Sandworm's DynoWiper Attack on Poland's Power Grid
BLUF
On January 23–25, 2026, the Russia-linked Sandworm APT targeted the Polish power grid with a new wiper malware called DynoWiper, timed to the 10th anniversary of the first malware-induced blackout (the December 2015 attack on Ukrainian electricity distribution companies, also attributed to Sandworm).
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by destructive wiper malware targeting operational technology and supporting IT environments in the energy sector, the financial impact is driven less by data theft and more by irreversible system loss, prolonged outages, and recovery complexity.
· Low-end total cost: $8M – $15M
o (limited spread, rapid isolation, strong offline backups intact)
· Typical expected range: $18M – $35M
o (multi-site IT impact, partial OT disruption, staged restoration)
· Upper-bound realistic scenarios: $45M – $75M
o (extended outages, hardware replacement, regulatory scrutiny escalation)
Key Cost Drivers
· Duration of operational downtime (hours vs. multi-day outages)
· Extent of irreversible system destruction requiring rebuilds
· Availability and integrity of offline backups and golden images
· Regulatory response intensity for critical infrastructure incidents
· Need for physical equipment replacement alongside IT recovery
Targeted Sectors
· Critical Infrastructure (Energy/Power Grid)
Countries
· Poland
Date of First Reported Activity
· January 23, 2026
Date of Last Reported Activity Update
· January 26, 2026
APT Names
· Sandworm
o BlackEnergy
o UAC-0082
o Iron Viking
o Voodoo Bear
o TeleBots
o APT44
o Seashell Blizzard
Associated Criminal Organization Names
· Unit 74455 of the Russian GRU.
TTPs
Impact and Destruction
· T1561 Disk Wipe (T1561.001 Disk Content Wipe, T1561.002 Disk Structure Wipe)
o DynoWiper is a destructive payload that walks the file system and overwrites file contents so they cannot be recovered (content wipe); the boot-sector tampering described under Behavior Analysis maps to the structure-wipe sub-technique and leaves the operating system unbootable.
· T1489 Service Stop
o The attack aims to disrupt operational continuity by stopping critical services required for power grid management.
· T1565 Data Manipulation
o Sandworm has a history of manipulating data to cause operational disruptions in energy sectors.
· T1486 Data Encrypted for Impact
o Though DynoWiper primarily wipes data, Sandworm often employs encryption techniques in similar disruptive campaigns to hinder recovery.
· T1490 Inhibit System Recovery
o The malware’s destructive nature prevents standard system recovery, forcing organizations to rebuild from backups.
Tools Used
· Custom wiper malware
Malware Names
DynoWiper (Win32/KillFiles.NMO)
Malware Sample
sha256
34e0b3a1a98639162e189ce204f7ccb9a86b1a3af4384bf56915a9a61b6e8d0b
Malware Family
· DynoWiper
o Also associated with the CaddyWiper or StoneDrill lineages in some reporting, though often categorized as its own distinct wiper variant
Known Decoding Key
· No decoding key is available; as a "wiper" class of malware, its primary function is the permanent destruction of data rather than encryption for ransom.
Verdict
· Malicious (High Confidence).
Primary Objectives:
Data Destruction
· Irreversibly wiping files and corrupting the Master Boot Record (MBR) or partition tables to render the system unbootable.
Operational Disruption
· Halting the business operations of the targeted organization.
Anti-Forensics
· Deleting logs and system artifacts to complicate incident response.
Behavior Analysis
· Privilege Escalation
o Attempts to gain administrative or SYSTEM level privileges to access low-level disk operations.
· Wiping Mechanism
o Iterates through all connected drives and overwrites file contents with null bytes or random data.
· MBR Corruption
o Targets physical drive 0 to overwrite the boot sector, preventing the OS from loading upon restart.
· System Shutdown
o Frequently triggers an immediate system reboot or shutdown after the wiping process is finished to finalize the destruction.
IOCs
· Massive File Entropy Changes
o Rapid, large-scale overwriting of files with random data or zeros across system drives, leading to a sudden spike in disk write activity and file entropy.
· System Boot/MBR Modification
o Unauthorized attempts to modify the Master Boot Record (MBR) or the GUID Partition Table (GPT), a common behavior for Sandworm-linked wipers to ensure the system cannot reboot.
· Service and Backup Deletion
o Programmatic execution of commands to delete Volume Shadow Copies (e.g., vssadmin.exe delete shadows) and disabling of recovery services to prevent data restoration.
· Privilege Escalation Anomalies
o Unusual process spawning under administrative accounts (such as LocalSystem) that opens the raw disk device for writing (e.g., CreateFile on \\.\PhysicalDrive0 with GENERIC_WRITE), which legitimate software outside of disk utilities and backup agents almost never does.
· Execution in Targeted Environments
o Heuristic alerts for new, unsigned executables running in critical infrastructure environments (specifically energy or government sectors in Central/Eastern Europe), consistent with Sandworm’s historical targeting.
· Self-Deletion or Log Clearing
o Rapid clearing of Windows Event Logs (Security and System) or the use of self-deletion routines immediately following high-volume disk activity to hinder forensic analysis.
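The first IOC above (a sudden entropy shift across many files) can be checked offline without any vendor tooling. The following is an added example, not code from the page or from any Sandworm sample: it builds a set of ordinary files in a temporary directory, simulates the two overwrite styles described under Behavior Analysis (random bytes and null bytes), and flags files whose entropy either jumped to near 8 bits per byte or collapsed to near 0. File names, contents and the wipe itself are constructed here; the thresholds 7.5 and 0.5 are assumptions a practitioner would tune against their own baseline.

```python
"""Entropy-based wiper triage: compare per-file entropy before and after a burst of writes.

Constructed demo: the files, their contents and the 'wipe' are generated in a
temporary directory; nothing is read from a real host and no real sample is used.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Entropy of every regular file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): shannon_entropy(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def flag_wiped(before: dict, after: dict, high: float = 7.5, low: float = 0.5) -> list:
    """Files whose entropy jumped to random-looking (>= high) or collapsed to constant (<= low).

    Both directions matter: a wiper may overwrite with random bytes (entropy near 8)
    or with zeros (entropy near 0); a plain 'high entropy' check misses the latter.
    """
    findings = []
    for name, e_after in after.items():
        e_before = before.get(name)
        if e_before is None:
            continue  # new file, no baseline to compare against
        if e_after >= high and e_before < high:
            findings.append((name, "random-overwrite", round(e_before, 2), round(e_after, 2)))
        elif e_after <= low and e_before > low:
            findings.append((name, "zero-overwrite", round(e_before, 2), round(e_after, 2)))
    return findings


def run_demo() -> dict:
    """Build 20 ordinary files, 'wipe' 18 of them (15 random, 3 zero-filled) and triage."""
    rng = random.Random(2026)  # deterministic stand-in for a wiper's random data (constructed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        text = "substation telemetry export; breaker state nominal; line load 412 MW\n"
        for i in range(20):
            (root / f"report_{i:02d}.csv").write_text(f"record {i}\n" + text * 40)
        before = snapshot(root)

        # Constructed wipe: overwrite in place, mirroring 'null bytes or random data'.
        for i in range(15):
            (root / f"report_{i:02d}.csv").write_bytes(rng.randbytes(4096))
        for i in range(15, 18):
            (root / f"report_{i:02d}.csv").write_bytes(b"\x00" * 4096)
        after = snapshot(root)

    findings = flag_wiped(before, after)
    kinds = Counter(kind for _, kind, _, _ in findings)
    return {"files": len(before), "flagged": len(findings),
            "random": kinds["random-overwrite"], "zero": kinds["zero-overwrite"]}


if __name__ == "__main__":
    print(run_demo())
```

In production the "before" snapshot would come from a file-integrity baseline or backup catalogue rather than a live scan; the comparison logic is the same. Compressed and encrypted files legitimately sit near 8 bits per byte, which is why the check keys on the change relative to the baseline rather than the absolute value.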
CVE-2024-3400 (Suspected initial access vector; not confirmed by the cited reporting)
· Command injection in the GlobalProtect feature of Palo Alto Networks PAN-OS that lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall.
CVSS:3.1
· 10.0 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS:4.0
· 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Nessus IDs
· 114282
· 193255
Is CVE-2024-3400 in the KEV Catalog?
· Yes
What was the patch by date for CVE-2024-3400?
· April 19, 2024
URL to patch information
· hxxps://security.paloaltonetworks.com/CVE-2024-3400
Suggested Rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
· Payload Detection (DynoWiper Download):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Sandworm DynoWiper Download Attempt"; flow:established,to_client; filesha256:dynowiper-sha256.txt; filestore; classtype:trojan-activity; sid:2026001; rev:2;)
```
o dynowiper-sha256.txt lives in the rules directory and holds the SHA-256 from the Malware Sample section, one hash per line. The "NMO" in Win32/KillFiles.NMO is the vendor's variant suffix in the detection name, not a byte sequence present in the binary, so it cannot serve as a content match. Hashing a transferred file requires HTTP response body extraction (response-body-limit) large enough to cover the whole download.
· Webshell Access (Potential PAS Webshell on an exposed web server):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT Sandworm PAS Webshell Activity"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/(?:cmd|exec|system|passthru)\s*\(.*\)/P"; classtype:web-application-attack; sid:2026002; rev:2;)
```
o Webshell traffic arrives from the outside toward the compromised server, so the rule watches inbound POSTs; the P modifier limits the regex to the request body (http_client_body) rather than the whole packet payload.
SentinelOne
· Inhibiting System Recovery (Shadow Copy Deletion):
```sql
ProcessCmd CONTAINS ANY ("vssadmin delete shadows", "vssadmin.exe delete shadows", "wbadmin delete catalog", "wbadmin.exe delete catalog", "bcdedit /set {default} recoveryenabled no")
```
o This identifies commands often used by Sandworm before executing wipers to prevent easy restoration. The .exe suffix is optional at the prompt and casing varies, so match both spellings and use a case-insensitive comparison where the query language offers one.
· DynoWiper Execution by Hash:
```sql
(FileSHA1 = "4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6") OR (FileSHA256 = "34e0b3a1a98639162e189ce204f7ccb9a86b1a3af4384bf56915a9a61b6e8d0b") OR (IndicatorName = "Win32/KillFiles.NMO")
```
o The SHA-256 is the sample listed under Malware Sample. A hash match only confirms the known build; recompiled variants need the behavioral hunts below.
· Massive File Deletion Events
o Targets the core "wiper" behavior of destroying many files rapidly. A wiper that overwrites files in place (as described under Behavior Analysis) produces file-modification rather than file-delete telemetry, so run the same aggregation over modification events as well.
```sql
EventType = "File Delete" AND (FileExtension NOT IN ("tmp", "log"))
| count() by AgentName, ProcessName
| filter count > 1000
```
Splunk
· Unusual Process Spawning (script hosts launching shells):
```splunk
index=windows sourcetype=WinEventLog:Security EventCode=4688
    (Creator_Process_Name="*\\mshta.exe" OR Creator_Process_Name="*\\wscript.exe" OR Creator_Process_Name="*\\cscript.exe")
    (New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\cmd.exe")
| stats count by ComputerName, New_Process_Name, Creator_Process_Name, Process_Command_Line
```
o Field names follow the Splunk Add-on for Microsoft Windows for the classic Security sourcetype; the XML sourcetype renders the parent as Parent_Process_Name. Process_Command_Line is only populated when command-line auditing is enabled in the audit policy.
· Detecting DynoWiper via Sysmon (File Deletion Bursts):
o Sysmon Event ID 23 (FileDelete, archived) and 26 (FileDeleteDetected) at high frequency from a single process are a strong indicator of wiper activity. Group by process, not by file name: a count per TargetFilename is always 1 and never crosses the threshold.
```splunk
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=23 OR EventCode=26)
| bin _time span=5m
| stats count AS deletes dc(TargetFilename) AS distinct_files by _time, host, Image
| where distinct_files > 500
```
o Sysmon has no event for in-place content overwrites, so a wiper that overwrites rather than deletes shows up in EDR file-modification telemetry or in the entropy shift listed under IOCs, not here.
· RDP Lateral Movement from Unexpected Sources:
```splunk
index=windows sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=10
| where NOT cidrmatch("10.0.0.0/8", src_ip)
| stats count min(_time) AS first_seen max(_time) AS last_seen by src_ip, dest, dest_nt_domain, user
```
o Logon type 10 is RemoteInteractive (RDP). 10.0.0.0/8 is a placeholder for the networks from which administrative RDP is expected; substitute the jump-host or management ranges for the environment, and filter before the stats so the allow-listed traffic is never aggregated.
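The SentinelOne and Splunk hunts above can be exercised offline before they are deployed, which is the only way to know whether the thresholds and command-line patterns actually fire. The following is an added example, not code from the page or from any vendor: it runs the two behavioral hunts (T1490 recovery-inhibition command lines, and a per-process file-deletion burst inside a sliding time window) over constructed Sysmon-style JSON events. The hostname, paths, timestamps and the 600-file burst are made up for the demo; the five-minute window and 500-file threshold mirror the Splunk query and are assumptions to tune.

```python
"""Offline version of the recovery-inhibition and file-delete-burst hunts,
run over constructed Sysmon-style JSON events (not real telemetry)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Command-line forms the IOC list ties to T1490 Inhibit System Recovery.
# The '.exe' suffix is optional at the prompt and casing varies, so the
# patterns are case-insensitive and do not require the extension.
RECOVERY_INHIBIT = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
)


def parse_events(lines):
    """Parse newline-delimited JSON events; UtcTime becomes a datetime under '_time'."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["UtcTime"], TIME_FMT)
        events.append(ev)
    return events


def find_recovery_inhibition(events):
    """Process-create events (EventID 1) whose command line matches a T1490 pattern."""
    return [ev for ev in events
            if ev.get("EventID") == 1
            and any(p.search(ev.get("CommandLine", "")) for p in RECOVERY_INHIBIT)]


def find_delete_bursts(events, window=timedelta(minutes=5), threshold=500):
    """(Computer, Image, peak) for processes with >= threshold deletes in any sliding window.

    Sysmon 23/26 are the delete events; counting per TargetFilename would never
    exceed 1, so the count is per process across files within the time window.
    """
    per_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventID") in (23, 26):
            per_proc[(ev["Computer"], ev["Image"])].append(ev["_time"])
    bursts = []
    for (computer, image), times in per_proc.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((computer, image, peak))
    return bursts


def build_sample_log():
    """Constructed events for one demo host; hostname, paths and timings are made up."""
    t0 = datetime(2026, 1, 24, 2, 15, 0)

    def ev(offset_s, **fields):
        fields["UtcTime"] = (t0 + timedelta(seconds=offset_s)).strftime(TIME_FMT)
        fields["Computer"] = "ops-hmi-01"
        return json.dumps(fields)

    lines = [
        ev(0, EventID=1, Image=r"C:\Windows\System32\cmd.exe",
           CommandLine="cmd.exe /c vssadmin Delete Shadows /All /Quiet"),
        ev(2, EventID=1, Image=r"C:\Windows\System32\bcdedit.exe",
           CommandLine="bcdedit /set {default} recoveryenabled No"),
        ev(4, EventID=1, Image=r"C:\Windows\System32\vssadmin.exe",
           CommandLine="vssadmin list shadows"),  # benign: must not match
    ]
    # 600 deletes by one unsigned binary inside three minutes: the wiper pattern.
    lines += [ev(5 + i * 0.3, EventID=23, Image=r"C:\Users\Public\update.exe",
                 TargetFilename=rf"C:\Data\report_{i}.xlsx") for i in range(600)]
    # 20 deletes by explorer.exe spread over an hour: normal user activity.
    lines += [ev(180 * i, EventID=23, Image=r"C:\Windows\explorer.exe",
                 TargetFilename=rf"C:\Users\op\Downloads\old_{i}.txt") for i in range(20)]
    return lines


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    for hit in find_recovery_inhibition(evs):
        print("T1490:", hit["Computer"], hit["CommandLine"])
    for computer, image, peak in find_delete_bursts(evs):
        print(f"delete burst: {computer} {image} peak={peak} in 5 min")
```

The sliding window matters: a fixed five-minute bucket splits a burst that straddles a boundary into two sub-threshold halves, whereas the two-pointer scan finds the peak regardless of where the burst starts. The benign "vssadmin list shadows" event is included to show the patterns key on the delete verb and not merely on the binary name.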
References
Security Affairs
· hxxps://securityaffairs.com/187309/hacking/russia-linked-sandworm-apt-implicated-in-major-cyber-attack-on-polands-power-grid.html
VirusTotal
· hxxps://www.virustotal.com/gui/file/34e0b3a1a98639162e189ce204f7ccb9a86b1a3af4384bf56915a9a61b6e8d0b/details
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2024-3400
Palo Alto Networks Security Advisories
· hxxps://security.paloaltonetworks.com/CVE-2024-3400
Tenable
· hxxps://www.tenable.com/cve/CVE-2024-3400/plugins
CISA KEV Catalog
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400