---
title: "Sandworm Targets Poland, Pwn2Own Vehicle Hacks, Energy Firms Targeted | DMARC Report"
description: "ESET ties a Polish power-grid wiper attack to Sandworm, Pwn2Own Tokyo exposes 66 EV and infotainment zero-days, and homoglyph"
image: "https://dmarcreport.com/og/blog/sandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted.png"
canonical: "https://dmarcreport.com/blog/sandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted/"
---
Quick Answer
ESET attributed a December 29-30, 2025 wiper attack on two Polish heat and power plants plus a renewables management system to Russia-linked Sandworm, with PM Donald Tusk confirming no blackout occurred. At Pwn2Own Tokyo researchers disclosed 66 zero-days in EV chargers and vehicle infotainment, including an NFC-card attack on the Autel MaxiCharger AC Elite Home 40A. Microsoft Defender XDR flagged a multi-stage AiTM phishing campaign abusing SharePoint to hit energy firms, and Netcraft and Anagram tracked a homoglyph campaign that swaps 'rn' for 'm' to impersonate Marriott and Microsoft, especially on mobile.
Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/)
Share
[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fsandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Sandworm%20Targets%20Poland%2C%20Pwn2Own%20Vehicle%20Hacks%2C%20Energy%20Firms%20Targeted&url=undefined%2Fblog%2Fsandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fsandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fsandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted%2F&title=Sandworm%20Targets%20Poland%2C%20Pwn2Own%20Vehicle%20Hacks%2C%20Energy%20Firms%20Targeted "Share on Reddit") [ ](mailto:?subject=Sandworm%20Targets%20Poland%2C%20Pwn2Own%20Vehicle%20Hacks%2C%20Energy%20Firms%20Targeted&body=Check out this article: undefined%2Fblog%2Fsandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted%2F "Share via Email")
> DMARC monitoring should be as routine as checking your inbox, says Adam Lundrigan, CTO of DuoCircle. The aggregate reports tell you exactly who sends email from your domain. If you’re not reading them, you’re flying blind on your own email security posture.
```
DMARC Report
```
Sandworm Targets Poland, Pwn2Own Vehicle Hacks, Energy Firms Targeted
```
```
/
```
```
RSS Feed
```
Share
Link
Embed
```
/\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-38162” readonly/>
```
```
Here’s the \*\*fifth edition of the month. It revolves around the top cyber incidents that took place last week. Be it the Poland power grid [cyberattack](https://www.ndtv.com/world-news/us-firm-claims-it-foiled-large-scale-ai-cyberattack-by-chinese-hackers-9640198), or the “rn” typo trick used by hackers, the incidents hint towards one thing, increasing sophistication of the campaigns. The edition also talks about the Pwn2Own contest that revealed some serious threats in [vehicle infotainment systems](https://ackodrive.com/car-guide/what-is-an-infotainment-system/). Meanwhile, there’s a sudden upsurge in the multi-phishing attacks that target energy firms.
## Poland’s power grid allegedly targeted by notorious, Russia-backed Sandworm group!
Last month was quite devastating for [Poland’s power grid](https://www.bez-kabli.pl/poland-power-grid-cyberattack-new-dynowiper-wiper-malware-points-to-russias-sandworm/). A wiper attack, one of the strongest ones in recent times, targeted the energy grids across Poland. The cyber mishap took place on \*\*December 29 and 30 when [threat actors](https://www.scworld.com/news/china-linked-threat-actor-warp-panda-targets-us-entities-with-brickstorm) managed to penetrate into the systems of two heat and power plants, as well as another system that used to take care of the “electricity generated from renewables (RES) .
\*\*Poland’s Prime Minister Donald Tusk announced the cyber incident on his official website. The statement also mentioned that “there was no blackout or other negative consequences” because of the cyberattack.
**On January 23**, a group of researchers from the security firm [ESET](https://en.wikipedia.org/wiki/ESET) revealed that the cyberattack was backed by the notorious Russian threat actors, who go by the name of Sandworm. ESET researchers have found great similarities between this attack and the previous campaigns run by Sandworm.
Sandworm has been involved in some of the worst cyberattacks. Back in **2015**, the group managed to target the power grid in Ukraine by leveraging [BlackEnergy malware](https://betanews.com/article/blackenergy-3-malware-targets-ukranian-power-facilities/). The attack devastated everyday lives by disrupting the electricity supply for several hours. What ESET does not wish to see as a coincidence is the fact that the recent attack on Poland’s power grid took place exactly on the 10th anniversary of the Ukraine BlackEnergy attack.
