A failed December effort to bring down parts of Poland’s energy grid was the work of Russian government hackers known for causing past energy disruptions, according to a security research firm that investigated the incident. 

Last week, Polish Energy Minister Milosz Motyka told reporters that the attempted cyberattack on December 29 and 30 saw hackers targeting two heat and power plants, as well as trying to disrupt the communication links between renewable installations, such as wind turbines and power distribution operators.

Motyka called the incident the “strongest attack” on Poland’s energy infrastructure in years, with the Polish government blaming Moscow for the attempt. Local media reported that the attacks could have knocked out heat and power for at least half a million homes across the country. 

On Friday, cybersecurity firm ESET said it obtained a copy of the destructive malware, which it calls DynoWiper. This type of malware, known as “wiper” malware, is designed to irreversibly destroy data on computers to prevent them from working. 

ESET attributed the malware with “medium confidence” to the hacking group known as Sandworm, a unit within Russia’s military intelligence agency GRU, based on a “strong overlap” with its previous research into Sandworm’s past malware, including the group’s use of destructive malware to target Ukraine’s energy sector.

Independent journalist Kim Zetter first reported the news.

As noted by Zetter, the cyberattacks targeting Poland come almost exactly a decade after Sandworm’s first-known cyberattack on Ukraine’s energy infrastructure in 2015, which caused power outages for more than 230,000 homes around Kyiv, the country’s capital. A similar cyberattack hit Ukraine’s energy systems a year later. 

Following the attempted hack, Poland’s prime minister, Donald Tusk, said that the country’s cybersecurity defenses worked, and “at no point was critical infrastructure threatened.”