
All news with #sandworm tag

15 articles

Poland Attributes December Cyber Attacks to Static Tundra

🔒 CERT Polska disclosed coordinated, destructive cyber attacks on December 29, 2025 that targeted more than 30 wind and photovoltaic farms, a manufacturing firm, and a large combined heat and power (CHP) plant. The agency attributed the activity to the cluster it calls Static Tundra, linked to Russia's FSB Center 16, while other vendors noted similarities to Sandworm. Attackers deployed multiple wipers — notably DynoWiper and a PowerShell-based LazyWiper — exploited vulnerable FortiGate appliances, harvested credentials and exfiltrated selected M365 data, but did not succeed in disrupting electricity production or heat delivery.

DynoWiper analysis and Sandworm attribution update

🛡️ ESET researchers describe DynoWiper, a newly identified data-wiping malware used against an energy company in Poland. The report details a three-phase wiper that overwrites files using a single 16-byte random buffer, executes destructive passes with variant-specific behavior, and forces a reboot to complete destruction. ESET attributes the operation to Sandworm with medium confidence and highlights that ESET PROTECT blocked execution and significantly limited impact. The analysis also notes overlaps with the previously observed ZOV wiper.

Russian Sandworm Group Accused Over Poland Power Attack

⚠️ ESET attributes a Dec. 29–30 cyberattack on Poland's electricity grid to Sandworm, a hacking group tied to Russia's GRU. The operation deployed DynoWiper, destructive malware that erases data and left systems at risk of prolonged outage, nearly knocking power out for hundreds of thousands of households. ESET links the incident to a longer campaign of disruptive attacks on Ukrainian energy infrastructure since 2014. Observers say the event highlights growing threats to industrial control systems and the need for stronger defenses and incident response.

Wiper Attack on Polish Power Grid Attributed to Sandworm

🔒 ESET has attributed a late-December 2025 wiper attack on Polish energy infrastructure to the Russia-aligned Sandworm APT and identified the malware as DynoWiper. Analysts reported strong overlaps with prior Sandworm wiper activity and assigned a medium-confidence attribution. Polish officials said critical systems were not disrupted and that two CHP plants and a renewable facility were targeted. The government is accelerating a National Cybersecurity System Act to strengthen IT/OT protections.

Sandworm Tied to Failed DynoWiper Attack on Poland Grid

⚠️ Security researchers attribute a late-December 2025 cyberattack on Poland’s energy systems to the Russian state-sponsored group Sandworm, which attempted to deploy a destructive wiper named DynoWiper. ESET reports detection as Win32/KillFiles.NMO and published a SHA-1 indicator. Polish officials said two combined heat-and-power plants and a renewable power management system were targeted. Technical details and a public sample remain scarce.

DynoWiper Used in Attempted Sandworm Attack on Poland

⚠️ A new wiper malware named DynoWiper was used in an attempted disruptive attack on Poland's power sector on December 29–30, 2025, according to a report by ESET. The activity is attributed to the Russia-linked group Sandworm based on overlaps with prior wiper campaigns. Targeted systems included two CHP plants and a renewables management system, but officials report no evidence of successful disruption. Poland is accelerating safeguards and drafting stricter cybersecurity legislation for IT and OT risk management and incident response.

ESET: Sandworm Linked to Late-2025 Polish Grid Attack

🔎 ESET Research attributes a coordinated late‑2025 cyberattack on Poland’s power grid to the Russia‑aligned APT group Sandworm, citing strong overlaps in malware and tactics. The analyzed destructive payload, named DynoWiper, is detected as Win32/KillFiles.NMO (SHA‑1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6). Researchers state medium confidence in the attribution and report they are not aware of any confirmed operational disruption. The incident occurred on the tenth anniversary of Sandworm’s 2015 Ukrainian power outage.

Russian APT Shifts to Network Edge Device Misconfigurations

🔍 A Russian state-sponsored cyberespionage group has shifted to exploiting misconfigurations in network-edge devices to target energy companies and critical infrastructure. Amazon Threat Intelligence found the actor, active since at least 2021, pivoted from known CVEs to passive credential harvesting via compromised routers, VPN concentrators and management appliances. Telemetry shows overlaps with GRU-linked Sandworm and Bitdefender’s Curly COMrades, with attackers intercepting traffic to replay credentials. Amazon urges audits of edge devices, isolation of management interfaces, enforcement of MFA and monitoring for anomalous authentication.

