
Cyberattack on the Polish energy sector: lessons for IT/OT
xopero.com • Monday, February 2, 2026 • Poland

At the end of December 2025, Poland’s energy infrastructure became the target of coordinated cyberattacks involving wiper malware. They did not lead to power outages or blackouts. The Polish government confirmed that the defense was successful.

The cyberattack took place on December 29, 2025. It targeted multiple wind and solar farms, a private manufacturing company, and a combined heat and power plant supplying heat to nearly half a million customers in Poland. The attack used wiper malware, including DynoWiper (detected as Win32/KillFiles.NMO) and LazyWiper. ESET experts attributed the attack to the Russia-aligned Sandworm APT with medium confidence, while Dragos pointed to the ELECTRUM group. CERT Polska noted overlaps with the Dragonfly / Berserk Bear cluster.

The attackers exploited a lack of MFA on VPN gateways to target remote terminal units (RTUs) and communication systems managing distributed energy sources. While electricity production was not disrupted, communication was lost at approximately 30 sites, requiring manual physical intervention by technicians to 'un-brick' devices.