Winter in Eastern Europe is not just a season; it’s a damage multiplier. As my colleague Miguel Jorge described well, what is emerging in the region is a ruthless reality dubbed “thermal terror.” In this scenario, extreme cold becomes a weapon of war designed to make civil infrastructure – heating, electricity, water – the cruelest target. The ultimate goal is not only to destroy military capacity, but to make daily life physically unviable.
Under this logic of making daily life unviable to wear down the population, the Kremlin’s most feared cyberespionage group has decided to cross a dangerous border.
500,000 homes in the spotlight. As Poland prepared for the holidays, its security systems detected what Energy Minister Milosz Motyka called the “strongest attack against Polish energy infrastructure in years,” as reported by Reuters.
The sabotage occurred on December 29 and 30 and was surgical. The targets were not chosen at random: the attack was aimed at two cogeneration plants and at systems that connect renewable energy facilities, such as wind farms, to power grid operators. In other words, it went directly for the key nodes that get energy to homes.
Local media collected the statements from Prime Minister Donald Tusk, who put figures on the risk: if the attack had been successful, half a million people would have been left without heat in the middle of winter. Fortunately, as detailed in the Polish Government’s press release, the defenses worked. “At no time was critical infrastructure threatened,” said Tusk, although the incident has been treated with the utmost seriousness, mobilizing the special services to their full capacity.
Sandworm’s signature. The attack took on an international dimension when the cybersecurity firm ESET announced the discovery of the weapon used: a destructive malware called DynoWiper. As reported by TechCrunch, ESET attributed this operation with “medium confidence” to the Sandworm group, an elite unit within the Russian military intelligence agency (GRU). The choice of dates does not seem coincidental. As investigative journalist Kim Zetter points out, this attempted blackout in Poland came almost exactly ten years after the first Sandworm cyberattack against Ukraine’s power grid in 2015, which left 230,000 homes in the dark.
For experts, the use of a wiper on Polish soil is an unprecedented event, as it marks Russia’s move from simple espionage to destructive sabotage against a NATO member. Furthermore, this is not an isolated episode: since the beginning of the war in Ukraine, Poland has seen a sustained increase in cyberattacks attributed to Russian actors. Nevertheless, according to the Ministry of Energy itself, the December attempt was a turning point both in its intensity and in its objective: it was no longer about probing defenses, but rather about causing a real blackout.
Anatomy of the attack. To understand the seriousness of the issue, it is necessary to break down the technology used. Unlike common ransomware, a wiper is software designed exclusively to destroy. Its goal is not to ask for a ransom, but to permanently delete information and leave equipment unusable.
In this case, the attackers went directly for the industrial control systems (ICS), since these are the systems that allow electric companies to regulate the supply and monitor the network. In doing so, Sandworm sought to break communication between renewable energy sources and distribution operators. When these nodes are attacked, the technicians’ margin for action is minimal because the failures propagate in a chain.
A conflict that expands. The Polish Prime Minister directly linked this attack to his country’s support for Ukraine. “We sell electricity there and, in critical situations, we receive it from them,” Tusk explained. Attacking the Polish network is, by extension, attacking Ukraine’s energy rearguard.
This Russian aggressiveness is not new for Western intelligence services. In fact, the United States government maintains a reward of 10 million dollars for information about six GRU officers belonging to Sandworm, responsible for global attacks such as NotPetya, which caused losses of 1 billion dollars. According to Microsoft, Sandworm, which it calls Iridium, has launched nearly 40 destructive attacks against critical infrastructure since the beginning of the invasion of Ukraine, seeking to degrade not only military capacity, but the population’s trust in its leaders.
From NATO’s point of view, attempted sabotage does not automatically activate collective defense mechanisms, but it does reinforce disturbing evidence: hybrid warfare makes it possible to strain the European system without formally crossing the red lines of an armed conflict. The next frontier is no longer territorial, but digital.
Faced with the growing threat. The Polish Government is finalizing the Law on the National Cybersecurity System, a regulation that seeks the “autonomy and polonization” of security systems to reduce dependence on devices that facilitate foreign interference, according to official information.
However, December’s failed sabotage is a reminder that in modern warfare, the front lines are on power plant servers. While in the trenches of Ukraine soldiers try to hide their thermal trace from drones, in cities like Warsaw or Krakow the battle is being fought so that the simple act of turning on the heating does not become an impossible luxury.
For now, Poland has won this defensive battle, even achieving a historical record of energy production a few days after the attack. However, Sandworm’s shadow is still long. The hackers’ message is clear: “If we can’t turn off the light, at least we can scare you.” The war for control of the European switch has only just begun.
