When Sandworm Tried to Kill the Lights in Poland: Why the NCSC Is Warning UK Businesses Right Now

Pull up a chair, you might need a stiff drink, while I tell you a story.

It starts in the dead of winter. Poland, 29th of December 2025. The country is buried under snowstorms and sub-zero temperatures. Families are huddled in their homes. Nearly half a million households are depending on a single combined heat and power plant to keep their heating running and their pipes from freezing over the New Year.

Somewhere deep inside that plant's network, something is waiting.

It has been there for nine months. Since March. Quietly mapping every server. Stealing every credential. Learning exactly how the plant works: which systems control the heat, which accounts have the keys to the kingdom, which pathways lead from the corporate network into the operational heart of the facility.

The intruder is not a criminal gang looking for a payday. It is Unit 74455 of Russia's GRU military intelligence: the group the cybersecurity world knows as Sandworm. The most destructive state-sponsored hacking operation on the planet.

And December 29th is the day they have chosen to burn it all down.

The Morning Everything Changed

In the early hours of 29 December, across Poland's countryside, the attack begins.

It hits everywhere at once. More than 30 wind farms and solar installations are targeted simultaneously. Not the turbines themselves, but something far more dangerous: the power substations. These are the critical junction points where renewable energy feeds into Poland's national distribution grid. Each one contains RTU controllers that monitor and manage substation operations, HMI screens that let operators see what is happening, protection relays that guard against electrical faults, and the communication equipment that ties it all together.

The attackers have already been inside these systems. They have already done their reconnaissance. Now they execute a partially automated plan of destruction: damaging controller firmware, deleting system files, and deploying custom-built wiper malware designed to destroy everything it touches.

One by one, the substations go dark. Not the power itself, the electricity keeps flowing, but the operators' ability to see it, control it, or manage it vanishes. Thirty-plus renewable energy installations suddenly become invisible to the people responsible for balancing Poland's national grid. During a snowstorm. On a bank holiday weekend.

In grid operations, losing visibility is not an inconvenience. It is the beginning of a catastrophe.

The Weapon: DynoWiper

The malware deployed that morning had never been seen before.

ESET, the security firm that later analysed it, named it DynoWiper. Understanding what it does is important, because it tells you everything about the attackers' intentions.

Ransomware encrypts your files and demands payment. There is a negotiation. There is a key. There is, at least theoretically, a way back.

DynoWiper is not ransomware. It overwrites your files with randomly generated garbage data, then forces the system to reboot to finish the job. There is no decryption key. There is no ransom note. There is no negotiation. Your data is simply, permanently, irreversibly gone.

CERT Polska, Poland's national cyber emergency response team, used a word in their official incident report that I have never seen in a government technical document before: arson. Digital arson. Deliberately timed to cause maximum human suffering during a period of extreme cold.

Nine Months Inside the Walls

Back at the CHP plant, the story gets worse.

CERT Polska's forensic investigation revealed that the attackers first broke into the plant's network in March 2025. For nine months, while the plant's staff went about their daily work, while managers attended meetings and engineers ran maintenance schedules, a unit of Russian military intelligence was living inside their systems.

They were not idle. They spent those nine months conducting reconnaissance, exfiltrating sensitive information about how the facility operated, and systematically compromising privileged accounts. By December, they could move freely through the plant's entire infrastructure. They owned it. The people who actually worked there just did not know it yet.

When the order came on 29 December, the attackers launched DynoWiper across the plant's internal network. The objective: irreversibly destroy every piece of data on every device they could reach. Kill the systems that controlled heat delivery to half a million people. In a snowstorm. Just before New Year.

And then something remarkable happened.

The plant's EDR software caught it.

One security product, doing exactly what it was designed to do, detected DynoWiper's execution and blocked it before it could complete its mission of destruction. One defensive layer. That was all that stood between "incident report" and "national emergency."

Poland's Digital Affairs Minister Krzysztof Gawkowski said the attack came "very close to a blackout." Prime Minister Donald Tusk confirmed that critical infrastructure was ultimately not threatened, but made clear: that was not because the attack was unsophisticated. It was because one defensive measure held.

Think about that for a moment. A nine-month operation by one of the world's most capable military hacking units, targeting a NATO ally's power grid during the worst possible weather conditions, was stopped by a single piece of endpoint detection software. If that EDR had been misconfigured, out of date, or simply not installed, this would be a very different story.

The Front Door Was Wide Open

Now here is the part that should make you properly angry.

How did Russia's military intelligence get into systems protecting a NATO ally's national power grid? Through some brilliant zero-day exploit? Through quantum computing or AI-powered attack tools?

No.

They walked in through Fortinet FortiGate VPN endpoints that were exposed to the public internet without multi-factor authentication.

I need you to sit with that for a moment. Critical national infrastructure. A power grid serving hundreds of thousands of people. Protected by VPN endpoints that anyone could reach from the internet, secured with nothing more than a username and a password.

CERT Polska confirmed that in every affected facility, the Fortinet devices served as both VPN concentrators and firewalls, and in every case the VPN interface had been left exposed with authentication enabled to local accounts without MFA.

Not a supply chain compromise. Not an insider threat. Not some exotic attack vector that only nation-states can exploit. A missing tick-box on a configuration screen. That is what gave the GRU their way in.

CISA's alert, published today, did not mince words: the attack highlighted the threats from vulnerable edge devices to operational technology and industrial control systems. Last week, CISA issued a binding operational directive ordering US federal agencies to strip unsupported edge devices from their networks entirely. They can see where this is heading. Can you?

Sandworm: A Decade of Destruction

For those who do not follow threat intelligence, some context on who we are dealing with.

Sandworm is not a criminal gang. It is not hacktivists with a grudge. It is a dedicated military unit within Russia's GRU, designated Unit 74455, with a decade-long track record of the most destructive cyber operations ever attributed to a nation-state.

December 2015: Sandworm knocked out Ukraine's power grid using BlackEnergy malware, leaving 230,000 people without electricity for up to six hours. It was the first confirmed cyber attack to cause a power blackout.

June 2017: Sandworm deployed NotPetya, a wiper disguised as ransomware that spread globally and caused an estimated $10 billion in damage. Maersk, the world's largest shipping company, lost $300 million alone. FedEx lost $400 million. Merck lost $870 million. Companies that had nothing to do with Ukraine were devastated because the malware spread through supply chain connections.

2022 onwards: Following Russia's invasion of Ukraine, Sandworm launched relentless destructive operations against Ukrainian critical infrastructure. ESET investigated more than 10 destructive malware incidents attributed to Sandworm in 2025 alone, almost all targeting Ukraine.

The Poland attack fell almost exactly on the tenth anniversary of that first Ukrainian grid attack. That timing was not coincidental. And ESET's attribution to Sandworm, based on strong code-level overlaps between DynoWiper and the ZOV wiper deployed against Ukrainian targets, carries medium confidence: not definitive, but serious enough that both the NCSC and CISA are treating it as a credible escalation.

CERT Polska's own analysis identified significant infrastructure overlap with the threat cluster known as Static Tundra (Cisco), Berserk Bear (CrowdStrike), Ghost Blizzard (Microsoft), and Dragonfly (Symantec). Critically, this is the first publicly documented destructive operation ever attributed to this particular cluster. They have been watching energy companies for years. Now they have started trying to destroy them.

The NCSC Warning: "Act Now"

The response from the UK's National Cyber Security Centre was not wrapped in diplomatic language.

Jonathon Ellison, NCSC director for national resilience, stated that operators of UK critical national infrastructure "must not only take note but, as we have said before, act now."

He pointed organisations to the NCSC's Cyber Assessment Framework and newly published guidance on preparing for severe cyber threats. His words were stark: "These actions require careful preparation and forethought; they cannot be improvised under pressure."

The UK's Cyber Security and Resilience Bill is currently progressing through Parliament after its Second Reading in the House of Commons. It contains measures to strengthen the regulatory framework for critical infrastructure operators, datacentres, and utilities. But legislation moves slowly, and Sandworm, clearly, does not.

Why This Changes Everything

Dragos, the industrial cybersecurity firm that specialises in operational technology, called this attack a watershed moment. Their analysis described it as the first major cyber attack targeting distributed energy resources: the smaller wind, solar, and CHP facilities being connected to grids worldwide.

Previous grid attacks in Ukraine targeted big, centralised power stations. This was different. This went after the distributed edge of the grid, where dozens of smaller installations connect through remote monitoring systems that are more numerous, require extensive remote connectivity, and critically, often receive far less cybersecurity investment than traditional centralised power infrastructure.

Poland's Energy Minister Miłosz Motyka called it "the largest attack on energy infrastructure in years." His country had not seen anything like it before. He expects it to happen again.

Now think about the UK. Thousands of distributed wind and solar installations are connecting to the national grid right now, through exactly the same types of remote monitoring and control systems that were targeted in Poland and protected by exactly the same types of edge devices. Managed with exactly the same budget constraints and staffing challenges.

If Sandworm can do this to Poland, they can do it here. And the NCSC just told you so.

How to Turn This Into a Competitive Advantage

If your business operates in or supplies to the energy sector, utilities, or any critical infrastructure supply chain, this incident just handed you a serious commercial opportunity.

Demonstrate security maturity to win contracts. Energy companies and utilities will be reviewing their supply chain security requirements following the NCSC warning. If you can demonstrate a robust security posture, particularly around edge device management and MFA enforcement, you have a tangible advantage over competitors who cannot.

Use the NCSC's Cyber Assessment Framework proactively. Do not wait for a customer or regulator to ask. Assess yourself against the CAF and present the results as part of your proposals. "We have assessed ourselves against the NCSC's framework for critical infrastructure protection" carries more weight than any glossy security brochure ever printed.

Make MFA your headline. The attackers got in through VPN endpoints without MFA. If your remote access has MFA enforced everywhere, say so loudly. If your competitors have not done it, that is their problem and your opportunity.

Get your Cyber Essentials certification current. With v3.3 requirements landing in April 2026, getting certified now shows forward-looking security commitment. For energy sector supply chains, this is moving from "nice to have" to "required to tender."

How to Sell This to Your Board

Need budget approval for edge device security, MFA rollout, or OT network segmentation? This story gives you everything you need in one meeting.

The financial case: Poland's attack was thwarted, but NotPetya, deployed by the same group, caused $10 billion in global damage. Maersk alone lost $300 million. The cost of MFA and proper edge device hardening is a rounding error compared to what a successful wiper attack costs.

The regulatory case: The UK Cyber Security and Resilience Bill is in Parliament right now. The NCSC director has publicly told UK CNI operators to act. Being ahead of regulatory requirements is always cheaper than being forced to comply after an incident.

The insurance case: Cyber insurers are increasingly requiring evidence of MFA on all remote access as a condition of cover. A claim after a breach through an unprotected VPN endpoint will be contested at best, flatly denied at worst.

The competitive case: Your customers are reading the same NCSC warnings you are. The supplier that can demonstrate robust security controls wins the contract. The one that cannot, loses it. It really is that simple.

What This Means for Your Business

Audit every internet-facing device. Today. If you have Fortinet, Cisco, or any other edge device with a VPN interface exposed to the internet, verify that MFA is enforced on every single account. No exceptions. No "we'll get to it next quarter." Poland's power grid was compromised because someone did not do this.
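As an added illustration (not tooling from CERT Polska, Fortinet or this site), here is a small Python audit of a FortiGate CLI export for exactly the gap described above: local accounts with no second factor, plus the interfaces the SSL-VPN portal is bound to. The sample export is constructed, and the FortiOS stanza names (`config user local`, `set two-factor`, `set source-interface`) are assumed from my reading of the CLI syntax; check them against your own firmware's export before relying on the parser.

```python
import re

# Constructed sample FortiGate CLI export (not from any real device).
SAMPLE_CONFIG = """\
config user local
    edit "ops-admin"
        set type password
        set two-factor disable
    next
    edit "field-eng"
        set type password
        set two-factor fortitoken
    next
    edit "vendor-remote"
        set type password
    next
end
config vpn ssl settings
    set source-interface "wan1" "wan2"
end
"""

def _section(config: str, name: str) -> str:
    """Body of the top-level 'config <name>' ... 'end' stanza, or '' if absent."""
    m = re.search(rf"^config {re.escape(name)}\n(.*?)^end", config, re.S | re.M)
    return m.group(1) if m else ""

def parse_local_users(config: str) -> dict:
    """Map each 'config user local' account to its two-factor value (None if unset)."""
    users = {}
    body = _section(config, "user local")
    for edit in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', body, re.S):
        tf = re.search(r"set two-factor (\S+)", edit.group(2))
        users[edit.group(1)] = tf.group(1) if tf else None
    return users

def users_without_mfa(config: str) -> list:
    """Local accounts that would reach the VPN with a username and password alone."""
    return sorted(u for u, tf in parse_local_users(config).items()
                  if tf in (None, "disable"))

def ssl_vpn_source_interfaces(config: str) -> list:
    """Interfaces the SSL-VPN portal listens on (assumed key: set source-interface)."""
    line = re.search(r"set source-interface (.+)", _section(config, "vpn ssl settings"))
    return re.findall(r'"([^"]+)"', line.group(1)) if line else []

def audit(config: str) -> dict:
    """Summarise the two findings CERT Polska tied to the intrusion."""
    return {"vpn_interfaces": ssl_vpn_source_interfaces(config),
            "accounts_without_mfa": users_without_mfa(config)}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Accounts that authenticate against LDAP or RADIUS rather than locally are not covered by this check; the same question has to be asked of that backend.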

Segment your networks. If your business operates any industrial control systems, building management systems, or connected operational equipment, it must be on a separate network segment from your corporate IT. The attackers in Poland moved from IT access to OT destruction because nothing was in their way.

Deploy EDR on everything you own. The CHP plant was saved by its EDR software catching DynoWiper. That single defensive layer was the difference between "incident report" and "national emergency." If your endpoints are not running modern EDR, you are betting your business on luck.

Test your backups. Actually test them. Wiper malware destroys data permanently. Your backups need to be tested, isolated from your production network, and verified to actually restore a working system. When was the last time you tried?

Read the NCSC's severe cyber threat guidance. They published it for a reason. It applies to organisations of every size, not just the big players. If you are in a supply chain that touches critical infrastructure, this guidance was written with you in mind.

The lights stayed on in Poland. Barely. One piece of software, working correctly, on one network, stopped a Russian military intelligence unit from plunging half a million people into freezing darkness.

Next time, in the next country, that software might not be there.

Make sure yours is.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com