Targeting the Grid: ESET Unmasks “DynoWiper” After Destructive Strike on Polish Energy Sector
ESET has disclosed the intricate technical specifications of an incursion involving a nascent data-obliteration utility designated as DynoWiper. The incident compromised an energy sector entity in Poland, distinguished by its calculated focus on critical infrastructure.
The ESET analytical team determined that the identified malware is engineered to execute widespread data destruction across workstations and servers. In its operational methodology, DynoWiper exhibits a striking resemblance to the previously unearthed ZOV Wiper. Both threats utilized analogous distribution vectors via Active Directory Group Policy Objects (GPO) and employed a specialized file-overwriting logic, wherein segments of content are selectively expunged to accelerate the destructive process. Based on these tactical and instrumental congruencies, analysts tentatively attribute this operation to a notorious disruptive threat actor, though the level of certainty remains moderate.
During the offensive, adversaries deployed multiple iterations of executable binaries within a shared network directory, executing them sequentially. Each subsequent sample featured subtle modifications, indicating deliberate attempts to circumvent defensive perimeters. The ESET PROTECT solution instantiated within the infrastructure successfully neutralized every version of the malicious payload, thereby mitigating systemic devastation.
DynoWiper functions through a phased approach. Initially, the utility scans connected storage volumes and overwrites files with randomized data, deliberately bypassing specific system directories to maintain temporary stability. Subsequently, certain variants lift these restrictions, extending the obliteration to virtually all contents of the drives. The terminal phase involves a forced system reboot, which significantly complicates forensic restoration. This blueprint for data annihilation mirrors other prominent wipers deployed in historical assaults against critical infrastructure.
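The phased overwrite described above (random data written to files on every attached volume, with only a set of system directories skipped at first) leaves a telemetry footprint a defender can look for independently of any hash. The following is an added example, not ESET's or CERT Polska's code: a sliding-window heuristic over constructed file-write events that flags a process touching many files across many directories and volumes in a short span. The event fields, process names and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class WriteEvent:
    ts: float    # seconds since capture start (assumed EDR-style feed)
    pid: int
    image: str   # process image name
    path: str    # full Windows path of the file written

# Thresholds are assumptions for the demonstration, not tuned production values.
WINDOW_SECONDS = 10.0
MIN_FILES = 50
MIN_DIRS = 10

def _dir_of(path):
    return path.rsplit("\\", 1)[0].lower()

def detect_wiper_bursts(events, window=WINDOW_SECONDS, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return {pid: (image, files, dirs, volumes)} for every process whose writes
    within `window` seconds touch at least `min_files` distinct files spread over
    at least `min_dirs` directories. Counts are taken at the moment the threshold
    is first crossed, which is when an alert would fire."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    alerts = {}
    for pid, evs in by_pid.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            files = {e.path.lower() for e in win}
            if len(files) < min_files:
                continue
            dirs = {_dir_of(e.path) for e in win}
            if len(dirs) >= min_dirs:
                vols = {e.path[:2].upper() for e in win}   # drive letters hit
                alerts[pid] = (ev.image, len(files), len(dirs), len(vols))
                break
    return alerts

def constructed_telemetry():
    """Constructed sample: a user process saving three documents, and one process
    overwriting 60 files in 12 folders on two volumes within six seconds."""
    evs = [WriteEvent(1.0 + i, 4321, "winword.exe", f"C:\\Users\\jk\\Documents\\report{i}.docx") for i in range(3)]
    for i in range(60):
        drive = "C:" if i % 2 == 0 else "D:"
        evs.append(WriteEvent(20.0 + i * 0.1, 9876, "unknown_tool.exe",
                              f"{drive}\\Data\\folder{i % 12}\\file{i}.bin"))
    return evs

if __name__ == "__main__":
    for pid, info in detect_wiper_bursts(constructed_telemetry()).items():
        print(f"ALERT pid={pid} image={info[0]} files={info[1]} dirs={info[2]} volumes={info[3]}")
```

In a real deployment the same logic would run over EDR file-write events, with thresholds tuned per host role so that backup agents and indexers do not trip it.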
Within the compromised organization’s network, traces of the open-source utilities Rubeus and rsocx were also identified. Furthermore, attempts to dump the memory of the LSASS process using native Windows administrative tools were documented. To obfuscate command-and-control traffic, an external server—assessed to be a compromised relay point—was used as a proxy.
According to ESET’s observations, this particular collective has long specialized in catastrophic operations and incursions against infrastructure-heavy enterprises, including the energy and transportation-logistics sectors. While their prior maneuvers often masqueraded as ransomware or clandestine espionage, this instance favored a scenario of overt data liquidation.
A separate technical post-mortem of the event was published by CERT Polska. The report underscores that the acquisition of domain administrative privileges profoundly amplifies an adversary’s capabilities within a network and severely hampers defensive efforts; consequently, the fortification of Active Directory and the celerity of intrusion detection remain paramount priorities.