Winter in Eastern Europe is not just a season; it’s a damage multiplier. As my colleague Miguel Jorge described well, what is emerging in the region is a ruthless reality dubbed “thermal terror.” In this scenario, extreme cold becomes a weapon of war designed to make civil infrastructure – heating, electricity, water – the cruelest target. The ultimate goal is not only to destroy military capacity, but to make daily life physically unviable.
Under this logic of making daily life unviable to wear down the population, the Kremlin’s most feared cyberespionage group has decided to cross a dangerous border.
500,000 homes in the spotlight. As Poland prepared for the holidays, its security systems detected what Energy Minister Milosz Motyka called the “strongest attack on Polish energy infrastructure in years,” Reuters reported.
The sabotage occurred on December 29 and 30 and was surgical. The targets were not chosen at random: the attack went after two cogeneration plants and the systems that connect renewable energy facilities, such as wind farms, to power grid operators. In other words, it aimed directly at the key nodes through which energy reaches homes.
Local media reported the statements of Prime Minister Donald Tusk, who put figures on the risk: if the attack had been successful, half a million people would have been left without heat in the middle of winter. Fortunately, as the Polish Government’s press release details, the defenses worked. “At no time was critical infrastructure threatened,” said Tusk, although the incident has been treated with the utmost seriousness, mobilizing the special services to their full capacity.
Sandworm’s signature. The attack took on an international dimension when the cybersecurity firm ESET announced the discovery of the weapon used: a destructive malware called DynoWiper. As reported by TechCrunch, ESET attributed this operation with “medium confidence” to the Sandworm group, an elite unit within the Russian military intelligence agency (GRU). The choice of dates does not seem coincidental. As investigative journalist Kim Zetter points out, this attempted blackout in Poland occurred almost exactly ten years after the first Sandworm cyberattack against Ukraine’s power grid in 2015, which left 230,000 homes in the dark.
For experts, the use of a wiper on Polish soil is an unprecedented event, as it marks Russia’s move from simple espionage to destructive sabotage against a NATO member. Nor is this an isolated episode: since the start of the war in Ukraine, Poland has suffered a sustained increase in cyberattacks attributed to Russian actors. However, according to the Ministry of Energy itself, the December attempt was a turning point both for its intensity and its objective: it was no longer about probing defenses, but rather about causing a real blackout.
Anatomy of the attack. To understand the seriousness of the issue, it is necessary to break down the technology used. Unlike common ransomware, a wiper is software designed exclusively to destroy. Its objective is not to ask for a ransom, but rather to permanently delete the information and render the equipment unusable.
In this case, the attackers went directly after the industrial control systems (ICS), since these are what allow electricity companies to regulate supply and monitor the network. Sandworm sought to break communication between renewable energy sources and distribution operators. When these nodes are attacked, the technicians’ margin of action is minimal because the failures propagate in a chain.
A conflict that expands. The Polish Prime Minister directly linked this attack to his country’s support for Ukraine. “We sell electricity there and, in critical situations, we receive it from them,” Tusk explained. Attacking the Polish network is, by extension, attacking Ukraine’s energy rear.
This Russian aggressiveness is not new for Western intelligence services. In fact, the United States government maintains a $10 million reward for information on six GRU officers belonging to Sandworm, responsible for global attacks such as NotPetya, which caused losses of $1 billion. According to Microsoft, Sandworm (which the company calls Iridium) has launched nearly 40 destructive attacks against critical infrastructure since the beginning of the invasion of Ukraine, seeking to degrade not only military capacity but also the population’s trust in its leaders.
From NATO’s point of view, attempted sabotage does not automatically activate collective defense mechanisms, but it does reinforce disturbing evidence: hybrid warfare makes it possible to strain the European system without formally crossing the red lines of an armed conflict. The next frontier is no longer territorial, but digital.
Faced with the growing threat. The Polish Government is finalizing the Law on the National Cybersecurity System, a regulation that seeks the “autonomy and polonization” of security systems to reduce dependence on devices that facilitate foreign interference, according to official information.
However, December’s failed sabotage is a reminder that in modern warfare, the front lines are on power plant servers. While in the trenches of Ukraine soldiers try to hide their thermal trace from drones, in cities like Warsaw or Krakow the battle is being fought so that the simple act of turning on the heating does not become an impossible luxury.
For now, Poland has won this defensive battle, even achieving a historical record of energy production a few days after the attack. However, Sandworm’s shadow is still long. The hackers’ message is clear: “If we can’t turn off the light, at least we can scare you.” The war for control of the European switch has only just begun.