Amazon Reveals Years-Long GRU Campaign Targeting Energy

🛡️ Amazon's threat intelligence team disclosed a years-long campaign tied with high confidence to the GRU-affiliated APT44 (also tracked as FROZENBARENTS/Sandworm), which targeted Western critical infrastructure from 2021–2025. The actor shifted from zero-day exploitation to abusing misconfigured customer network edge devices and exposed management interfaces on AWS-hosted instances, enabling packet capture, credential harvesting, and credential replay against energy, telecom, and cloud providers. Amazon observed exploitation of WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532), notified affected customers, disrupted active operations, and recommended audits, stronger authentication, and monitoring for unexpected access and credential replay.

Amazon: Russian GRU Targets Misconfigured Edge Devices

🔒 Amazon Threat Intelligence has attributed with high confidence a years‑long campaign to Russia’s GRU, noting a shift in 2025 from exploiting software flaws to compromising misconfigured customer network edge devices. The actor has targeted enterprise routers, VPN concentrators, network management appliances and cloud-hosted edge instances, including some hosted on AWS, to gain initial access. This tactic supports credential harvesting, replay attacks and lateral movement while reducing attacker exposure and resource expenditure.

Amazon: Russian GRU Group Targets Western Infrastructure

🔐 Amazon Threat Intelligence details a multi-year, state-sponsored Russian campaign—assessed as GRU-linked—that targeted Western critical infrastructure, especially the energy sector, from 2021 through 2025. The actor shifted from exploiting N-day/zero-day flaws to abusing misconfigured customer network edge devices (including EC2-hosted appliances) to intercept credentials and gain persistent access. Amazon observed packet-capture based credential harvesting and subsequent credential replay attempts, with infrastructure overlaps linked to clusters tracked as Curly COMrades and Sandworm. Recommended mitigations include auditing edge devices, enforcing strong authentication, monitoring for credential replay, and applying AWS-specific controls.

Who, Where and How: APT Attacks Q2–Q3 2025 Report Overview

🔍 The ESET research team released its APT Activity Report covering April–September 2025, summarizing operations by state-aligned hacking groups. The report details espionage, disruptive attacks and monetized campaigns targeting government and corporate networks across multiple regions. Notably, the Russia-aligned group Sandworm deployed several data wipers against Ukraine's grain sector, an apparent attempt to harm economic resilience. ESET Chief Security Evangelist Tony Anscombe outlines key findings in an accompanying video and encourages readers to consult the full report for technical specifics.

Sandworm Deploys New Wiper Malware in Ukraine Q2–Q3 2025

🛡️ ESET's APT Activity Report covering Q2–Q3 2025 reports that Russian-aligned Sandworm deployed new data wipers, identified as Zerolot and Sting, against Ukrainian targets including government bodies and critical sectors such as energy, logistics and grain. The firm assessed the activity as likely intended to weaken Ukraine's economy. The findings, published on 6 November 2025, also note increased espionage and tool-sharing among other Russia-aligned groups.

Trojanized ESET Installers Deliver Kalambur Backdoor

🛡️ A Russia-aligned cluster tracked as InedibleOchotense impersonated Slovak vendor ESET in May 2025, sending spear-phishing emails and Signal messages to multiple Ukrainian organizations. Recipients were directed to domains such as esetsmart[.]com hosting a trojanized installer that deployed the legitimate ESET AV Remover alongside a C# backdoor dubbed Kalambur (aka SUMBUR). Kalambur leverages the Tor network for command-and-control and can install OpenSSH and enable RDP on port 3389 to facilitate remote access. ESET links the campaign to Sandworm sub-clusters and notes overlaps with activity reported by CERT-UA and EclecticIQ.

Sandworm Deploys Data Wipers Against Ukraine's Grain Sector

🔒 Russian state-backed Sandworm (aka APT44) deployed multiple data-wiping malware families in June and September 2025, targeting Ukrainian education, government, and grain-production organizations. ESET says these wipers — distinct from ransomware — corrupt files, partitions, and boot records to prevent recovery and cause long outages. Some intrusions began with access by UAC-0099, which then handed access to APT44 for destructive payloads.