In late December 2025, the Polish energy sector was targeted by a coordinated series of destructive cyberattacks using new malware tracked as DynoWiper [1]. The operation affected over 30 renewable energy sites and a major combined heat and power plant during a period of extreme cold.
Key Technical Observations:
- DynoWiper is a destructive tool designed to overwrite or delete data. It shares significant code overlaps with the “ZOV” wiper previously used in Ukraine [2].
- The attack focused on the distributed edge, specifically targeting Remote Terminal Units (RTUs) at wind and solar farms. Attackers damaged firmware to disable remote communication with the grid operator.
- In several instances, access was gained via internet-exposed edge devices lacking multi-factor authentication (MFA).
Attribution Discrepancy
A fairly uncommon disagreement exists between private industry and Polish officials regarding the actor:
- Sandworm (GRU): Linked by ESET and Dragos due to technical malware lineage and the 10th anniversary of the 2015 Ukraine blackout [3].
- Dragonfly/Berserk Bear (FSB): Formally attributed by CERT.PL based on specific C2 infrastructure overlaps with current FSB espionage operations [4].
The evidence suggests a collaborative model or shared contractor network. One agency likely provided the initial access/infrastructure while the other provided the specialized destructive tradecraft. Targeting Polish critical infrastructure marks a shift for FSB-aligned actors from long-term pre-positioning to active destruction against NATO critical infrastructure.
References
[1] https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
[3] https://pylos.co/2026/01/31/attributive-questions-in-high-profile-incidents/
[4] https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/

