Poland officials confirm Russia was behind coordinated attempt to trigger nationwide blackout
- Marijan Hassan - Tech Journalist
Notorious ‘Sandworm’ unit targeted renewables and heating plants with new 'DynoWiper' malware during record cold.

Polish officials and security researchers have confirmed that Russia’s military intelligence agency (the GRU) was behind a massive, coordinated attempt to trigger a nationwide blackout in Poland during the final days of 2025. Described by Digital Affairs Minister Krzysztof Gawkowski as the "largest attack on energy infrastructure in years," the assault utilized a newly discovered data-wiping malware to target the communication systems between power plants and the national grid.
While the attack was successfully repelled, officials revealed on January 13, 2026, that the country came "very close" to a catastrophic failure that could have left over 500,000 people without heat or power in temperatures plummeting below -15°C.
The attack vector: Targeting the 'blinds'
Unlike previous attempts that focused on central transmission lines, this operation targeted the decentralized "edge" of the energy mix.
For the first time, hackers targeted the communication protocols of individual wind turbines and solar farms. By "blinding" operators to the output of these sources, which account for roughly 25% of Poland's energy, the goal was to trigger a frequency collapse.
The hackers also successfully breached systems at two combined heat-and-power (CHP) plants, aiming to cut off heating to residential sectors during the peak of winter.
Researchers at ESET noted the attack took place on December 29, exactly ten years after the same Russian unit caused the world's first malware-induced blackout in Ukraine.
'DynoWiper': A new weapon in the GRU arsenal
Technical analysis conducted by ESET Research attributed the attack with "medium-to-high confidence" to Sandworm (also known as APT28 or BlackEnergy), a notorious hacking unit linked to the GRU.
The primary weapon was a previously undocumented wiper malware codenamed "DynoWiper." Designed to delete or overwrite critical system files, DynoWiper was intended to render grid-management computers inoperable, making it impossible for human operators to stabilize the grid once the disruption began.
"Everything indicates we were dealing with Russian sabotage," Minister Gawkowski said. "This was an attempt to destabilize Poland using 'digital tanks' to cross our borders."
The 'anti-blackout' response
In response to the narrow escape, Prime Minister Donald Tusk announced a major acceleration of the "Anti-Blackout Package," a legislative and technical overhaul of Poland's energy security slated for 2026. Initiatives planned in the package include:
- Grid modernization: €14.2 billion investment in resilient, software-defined grid infrastructure.
- Edge protection: Mandatory cybersecurity certification for all private renewable hardware connected to the grid.
- Enhanced monitoring: Implementation of AI-driven anomaly detection at individual generating sources (PV farms/wind turbines).
- Resilience drills: Nationwide "Live-Fire" cyber exercises involving both public and private energy providers.
While Poland remains the most cyber-attacked nation in the European Union, officials stressed that the successful defense of the grid proves their institutions are "well-prepared" for the ongoing hybrid warfare from the East.













