2025 Poland Wiper Attacks

[2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063) is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between the affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, [DynoWiper](https://attack.mitre.org/software/S9038), a Windows-based wiper, and [LazyWiper](https://attack.mitre.org/software/S9039), a PowerShell wiper, both distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with the Russian Federal Security Service (FSB) threat activity group [Dragonfly](https://attack.mitre.org/groups/G0035), also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activity to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)

Start date: 1 March 2025
End date: 1 December 2025
Techniques: 53

Attributed actors

Techniques (53)

collection (6)
T1114.002 Remote Email Collection
T1602.002 Network Device Configuration Dump
T1530 Data from Cloud Storage
T1074.001 Local Data Staging
T1113 Screen Capture
T1560.001 Archive via Utility

command-and-control (5)
T1102.002 Bidirectional Communication
T1090 Proxy
T1105 Ingress Tool Transfer
T1571 Non-Standard Port
T1090.003 Multi-hop Proxy

credential-access (7)
T1110.002 Password Cracking
T1003.001 LSASS Memory
T1558 Steal or Forge Kerberos Tickets
T1003.002 Security Account Manager
T1555 Credentials from Password Stores
T1556.006 Multi-Factor Authentication
T1003.003 NTDS

defense-impairment (3)
T1484.001 Group Policy Modification
T1686.002 Network Device Firewall
T1556.006 Multi-Factor Authentication

discovery (5)
T1049 System Network Connections Discovery
T1046 Network Service Discovery
T1057 Process Discovery
T1083 File and Directory Discovery
T1016 System Network Configuration Discovery

execution (4)
T1059.003 Windows Command Shell
T1059.008 Network Device CLI
T1053 Scheduled Task/Job
T1059.004 Unix Shell

exfiltration (2)
T1567.004 Exfiltration Over Webhook
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol

impact (4)
T1529 System Shutdown/Reboot
T1485 Data Destruction
T1490 Inhibit System Recovery
T1495 Firmware Corruption

initial-access (3)
T1133 External Remote Services
T1078.004 Cloud Accounts
T1078.002 Domain Accounts

lateral-movement (3)
T1021.001 Remote Desktop Protocol
T1570 Lateral Tool Transfer
T1550.002 Pass the Hash

persistence (5)
T1053 Scheduled Task/Job
T1133 External Remote Services
T1078.004 Cloud Accounts
T1078.002 Domain Accounts
T1556.006 Multi-Factor Authentication

privilege-escalation (4)
T1053 Scheduled Task/Job
T1078.004 Cloud Accounts
T1484.001 Group Policy Modification
T1078.002 Domain Accounts

reconnaissance (1)
T1590.006 Network Security Appliances

resource-development (7)
T1587.001 Malware
T1584.008 Network Devices
T1584.003 Virtual Private Server
T1583.006 Web Services
T1588.007 Artificial Intelligence
T1584.001 Domains
T1608.002 Upload Tool

stealth (6)
T1036.005 Match Legitimate Resource Name or Location
T1140 Deobfuscate/Decode Files or Information
T1006 Direct Volume Access
T1078.004 Cloud Accounts
T1078.002 Domain Accounts
T1027.013 Encrypted/Encoded File

Indicators of compromise

No IOCs linked to this campaign yet.