Russia-linked hackers with a track record of sabotaging infrastructure operations were behind a failed attempt to disrupt Poland’s power grid late last year, in what Warsaw has described as a deliberate cyberattack on the country’s energy infrastructure.
Poland’s prime minister Donald Tusk said in a statement that systems had blocked cyberattacks on 29 and 30 December targeting parts of the national energy sector, including facilities linked to electricity generation and renewables. In a subsequent technical analysis, security firm ESET attributed the operation to Sandworm, a long-tracked hacking group widely associated with Russian military intelligence.
According to ESET, the attackers deployed a previously undocumented data-wiping malware strain, dubbed DynoWiper, during the campaign.
The firm said the tooling and behaviour observed during the intrusion showed “a strong overlap with numerous previous Sandworm wiper activity,” linking the incident to a pattern of destructive operations previously seen in Ukraine and elsewhere. ESET added that it was “not aware of any successful disruption occurring as a result of this attack.”
ESET noted that the attempted attack occurred almost exactly 10 years after Sandworm’s 2015 cyber operation against Ukraine’s power grid, the first known blackout caused by a cyberattack. That attack, widely attributed to Russian state-backed actors, is now routinely cited in discussions about the risk of cyber sabotage against civilian infrastructure.
Warsaw has been unusually direct about attribution.
“Everything indicates that these attacks were prepared by groups directly linked to the Russian services,” said a statement from Donald Tusk published by the Prime Minister’s Office — signalling that the government views the incident as a state-backed operation, not a run-of-the-mill criminal intrusion.
Tusk further warned that while Poland’s defences held, the attacks posed a serious risk to both energy security and the wider security of the state.
The government said the attempted intrusions targeted two combined heat and power plants, as well as systems used to manage electricity generated from renewable energy sources such as wind and solar. Existing protections prevented any outages or physical damage, officials said, but the attempted attack was still serious enough to be treated as a national security issue.
Tusk said he had instructed ministers and security services to operate at “full capacity” in response, adding that Poland must be prepared for further attempts against critical infrastructure.
The statement also pointed to planned legislative changes, including work on the Act on the National Cybersecurity System, aimed at strengthening protections across both IT and operational technology environments.
The incident adds to a growing list of Russia-linked cyber operations aimed at energy infrastructure, even outside Ukraine. Although Poland avoided disruption, the choice of target, timing, and tooling points to cyber activity being used as a means of strategic pressure on NATO and EU countries.
The incident also comes just weeks after a major power outage in Berlin, where a suspected arson attack on high-voltage cables knocked out electricity for around 45,000 households and more than 2,000 businesses over several days, marking the city’s longest blackout since World War II.
