In the final days of December 2025, while much of the world was looking toward the new year, a sophisticated cyber offensive targeted Poland’s power grid. This wasn’t a standard attempt at data exfiltration or a “smash and grab” ransomware attack; it was a calculated strike using a newly discovered wiper malware dubbed DynoWiper.
Attributed by security researchers to the notorious Sandworm group (APT44), the attack hit two combined heat and power plants and renewable energy management systems. While Polish authorities successfully thwarted a total blackout, the technical evolution of the tools used sends a clear message to the global industrial sector: the attack objective has shifted from stealing data to breaking hardware.
Why is DynoWiper different?
DynoWiper represents a significant technical leap in Operational Technology (OT) threats. Unlike previous iterations that focused on deleting files or encrypting hard drives, this malware is designed to target the very configurations that allow industrial equipment to communicate.
Permanent Configuration Damage: By overwriting Master Boot Records (MBR) and specific industrial control system (ICS) processes, DynoWiper aims to leave equipment as unusable “bricks.”
Protocol-Specific Sabotage: It doesn’t just delete; it targets the specific protocols used in power distribution, making the hardware incapable of receiving instructions from human operators.
The “Recovery-Proof” Nature: When hardware configurations are destroyed at a firmware or deep-system level, a simple “restore from backup” is impossible. The cost of recovery shifts from hours of IT labour to the millions required for physical equipment replacement.
Why do attacks on OT matter more now than ever?
The Poland incident is a near-miss that highlights a critical vulnerability in global infrastructure. For decades, the focus has been on Information Technology (IT): protecting emails, databases, and customer records. But in critical infrastructure, Operational Technology (OT) is where the physical world meets the digital.
When a wiper hits a factory floor or a power plant, the damage isn’t just digital. We are seeing the rise of attacks that leave equipment beyond repair without a single shot being fired. This creates a recovery-proof scenario where the time-to-restore isn’t dictated by data transfer speeds, but by global supply chain lead times for specialised industrial components.
How does the industrial sector boost resilience?
At Mondas, we believe the narrative needs to shift from prevention to resilience. In a landscape where state-sponsored actors are “pre-positioning” within networks months before an attack, the assumption has to be that a breach is possible, even probable. To combat threats like DynoWiper, organisations need to adopt a high-maturity security posture built on three pillars:
1. Zero Trust for Industrial Environments
The old model of “protecting the perimeter” is obsolete. In OT, every command needs to be verified. This means micro-segmenting machine networks so that a compromise in a renewable energy management system cannot move laterally to a turbine controller.
2. AI-Driven Anomaly Detection
Malware like DynoWiper often uses “Living-off-the-Land” (LotL) techniques, i.e. using legitimate system tools to perform malicious acts. Human operators can’t monitor these nuances in real time. We leverage AI-powered SOC (Security Operations Centre) tooling to baseline normal Modbus or EtherNet/IP traffic, flagging a “programming write” command the millisecond it occurs outside of a maintenance window.
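As an added illustration of the baselining described above (example code written for this article, not Mondas tooling): a small Python detector that parses Modbus/TCP frames and alerts when a state-changing write function code arrives from a host outside the learned baseline, or inside the baseline but outside the approved maintenance window. The capture, host addresses, baseline and window are constructed assumptions; the function codes are the standard Modbus values.

```python
# Added example: flag Modbus/TCP write commands outside a maintenance window or
# from an unbaselined host. All traffic, hosts and windows below are constructed.
from datetime import datetime, time

# Function codes that change PLC state (write coil/register, single or multiple,
# mask write, read/write multiple). Reads and diagnostics are left alone.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame.
    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); the PDU that follows starts with the function code."""
    if len(frame) < 8 or frame[2:4] != b"\x00\x00":
        raise ValueError("not a Modbus/TCP frame")
    return frame[6], frame[7]

def in_window(ts: datetime, windows) -> bool:
    """windows: (start, end) local times during which writes are approved."""
    return any(start <= ts.time() <= end for start, end in windows)

def detect(frames, baseline, windows):
    """frames: (timestamp, src_ip, raw_frame) tuples from a TAP/SPAN capture.
    baseline: {(src_ip, unit_id)} pairs allowed to write at all (assumed to be
    learned from the approved engineering-workstation list).
    Returns (timestamp, src_ip, unit_id, function_code, reason) per alert."""
    alerts = []
    for ts, src, raw in frames:
        unit, fc = parse_mbap(raw)
        if fc not in WRITE_FUNCTION_CODES:
            continue                     # routine poll, e.g. 0x03 read registers
        if (src, unit) not in baseline:
            alerts.append((ts, src, unit, fc, "write from unbaselined host"))
        elif not in_window(ts, windows):
            alerts.append((ts, src, unit, fc, "write outside maintenance window"))
    return alerts

# Constructed sample capture: an HMI polling registers, an engineering
# workstation writing inside its window, then the same write at 02:10.
MAINTENANCE = [(time(9, 0), time(11, 0))]
BASELINE = {("10.20.1.50", 1)}          # engineering workstation -> PLC unit 1
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000A")           # FC 0x03
WRITE_HR = bytes.fromhex("0002 0000 0009 01 10 0000 0001 02 0001")  # FC 0x10
SAMPLE = [
    (datetime(2026, 1, 8, 9, 30), "10.20.1.50", WRITE_HR),  # approved write
    (datetime(2026, 1, 8, 2, 10), "10.20.1.50", WRITE_HR),  # off-hours write
    (datetime(2026, 1, 8, 2, 11), "10.20.1.77", WRITE_HR),  # unknown host
    (datetime(2026, 1, 8, 2, 12), "10.20.1.10", READ_HR),   # normal HMI poll
]
def run_sample():
    return detect(SAMPLE, BASELINE, MAINTENANCE)
```

Running `run_sample()` yields two alerts: the off-hours write from the baselined workstation and the write from the unknown host; the in-window write and the HMI read poll pass silently.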
3. Immutable and Offline Backups
If the malware targets the boot records and system files, your backups must be “out of reach.” High-level resilience requires immutable, air-gapped backups and, perhaps more importantly, rehearsed restoration procedures. If you haven’t tested a restore of a PLC (Programmable Logic Controller) from a “golden image” in the last quarter, you are at risk.
Conclusion: DynoWiper is a critical warning
The attack in Poland was a victory for the defenders, but it was also a warning. The cost of cyber warfare is no longer measured solely in Bitcoin or lost data; it’s measured in the physical destruction of the world’s most critical assets.
As we navigate 2026, the question for leadership is no longer “Are we secure?” but “How quickly can we rebuild if the hardware itself is destroyed?” Thought leadership in this space requires moving beyond the software layer and securing the very physical fabric of our modern world.
This article was brought to you by Lance Nevill, Director of Cyber Security here at Mondas. If you’d like to discuss any of the issues in this article, learn more about how Mondas supports the energy sector, or just want to chat through your overall security posture with Lance, get in touch.