On Friday, researchers revealed that Poland's electric grid was the target of a cyberattack involving wiper malware, which is suspected to have been launched by Russian state hackers. The attack, which occurred in the last week of December, aimed to disrupt communication between renewable energy installations and power distribution operators, according to a report from Reuters. However, the attempt was unsuccessful, although specific reasons for the failure were not provided.
Wiper Malware Identified
Security firm ESET announced that the malware involved in the attack was a wiper, designed to permanently erase code and data on servers with the aim of destroying the target's operations outright. After examining the tactics, techniques, and procedures (TTPs) used, ESET researchers suggested that the wiper malware was likely developed by a Russian government-affiliated group known as Sandworm. Researchers stated, "Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activities we analyzed." Additionally, ESET noted, "We’re not aware of any successful disruption occurring as a result of this attack."
Sandworm’s Background
Sandworm has a history of carrying out destructive cyberattacks on behalf of the Kremlin, targeting adversaries across the globe. One of its most notorious attacks occurred in Ukraine in December 2015, which left around 230,000 people without power for about six hours during harsh winter conditions. The hackers used general-purpose malware called BlackEnergy to infiltrate the supervisory control and data acquisition (SCADA) systems of power companies, then abused those systems' legitimate functions to halt electricity distribution. This incident was the first known case of a malware-facilitated blackout.