Cyberattack Targeting Poland’s Energy Grid Used a Wiper

A cyberattack that targeted power plants and other energy producers in Poland at the end of December used malware known as a “wiper,” intended to erase computers, in an operation meant to cause a power outage and other disruption to services, says European security firm ESET, which obtained a copy of the malware used in the attack.

Wipers are designed to delete or overwrite critical files on a computer in order to render them inoperable. They have been used extensively by Russia against targets in Ukraine before and during its current war with that country.

Robert Lipovsky, principal threat intelligence researcher for the Slovakian firm, whose team has examined the malware – which they're calling DynoWiper – says the operation is “unprecedented” in Poland, since past cyberattacks targeting that country were not disruptive in nature or intent.

“Pulling off a disruptive cyberattack against the Polish energy sector is a big deal,” he told Zero Day.

Although the attack was thwarted, Polish authorities have stated that if successful it could have taken out power to 500,000 people in Poland. Polish officials haven't revealed how the hackers pulled off the attack or how officials determined the intent was to be disruptive or destructive, but the use of a wiper supports a conclusion that this was the intent of the attack.

Officials there have attributed the attack to Russia, and Lipovsky says his team concurs. Although they are still assessing the code, they attribute it “with medium confidence” to Sandworm, based on the tactics and techniques used and their similarity to other wiper incidents orchestrated by Sandworm in Ukraine.

Sandworm is a destructive hacking team connected to the GRU, Russia’s military intelligence agency, which was responsible for the so-called Black Energy attacks that struck Ukraine a decade ago.

The attacks against Poland occurred on December 29 and 30, almost ten years to the day after Sandworm conducted a series of cyberattacks against Ukraine’s energy infrastructure in 2015 and took out power to 250,000 residents around Kyiv. A similar but potentially more harmful attack struck Ukraine’s energy infrastructure again in 2016.

The attack against Poland targeted several entities that were part of Poland’s energy generator and distribution infrastructure — that is, entities that produce energy and distribute it throughout the country to end users.

The targets included two heat-and-power plants and a system for managing electricity generated from renewable sources such as wind turbines and solar farms, according to Polish authorities.

Authorities have said the attack was caught before it could cause any harm, and Lipovsky confirms that his team has seen no evidence that the attack had an impact.

He says, however, that "this specific type of attack looks [like it could have been] substantial” had it succeeded.

News of the thwarted attack broke only last week, when Polish government ministers met to discuss it and held a press conference afterward. Poland Prime Minister Donald Tusk said at the time that Poland had successfully defended itself from the breach, and there was no blackout.

“At no point was critical infrastructure threatened, meaning the transmission networks and everything that determines the safety of the entire system,” the Prime Minister said. “Everything indicates that these attacks were prepared by groups directly linked to the Russian services.”