In late December 2025, Poland faced a serious cyber threat when coordinated attacks attempted to disrupt segments of its national power grid. Subsequent investigations by cybersecurity agencies and independent researchers have now attributed these attacks to Sandworm, a highly sophisticated advanced persistent threat (APT) group widely linked to Russia’s military intelligence agency, the GRU.
Who is Sandworm?
Sandworm is one of the most notorious state-linked cyber threat groups globally. Active for over a decade, it has been associated with some of the most destructive cyberattacks on critical infrastructure, including Ukraine’s power grid disruptions (2015–2016), the NotPetya wiper attack, and multiple operations targeting energy, transport, and government systems across Europe. The group is known for blending espionage with sabotage, often deploying wiper malware designed to permanently destroy systems rather than steal data.
Nature of the Poland Attacks
The December 2025 incidents targeted organizations connected to Poland’s electricity transmission and distribution ecosystem. While no nationwide blackout occurred, investigators confirmed attempted deployment of wiper malware, a class of malicious code engineered to erase disks, corrupt firmware, and render systems inoperable.
Unlike ransomware, which seeks financial gain, wiper malware is intended to cause disruption, economic damage, and psychological impact. Analysts believe the attackers sought to test access, mapping operational technology (OT) environments and demonstrating capability rather than triggering a full-scale outage.
The attacks come amid heightened geopolitical tensions between Russia and NATO, with Poland playing a central role as a regional security and logistics hub. Targeting energy infrastructure aligns with Sandworm’s historical playbook: using cyber operations as an extension of state power to signal deterrence, sow uncertainty, and undermine public confidence.
Implications for Critical Infrastructure Security
This incident underscores the growing vulnerability of power grids and other critical infrastructure to state-sponsored cyber operations. Even limited or failed attacks force operators to divert resources, shut down systems for investigation, and reassess operational resilience.
For European nations, the Poland case reinforces the need for:
- Stronger segmentation between IT and OT networks
- Continuous monitoring for destructive malware
- Cross-border intelligence sharing and rapid incident response coordination
The attribution of the Poland power grid attacks to Sandworm highlights a clear and ongoing threat from state-backed cyber actors willing to use destructive tools against civilian infrastructure. While immediate damage was contained, the incident serves as a warning: cyber warfare targeting energy systems is no longer theoretical but an active element of modern geopolitical conflict.