attack utilized a newly identified data-wiping malware named DynoWiper targeting critical energy infrastructure, including combined heat and power (CHP) plants and renewable energy management systems. Despite the advanced nature of the attack, Polish authorities and security teams successfully detected and mitigated the threat before any operational impact occurred. This report provides a detailed technical analysis of the incident, the threat actor’s profile, their tactics, techniques, and procedures (TTPs), and actionable mitigation strategies for organizations in critical infrastructure sectors. The incident highlights the importance of safeguarding sustainable energy systems, aligning with the United Nations Sustainable Development Goals (SDGs), particularly SDG 7 (Affordable and Clean Energy) and SDG 9 (Industry, Innovation, and Infrastructure).
Threat Actor Profile
Sandworm is a notorious Russian APT group, also known as APT44, UAC-0113, Seashell Blizzard, and Voodoo Bear. Believed to operate under the Russian GRU (Main Intelligence Directorate), Sandworm has a history of targeting critical infrastructure in Ukraine and Europe. Their operations include the 2015 and 2016 Ukrainian power grid attacks using BlackEnergy and Industroyer malware, the 2017 NotPetya ransomware/wiper campaign, and multiple wiper attacks during the ongoing Russia-Ukraine conflict. The group’s focus on destructive malware and high-impact, politically motivated operations poses significant risks to critical infrastructure, threatening SDG 16 (Peace, Justice, and Strong Institutions) by undermining security and stability.
Technical Analysis of Malware and Tactics, Techniques, and Procedures (TTPs)
The primary malware used in the December 2025 attack was DynoWiper, detected by ESET as Win32/KillFiles.NMO. This data-wiping tool irreversibly deletes files and corrupts system components on Windows hosts, rendering them inoperable (effectively bricking them). The method is consistent with previous Sandworm wiper campaigns such as KillDisk, HermeticWiper, and CaddyWiper.
The initial access vector remains undisclosed; however, based on Sandworm’s historical TTPs, likely methods include spear-phishing, exploitation of public-facing applications, and use of stolen credentials. Once inside, DynoWiper was deployed across operational technology (OT) and information technology (IT) systems to maximize disruption.
The attack coincided with the 10th anniversary of Sandworm’s 2015 attack on Ukraine’s power grid, indicating symbolic intent and a demonstration of ongoing capability.
Key MITRE ATT&CK Techniques Observed or Suspected
- T1485 – Data Destruction
- T1561 – Disk Wipe
- T1204 – User Execution
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts
Exploitation in the Wild
The December 2025 attack on Poland’s energy sector was unsuccessful but forms part of a broader pattern of Sandworm activity targeting European critical infrastructure. Throughout 2025, Sandworm conducted multiple wiper attacks in Ukraine using malware families such as PathWiper, HermeticWiper, ZEROLOT, and Sting against government, energy, logistics, and agricultural sectors. The attempted attack on Poland represents a significant escalation, extending destructive operations beyond Ukraine into the European Union.
The Polish incident specifically targeted two CHP plants and a management system for wind and photovoltaic farms. Thanks to robust monitoring and incident response capabilities, the attack was detected and contained before operational disruption occurred. This incident underscores the critical need to protect sustainable energy infrastructure, supporting SDG 7 (Affordable and Clean Energy) and SDG 13 (Climate Action) by ensuring resilience of renewable energy systems.
Victimology and Targeting
The primary victims were entities within Poland’s energy sector, particularly operators of combined heat and power plants and renewable energy management systems. This targeting aligns with Sandworm’s strategic objective to undermine critical infrastructure for geopolitical aims. The timing, coinciding with the anniversary of the 2015 Ukrainian blackout, suggests a message to Poland and the broader European community regarding Sandworm’s capabilities and willingness to escalate.
Historically focused on Ukraine, Sandworm’s recent campaigns indicate an expanded scope to other European countries, especially those supporting Ukraine or opposing Russian interests. Targeting both traditional and renewable energy assets demonstrates an understanding of the evolving energy landscape and a willingness to disrupt legacy and modern infrastructure alike. This poses challenges to achieving SDG 7 (Affordable and Clean Energy) and SDG 9 (Industry, Innovation, and Infrastructure).
Mitigation and Countermeasures
Organizations operating in critical infrastructure sectors should adopt a multi-layered defense strategy to mitigate risks posed by Sandworm and similar threat actors. Key recommendations include:
- Network Segmentation: Isolate critical OT and IT systems from business networks and the public internet to reduce attack surfaces and limit lateral movement.
- Endpoint Protection: Deploy and regularly update endpoint protection solutions to detect and block wiper malware, including signatures for Win32/KillFiles.NMO and related threats.
- Incident Response Planning: Review and test incident response plans with specific scenarios for destructive malware and wiper attacks to ensure rapid containment and recovery.
- User Awareness Training: Conduct training to reduce risks from spear-phishing and social engineering, common initial access vectors for APT groups.
- Patch Management: Implement rigorous patch management with prompt application of security updates, especially for internet-exposed systems.
- Access Controls: Enforce least privilege principles and monitor for anomalous account activity indicating credential compromise.
Additionally, organizations should monitor for indicators of compromise (IOCs) associated with DynoWiper and other Sandworm tools, including the SHA-1 hash 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 and the ESET detection name Win32/KillFiles.NMO. Collaboration with national cybersecurity authorities and participation in information sharing initiatives can enhance situational awareness and collective defense. These measures contribute to SDG 16 (Peace, Justice, and Strong Institutions) by strengthening institutional resilience and security.
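An added hunting script (not part of Rescana's report) that sweeps a directory tree for files matching the SHA-1 above and scans antivirus log lines for the ESET detection name. The log line format, host names, timestamps and the second detection name in the sample are constructed assumptions; adapt the regex to the real product's export.

```python
import hashlib
import os
import re

# IoCs quoted in the report above: DynoWiper sample SHA-1 and ESET detection name.
DYNOWIPER_SHA1 = "4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6".lower()
DYNOWIPER_DETECTION = "Win32/KillFiles.NMO"

def is_ioc_hash(hexdigest, iocs=frozenset({DYNOWIPER_SHA1})):
    """Case-insensitive match of a SHA-1 hex digest against the IoC set."""
    return hexdigest.strip().lower() in iocs

def sha1_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hunt_files(root):
    """Return paths under root whose SHA-1 matches a known wiper sample."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if is_ioc_hash(sha1_of_file(path)):
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
    return hits

# Assumed (hypothetical) AV export format: "<timestamp> <host> detected=<name> path=<path>".
LOG_RE = re.compile(r"^(\S+)\s+(?P<host>\S+)\s+detected=(?P<name>\S+)\s+path=(?P<path>.+)$")

def hunt_logs(lines, detection=DYNOWIPER_DETECTION):
    """Return (host, path) pairs for log lines carrying the DynoWiper detection name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("name").lower() == detection.lower():
            hits.append((m.group("host"), m.group("path")))
    return hits

# Constructed sample log lines (host names, times and the second detection name are invented).
SAMPLE_LOG = """2025-12-29T03:14:07Z chp-hmi-02 detected=Win32/KillFiles.NMO path=C:\\Users\\Public\\svc.exe
2025-12-29T03:14:09Z chp-hmi-02 detected=Win32/Example.Benign path=C:\\Temp\\a.exe
2025-12-29T03:15:41Z wind-mgmt-01 detected=win32/killfiles.nmo path=D:\\Scada\\update.exe""".splitlines()
```

Call `hunt_logs(SAMPLE_LOG)` to see the two matching hosts and `hunt_files(path)` to sweep a mounted image or share; a hit on either warrants isolating the host before the wiper's payload runs.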
References
Technical and threat intelligence sources related to this report are available upon request.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chains and critical infrastructure. Our advanced threat intelligence and risk management solutions empower clients to proactively defend against emerging threats and ensure operational resilience. This commitment supports multiple Sustainable Development Goals by promoting secure, resilient, and sustainable infrastructure.
For more information about our platform or to discuss how Rescana can support your organization’s cybersecurity strategy, please contact us at ops@rescana.com.
1. Sustainable Development Goals (SDGs) Addressed or Connected
- SDG 7: Affordable and Clean Energy
- The article discusses attacks on Poland’s combined heat and power (CHP) plants and renewable energy management systems, highlighting the importance of protecting clean energy infrastructure.
- SDG 9: Industry, Innovation, and Infrastructure
- The focus on critical infrastructure protection, cybersecurity, and resilience of energy systems aligns with SDG 9’s goal to build resilient infrastructure and foster innovation.
- SDG 16: Peace, Justice, and Strong Institutions
- The article addresses cyberattacks by a state-sponsored group, emphasizing the need for strong institutions, cybersecurity governance, and conflict prevention.
- SDG 17: Partnerships for the Goals
- Collaboration with national cybersecurity authorities and information sharing initiatives mentioned in the article reflect the importance of partnerships to strengthen cybersecurity and resilience.
2. Specific Targets Under Those SDGs Identified
- SDG 7: Affordable and Clean Energy
- Target 7.2: Increase substantially the share of renewable energy in the global energy mix.
- Target 7.a: Enhance international cooperation to facilitate access to clean energy research and technology.
- SDG 9: Industry, Innovation, and Infrastructure
- Target 9.1: Develop quality, reliable, sustainable, and resilient infrastructure.
- Target 9.c: Increase access to information and communications technology and strive to provide universal and affordable access to the Internet.
- SDG 16: Peace, Justice, and Strong Institutions
- Target 16.6: Develop effective, accountable, and transparent institutions at all levels.
- Target 16.b: Promote and enforce non-discriminatory laws and policies for sustainable development.
- SDG 17: Partnerships for the Goals
- Target 17.16: Enhance the global partnership for sustainable development, complemented by multi-stakeholder partnerships.
- Target 17.17: Encourage and promote effective public, public-private, and civil society partnerships.
3. Indicators Mentioned or Implied to Measure Progress
- Indicators related to SDG 7
- Share of renewable energy in total final energy consumption (implied by focus on renewable energy management systems).
- Number of energy infrastructure facilities protected against cyber threats (implied by mitigation and monitoring efforts).
- Indicators related to SDG 9
- Proportion of infrastructure that is resilient to cyberattacks and operational disruptions (implied by successful detection and mitigation of attacks).
- Access to cybersecurity technologies and implementation of network segmentation and endpoint protection (implied by recommended countermeasures).
- Indicators related to SDG 16
- Number of institutions with established cybersecurity incident response plans and user awareness training programs (implied by mitigation strategies).
- Frequency and effectiveness of collaboration between national cybersecurity authorities and organizations (implied by information sharing initiatives).
- Indicators related to SDG 17
- Number and quality of partnerships established for cybersecurity information sharing and collective defense (implied by collaboration efforts).
4. Table of SDGs, Targets, and Indicators
| SDGs | Targets | Indicators |
|---|---|---|
| SDG 7: Affordable and Clean Energy | 7.2: Increase substantially the share of renewable energy in the global energy mix; 7.a: Enhance international cooperation to facilitate access to clean energy research and technology | Share of renewable energy in total final energy consumption; number of energy infrastructure facilities protected against cyber threats |
| SDG 9: Industry, Innovation, and Infrastructure | 9.1: Develop quality, reliable, sustainable, and resilient infrastructure; 9.c: Increase access to information and communications technology and strive to provide universal and affordable access to the Internet | Proportion of infrastructure resilient to cyberattacks and operational disruptions; access to cybersecurity technologies and implementation of network segmentation and endpoint protection |
| SDG 16: Peace, Justice, and Strong Institutions | 16.6: Develop effective, accountable, and transparent institutions at all levels; 16.b: Promote and enforce non-discriminatory laws and policies for sustainable development | Number of institutions with established incident response plans and user awareness training programs; frequency and effectiveness of collaboration between national cybersecurity authorities and organizations |
| SDG 17: Partnerships for the Goals | 17.16: Enhance the global partnership for sustainable development, complemented by multi-stakeholder partnerships; 17.17: Encourage and promote effective public, public-private, and civil society partnerships | Number and quality of partnerships established for cybersecurity information sharing and collective defense |
Source: rescana.com