Sandworm DynoWiper wiper attack on Polish energy infrastructure

Malware Activity
Happening score
H score 36
3 unique sources, 4 articles

Summary

Sandworm used DynoWiper, a previously undocumented wiper malware, in a failed attack against Poland's energy sector. The activity targeted two combined heat and power plants and a system managing electricity from wind turbines and photovoltaic farms. Polish officials said the attack was unsuccessful and there is no evidence of successful disruption.

Related Happenings

Lotus Wiper destructive campaign targeting Venezuela's energy and utilities sector

Campaign
First: 22.04.2026 13:55 Last: 22.04.2026 13:55 Sources 1

About this happening: The **Lotus Wiper** operation targeted **Venezuela's energy and utilities sector** in a **destructive campaign** spanning the end of **2025** and the start of **2026**, indicating...

Electrum and Kamicite destructive OT/ICS campaign

Campaign
First: 17.02.2026 23:31 Last: 17.02.2026 23:31 Sources 1

About this happening: A **2025 destructive campaign** tied to **Electrum** and **Kamicite** combined **persistent scanning** with attacks that could disrupt industrial and communications infrastructure...

Poland's energy sector hit by network compromise

Incident
First: 17.02.2026 23:31 Last: 17.02.2026 23:31 Sources 1

About this happening: A **wiper attack** hit **Poland's energy sector** on **Dec. 29 and 30, 2025**, damaging OT visibility and firmware across **more than 30 renewable energy farms** and other facilit...

Static Tundra destructive campaign against Polish energy and manufacturing targets

Campaign
First: 31.01.2026 09:05 Last: 31.01.2026 09:05 Sources 1

How related: CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country.

About this happening: The **Static Tundra** operation used **destructive attacks** against **more than 30 wind and photovoltaic farms**, a **manufacturing company**, and a **CHP plant** in **Poland**....

Polish power grid hit by network compromise

Incident
First: 28.01.2026 18:06 Last: 28.01.2026 18:06 Sources 1

How related: The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems.

About this happening: Dragos disclosed a late-December cyberattack on the Polish power grid that disrupted OT communication and control at distributed generation sites. The intrusion affected combined...

Latest development: 29.01.2026 00:14

Dragos says a coordinated cyberattack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. The activity compromised OT systems, damaged key equipment beyond repair, disabled communications equipment at multiple sites, and wiped Windows systems. Power generation was not interrupted. At least 12 sites are confirmed affected, with Dragos estimating about 30. Dragos attributes the activity with moderate confidence to the Russian threat actor Electrum and describes it as distinct from Sandworm (APT44).

Timeline

  1. 29.01.2026 00:14 1 article · 3mo ago

    Dragos attributes Poland power-grid attack to Electrum

    Attribution Update

    Dragos attributes the late-December attack on Poland's power grid, with moderate confidence, to the Russian activity cluster Electrum, noting overlap with Sandworm (APT44) but treating Electrum as a distinct cluster. The group targeted exposed and vulnerable RTUs, network edge devices, monitoring and control systems, and Windows-based machines at DER sites, disabled communications equipment at multiple sites, and wiped some Windows systems.

  2. 24.01.2026 10:21 3 articles · 4mo ago

    Sandworm DynoWiper wiper attack on Polish energy infrastructure

    Initial Disclosure

    The activity first appeared as a late-December 2025 disruptive attempt against **Poland's energy infrastructure** using a new wiper payload. Early assessments indicated the attack did not cause successful disruption.
