ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025

Key takeaways:

  • The Russia-aligned Sandworm APT group targeted Poland’s power grid in late 2025 using a new destructive wiper called DynoWiper.
  • A critical VMware vCenter vulnerability (CVE-2024-37079) with a CVSS score of 9.8 is being actively exploited in the wild.
  • State-sponsored actors like Konni are now leveraging AI-generated code to develop sophisticated PowerShell backdoors.
  • The Ethereum Foundation is transitioning to Post-Quantum security architecture, aiming for implementation by 2026 to resist future quantum attacks.

In late 2025, Poland’s national energy infrastructure became the target of a coordinated disruptive operation. Technical analysis conducted by ESET Research identifies the Russia-aligned Advanced Persistent Threat (APT) group Sandworm as the primary actor. This incident involved the deployment of a specialized data-wiping malware, subsequently named DynoWiper. While the operation did not result in a successful widespread blackout, the technical sophistication and historical context of the attack indicate a persistent focus on critical infrastructure within the European theater.

The attribution of the December 2025 attack to Sandworm rests on a high degree of overlap with Tactics, Techniques, and Procedures (TTPs) and on code similarities with malware seen in earlier Sandworm operations. ESET detects the wiper as Win32/KillFiles.NMO, a data-destruction utility that renders systems inoperable by destroying file structures. This iteration, named DynoWiper, is a further refinement of the wiper tooling Sandworm has used against Ukrainian targets over the past decade.

Technical Context and Historical Significance

The timing of the operation against Poland’s power grid is noteworthy, as it coincided with the 10th anniversary of the December 2015 attack on the Ukrainian electrical grid. That 2015 operation, which utilized the BlackEnergy malware, resulted in the first recorded malware-induced power outage, affecting approximately 230,000 residents. The 2025 Polish incident demonstrates that Sandworm continues to prioritize the disruption of energy sectors, particularly in nations providing strategic support to Ukraine.

Throughout 2025, Sandworm maintained a high operational tempo, frequently deploying wipers against various critical infrastructure entities. ESET’s APT Activity Report for the period of April to September 2025 documented a consistent pattern of destructive campaigns. The utilization of DynoWiper in Poland suggests an attempt to export these disruptive capabilities beyond the borders of Ukraine, targeting the stability of NATO member states’ essential services.

Analysis of DynoWiper (Win32/KillFiles.NMO)

DynoWiper is built for speed and for destruction rather than extortion. Unlike ransomware, which encrypts data and holds it for payment, a wiper has no recovery path by design. Wipers of this class commonly overwrite file contents and file-system metadata (the master boot record, partition tables, files with targeted extensions) so that recovery is either impossible or demands extensive manual rebuilding by disaster-recovery teams. Because the wiper is the last thing the intruder runs, defenders have to catch the earlier phases, initial access and lateral movement, in the days or weeks before the destructive payload lands; once a wiper executes, detection no longer prevents the damage.

The Indicators of Compromise (IoCs) published for the Polish campaign include the SHA-1 hash 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6. Security engineers should load it into their detection logic to find residual footprints or parallel campaigns against similar infrastructure, with one caveat: a file hash matches only this exact build, and a recompiled or repacked wiper carries a different one, so hash matching should sit alongside behavioral detection of the wiper's access pattern (a single process modifying or deleting large numbers of files across many directories within seconds).
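The two-layer check described above, as an added example written for this article rather than code from ESET or from the PurpleOps platform: an exact SHA-1 match against the published IoC, plus a behavioral rule over file-event telemetry that flags a process touching many distinct files across many directories inside a short sliding window. The events are constructed here in a Sysmon-like shape (timestamp, pid, image, action, path); the thresholds, the process names and the paths are assumptions to tune against your own baseline.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SHA-1 published for the DynoWiper sample (quoted in the article above).
DYNOWIPER_SHA1 = {"4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6"}


def sha1_matches(data: bytes, iocs=frozenset(DYNOWIPER_SHA1)) -> bool:
    """Exact-hash check. It catches only this build: a recompiled wiper has a new hash."""
    return hashlib.sha1(data).hexdigest().lower() in iocs


def constructed_file_events():
    """Constructed file-event telemetry in a Sysmon-like shape (not real data):
    (utc_timestamp, pid, image, action, target_path)."""
    base = datetime(2025, 12, 29, 20, 15, 0)
    events = []
    # Benign: an editor saving a few files over a minute.
    for i in range(5):
        events.append((base + timedelta(seconds=12 * i), 4120,
                       r"C:\Program Files\Editor\editor.exe", "write",
                       rf"C:\Users\ops\notes\doc{i}.txt"))
    # Suspicious: a binary dropped in Temp overwriting 300 files in 25 directories
    # in under four seconds, the access pattern a wiper produces.
    for i in range(300):
        events.append((base + timedelta(milliseconds=13 * i), 6688,
                       r"C:\Windows\Temp\update.exe", "write",
                       rf"C:\Users\ops\share\dir{i % 25}\file{i}.dat"))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_file_modification(events, window=timedelta(seconds=10),
                                  min_files=100, min_dirs=10):
    """Flag any process that writes or deletes at least min_files distinct files
    spread over at least min_dirs directories inside one sliding time window.
    Returns {pid: (image, files_in_window, dirs_in_window)} for offenders."""
    per_process = defaultdict(list)
    for ts, pid, image, action, path in events:
        if action in ("write", "delete"):
            per_process[(pid, image)].append((ts, path))

    alerts = {}
    for (pid, image), records in per_process.items():
        records.sort()
        recent = deque()
        for ts, path in records:
            recent.append((ts, path))
            # Drop events that have fallen out of the window.
            while ts - recent[0][0] > window:
                recent.popleft()
            files = {p for _, p in recent}
            dirs = {p.rsplit("\\", 1)[0] for p in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts[pid] = (image, len(files), len(dirs))
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for pid, (image, n_files, n_dirs) in detect_mass_file_modification(
            constructed_file_events()).items():
        print(f"ALERT pid={pid} image={image} files={n_files} dirs={n_dirs}")
```

The benign editor never reaches the threshold; the Temp binary trips the rule on its 100th distinct file, long before it finishes, which is the point: the rule fires on the pattern of the behavior, not on the identity of the binary, so it still fires for a build whose hash you have never seen.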

Critical Infrastructure Vulnerabilities: The VMware vCenter Flaw

The threat to critical infrastructure is exacerbated by the exploitation of zero-day and n-day vulnerabilities in enterprise software. In January 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog. This critical heap overflow vulnerability affects Broadcom VMware vCenter Server and carries a CVSS score of 9.8.

The flaw sits in vCenter's implementation of the DCE/RPC protocol: an unauthenticated attacker with network access to the server can trigger remote code execution (RCE) by sending a specially crafted packet. It belongs to a wider set of vCenter flaws, CVE-2024-37080 and CVE-2024-38812 (also heap overflows in the DCE/RPC code) and CVE-2024-38813 (privilege escalation). The heap overflows give code execution on their own; combined with the privilege-escalation bug, the result is root on the vCenter Server and, from there, control of every managed ESXi host and the virtual machines on them. Two practitioner notes: Broadcom's first patches for CVE-2024-38812 were incomplete and were reissued the following month, so confirm that the installed build is the re-released fix rather than merely that a patch was applied; and because the attack surface is a network listener, vCenter's management interfaces should be reachable only from a restricted administrative network, never from the internet.
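One way to turn the "reachable only from an administrative network" rule into a check, as an added example written for this article (not Broadcom's guidance or PurpleOps code): parse permitted connections from firewall records and flag any that reach a vCenter management port from outside the approved admin subnets, calling out sources outside RFC 1918 space separately. The vCenter address, the admin subnet, the log format and the port set are assumptions; in particular, replace the port set with the listener list taken from the appliance itself.

```python
import ipaddress
import re

# Assumptions for the example: the vCenter Server address, the approved admin
# (jump-host) subnets, and the management ports to watch. Replace the port set
# with the listener list from the appliance (`ss -ltnp` on the VCSA): 443 is the
# vSphere Client/API, the others are vCenter RPC ports from the vendor's port list.
VCENTER_HOSTS = {ipaddress.ip_address("10.0.1.10")}
ADMIN_NETS = [ipaddress.ip_network("10.20.5.0/24")]
VCENTER_MGMT_PORTS = {443, 2012, 2014, 2020}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall records in a simple key=value form (not real logs).
CONSTRUCTED_LOG = [
    "2026-01-15T09:12:03Z src=10.20.5.17 dst=10.0.1.10 dport=443 proto=tcp action=allow",
    "2026-01-15T09:12:09Z src=10.30.8.44 dst=10.0.1.10 dport=2012 proto=tcp action=allow",
    "2026-01-15T09:12:11Z src=203.0.113.5 dst=10.0.1.10 dport=443 proto=tcp action=allow",
    "2026-01-15T09:12:15Z src=10.30.8.44 dst=10.0.1.10 dport=2014 proto=tcp action=deny",
    "2026-01-15T09:12:20Z src=10.30.8.44 dst=10.0.1.10 dport=8080 proto=tcp action=allow",
    "2026-01-15T09:12:31Z src=10.20.5.17 dst=10.0.1.22 dport=443 proto=tcp action=allow",
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")


def audit_vcenter_access(lines):
    """Return (line, reason) for each permitted TCP connection to a vCenter
    management port whose source is not in an approved admin subnet."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        src, dst, dport, proto, action = m.groups()
        if action != "allow" or proto != "tcp":
            continue  # denied traffic is the firewall doing its job
        if (ipaddress.ip_address(dst) not in VCENTER_HOSTS
                or int(dport) not in VCENTER_MGMT_PORTS):
            continue  # not vCenter, or not a management listener
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in ADMIN_NETS):
            continue  # approved administrative source
        if not any(src_ip in net for net in RFC1918):
            findings.append((line, "source outside RFC 1918 space"))
        else:
            findings.append((line, "internal source outside admin subnets"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_vcenter_access(CONSTRUCTED_LOG):
        print(f"{reason}: {line}")
```

Of the six constructed records, only two are findings: an internal host outside the admin subnet reaching an RPC port, and a non-private address reaching the vSphere API. The second is the one that should never appear at all; an unauthenticated DCE/RPC overflow is only as exposed as the listener is.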

Adversary Innovation: Konni and AI-Generated Malware

While Sandworm focuses on infrastructure disruption, other state-sponsored actors, such as the North Korean group Konni (also tracked as Opal Sleet or TA406), are refining their malware development processes using artificial intelligence. Recent campaigns targeting blockchain engineers in the Asia-Pacific region demonstrate the use of AI-generated PowerShell backdoors.

Check Point researchers found that the Konni malware carried markers characteristic of Large Language Model (LLM) output: comment-based documentation blocks, a neatly modular layout, and placeholder comments such as "# <- your permanent project UUID", the kind of note an AI assistant leaves to tell a human user where to fill in their own values. Such markers are evidence of assisted authoring, not of new capability; the practical implications are that a small team can produce and iterate on tooling faster, and that stylistic fingerprints of this kind may recur across a group's scripts and are worth hunting for.
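A heuristic triage scanner for those markers, as an added example written for this article (it is not Check Point's method and the script it inspects is not the Konni sample): it counts the traits the paragraph lists in a block of PowerShell text and reports how many distinct indicator types fired. The PowerShell is constructed to exhibit the traits and does nothing useful when run; the patterns and the "signals" total are assumptions for illustration, and a high total is a reason for an analyst to look, not proof of machine authorship.

```python
import re

# Constructed PowerShell text imitating the traits the article describes
# (comment-based help, modular functions, "fill me in" placeholders). It is
# not the Konni sample and performs no network or system action.
CONSTRUCTED_SCRIPT = r'''
<#
.SYNOPSIS
    Registers this host and polls for tasks on an interval.
.DESCRIPTION
    Modular helper layout: registration, polling, task dispatch.
#>
$ProjectId = "00000000-0000-0000-0000-000000000000"  # <- your permanent project UUID
$Endpoint  = "https://example.invalid/api"           # <- your server URL

function Register-Host {
    param([string]$Id)
    # Step 1: collect basic host identifiers
    return $env:COMPUTERNAME
}

function Invoke-TaskLoop {
    param([int]$IntervalSeconds = 60)
    # Step 2: poll for work
    return $IntervalSeconds
}
'''

# Each pattern is a weak signal on its own; the article's point is the
# co-occurrence of several in one script. Patterns are assumptions.
PATTERNS = {
    "placeholder_comments":   re.compile(r"#\s*<-\s*your\b", re.IGNORECASE),
    "template_uuids":         re.compile(r"\b0{8}-0{4}-0{4}-0{4}-0{12}\b"),
    "comment_help_blocks":    re.compile(r"<#\s*\.(SYNOPSIS|DESCRIPTION)", re.IGNORECASE),
    "numbered_step_comments": re.compile(r"#\s*Step\s+\d+", re.IGNORECASE),
    "functions":              re.compile(r"^\s*function\s+[\w-]+",
                                         re.IGNORECASE | re.MULTILINE),
}


def llm_artifact_indicators(script: str) -> dict:
    """Count each indicator and add a 'signals' total: the number of distinct
    indicator types that fired at least once."""
    counts = {name: len(rx.findall(script)) for name, rx in PATTERNS.items()}
    counts["signals"] = sum(1 for n in counts.values() if n > 0)
    return counts


if __name__ == "__main__":
    for name, n in llm_artifact_indicators(CONSTRUCTED_SCRIPT).items():
        print(f"{name}: {n}")
```

The placeholder comment is the strongest single indicator, because a script that was customised and then deployed usually has that comment edited out; finding it intact in a sample suggests the operator pasted generated code in with minimal review, which is itself a useful detail when profiling the group's tooling.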

BitLocker Recovery Keys and Cloud Escrow

A Guam court case involving a $2 million COVID-19 relief fraud investigation has put BitLocker recovery-key management in focus. Federal agents could not bypass BitLocker on the seized laptops, so they obtained the 48-digit recovery passwords from Microsoft under a search warrant. When a user sets up Windows with a Microsoft account, the recovery key is backed up to that account by default, and this cloud escrow means Microsoft holds a copy it can be legally compelled to produce. The encryption itself was not broken; the custody of the key was the weak point. Users and administrators should know where every recovery key is escrowed and who can retrieve it, and should treat that escrow location as part of the threat model.

The Shift Toward Post-Quantum Security

As the threat that quantum computing poses to today's public-key cryptography becomes more tangible, the Ethereum Foundation has established a dedicated Post-Quantum (PQ) team. The initiative aims to transition the Ethereum network to a post-quantum secure architecture by 2026. The strategy centers on LeanVM, a framework designed to replace the network's elliptic-curve cryptography (ECDSA over secp256k1 for account signatures and BLS signatures for validators), which Shor's algorithm on a sufficiently large quantum computer would break.

Technical Mitigation and Operational Action Points

Based on the current threat landscape, the following technical actions are necessary for organizational defense:

  • Immediate Patching of VMware vCenter: Update vCenter Server to a release that fixes CVE-2024-37079 and the related DCE/RPC flaws, and confirm that the installed build is the reissued fix for CVE-2024-38812, since Broadcom's first patch for it was incomplete.
  • Wiper Detection Logic: Load the DynoWiper SHA-1 into file-hash matching, but treat it as a floor; add behavioral rules for a single process writing or deleting large numbers of files across many directories within seconds, and for raw writes to disk devices or volume metadata.
  • Restrict vCenter's Management Surface: Allow connections to the vCenter management interfaces only from a dedicated administrative network, and alert on any connection to those listeners from anywhere else.
  • BitLocker Recovery-Key Custody: Decide deliberately where recovery keys are escrowed. If escrow in a Microsoft account is unacceptable, store them in a system you control (for fleets, Active Directory or a privileged-access vault) and keep a verified offline copy on hardware-encrypted media; a key deleted from the cloud with no other copy turns any TPM or boot-chain change into permanent data loss.
  • Network Segmentation: Isolate energy management systems (EMS) and other OT networks from the general corporate network so that a foothold on a workstation cannot be turned into lateral movement toward control systems.

Expertise and Security Services

The complexity of the Sandworm campaign and the rapid exploitation of critical vulnerabilities require a proactive security posture. PurpleOps provides specialized services designed to detect and mitigate the advanced threats identified in recent research.

To secure your environment against advanced persistent threats, explore the PurpleOps Platform or review our full range of Cybersecurity Services. Detailed monitoring for leaked assets is available through our Dark Web Monitoring solutions.

Frequently Asked Questions

What is DynoWiper?
DynoWiper is a destructive data-wiping malware attributed to the Sandworm APT group. It is designed to destroy file structures and render systems inoperable rather than encrypting them for ransom.

How does the VMware vCenter flaw (CVE-2024-37079) affect security?
It is a critical heap overflow vulnerability that allows remote code execution. Attackers can gain root access to vCenter Servers and take control of managed ESXi hosts.

How is AI being used in malware development?
State-sponsored groups like Konni appear to use Large Language Models (LLMs) to generate structured, modular PowerShell scripts, speeding up the creation of backdoors; the giveaway is LLM-style documentation and leftover placeholder comments in the delivered code.

Why is Ethereum moving to post-quantum security?
The Ethereum Foundation aims to protect the network against future quantum computers capable of breaking current elliptic-curve cryptography, ensuring long-term security for digital assets.