Hackers Linked to Russia Target Power Infrastructure in Europe With New Data-Wiping Malware

A state-backed cyberattack attempted to deploy destructive wiper malware against national energy systems, raising fresh concerns over critical infrastructure security.

Overview

Cybersecurity researchers have linked a late-December 2025 cyberattack on Poland’s power infrastructure to Sandworm, a notorious Russian state-sponsored threat group known for destructive cyber operations.

The attackers attempted to deploy a previously unseen data-wiping malware strain dubbed DynoWiper, marking a dangerous escalation in cyber activity targeting European energy systems.

What Happened

The attack occurred between December 29 and 30, 2025, and targeted two combined heat and power plants. It also impacted a centralized management system responsible for controlling electricity generation from renewable energy sources, including wind turbines and solar farms.

Polish authorities confirmed that the intrusion focused on operational technology rather than consumer systems, indicating a deliberate attempt to disrupt energy production.

Who Is Behind the Attack

Security researchers attribute the operation to Sandworm, a Russian state-aligned hacking group active since 2009. The group has a long history of targeting critical infrastructure across Europe.

Nearly a decade earlier, Sandworm carried out a cyberattack on Ukraine’s energy grid that left around 230,000 people without electricity, establishing the group’s reputation for destructive cyber warfare.

Poland’s Prime Minister Donald Tusk publicly stated that evidence strongly suggests the attackers were directly linked to Russian intelligence services.

About DynoWiper

DynoWiper is destructive malware designed to render systems unusable. Once executed, it systematically deletes files across the filesystem. After it completes, affected systems require full restoration from backups or complete reinstallation.

Security firm ESET detects the malware as Win32/KillFiles.NMO. At the time of reporting, no public malware samples had appeared on major analysis platforms, suggesting limited deployment or rapid containment.

Why This Matters

This incident reinforces a growing pattern. State-sponsored cyber operations increasingly target energy infrastructure, especially during periods of geopolitical tension.

Even when attacks fail to cause widespread outages, they demonstrate intent, capability, and reconnaissance of critical systems. That alone poses a significant national security concern.

Ongoing Threat Landscape

Sandworm has also been linked to destructive attacks against Ukraine’s education, government, and agricultural sectors throughout 2025. Analysts warn that similar operations may continue across Europe as hybrid warfare tactics expand beyond traditional battlefields.