## Pwn2Own contest revealed multiple tactics to hack vehicles!
Who knew that a simple card swipe near any vehicle charging point would help a cybercrook hack into your vehicle! The annual **automobile-oriented** [Pwn2Own](https://www.bleepingcomputer.com/news/security/qnap-synology-lexmark-devices-hacked-on-pwn2own-day-3/) contest revealed multiple such vulnerabilities in EV charging and vehicle infotainment systems.
The event, organized in Tokyo, proved to be a game-changer as researchers realized that all it takes is an [NFC card](https://www.rfidcard.com/what-are-nfc-cards-a-complete-guide/?srsltid=AfmBOopOHoxoAJ45JXkRxxiWFHBYRY%5F9qS55USSyGRqiLeE%5FVQgLlQOD) to compromise an [Autel MaxiCharger AC Elite Home 40A](https://amconservation.com/autel-maxicharger-ac-elite-home-40a-240v-level-2-electric-vehicle-charger/).
The contest is all about the existing vulnerabilities in the \*\*IT and operational technology landscape of automobile systems .
It was a three-day contest, and the first two days revealed as many as 66 [zero-day vulnerabilities](https://en.wikipedia.org/wiki/Zero-day%5Fvulnerability). Jaws dropped as [5 out of every 6 attempts](https://www.darkreading.com/endpoint-security/researchers-find-new-ways-hack-vehicles) succeeded.
_EV chargers seemed to have boosted security systems, and yet they were highly vulnerable to cyberattacks._ Similarly, \*\*infotainment systems were also highly prone to threat attacks through unpatched bugs.
## Multi-stage BEC and phishing campaigns are doing the rounds as they target energy firms
Microsoft has recently warned energy sector firms against a [multi-stage phishing campaign](https://thehackernews.com/2026/01/microsoft-flags-multi-stage-aitm.html). The threat actors have been abusing SharepOint file sharing feature to send phishing links. They have also successfully managed to camouflage their malicious approaches.
After phase one of the attack, the threat actors proceed to launch AiTM attacks, thereby leading to [business email compromise (BEC) attacks](https://www.cybersecuritydive.com/news/fbi-internet-crime-bec-scams-investment-fraud-losses/746181/). Next, the cybercrooks misuse trusted internal accounts to send phishing content both **internally and externally**. This significantly expands the reach of the campaign .
The campaign was detected by **Microsoft Defender** [XDR](https://www.crowdstrike.com/en-us/cybersecurity-101/endpoint-security/extended-detection-and-response-xdr/) as it noticed multiple suspicious sign-ins and fake inbox rules. The experts managed to limit the extent of the attack by effectively disrupting AiTM activity. They also assisted with auto-purging the [malicious emails](https://www.securitymagazine.com/articles/100687-the-last-six-months-shows-a-341-increase-in-malicious-emails) and helped people recover all the impacted identities. The remediation process involved resetting passwords, revoking the session cookies, altering the MFA changes, and eliminating false inbox rules.
## “rn” typo used for impersonating biggies like Marriott and Microsoft
[Microsoft and Marriott](https://cybersecuritynews.com/rn-typo-phishing-attack/) \*\*International customers are being targeted by a “homoglyph” phishing campaign. Domains are being registered to impersonate Marriott and Microsoft by combining “rn” that would replace the letter “m.”
This technique is called a [homoglyph attack](https://www.trendmicro.com/en%5Fus/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html) or typosquatting. Such attacks involve visual tricks so that victims cannot spot errors easily.
**Netcraft**, a security firm , detected multiple such [fake domains](https://www.cloudsek.com/blog/cybercriminals-hate-this-cloudseks-fake-domains-observer-is-changing-the-game) that are targeting popular hotel brands.The threat actors aim at gaining access to guest data or loyalty account credentials with the help of these malicious websites.
\*\*Experts at Anagram also revealed a similar campaign that has been targeting Microsoft for some time. The cybercrooks have been sending [phishing emails](https://cybernews.com/news/phishing-email-costs-school-millions/) from fake websites. _These websites try to mimic the layouts, logo, and tone of Microsoft_. The campaign gets extremely dangerous on smartphones as the optimization makes it almost impossible to detect the difference between “rn” and “m.”
[Cybersecurity](https://dmarcreport.com/blog/email-security-meets-cybersecurity-understanding-the-role-of-dmarc-reports/) teams rely on [DMARC](https://dmarcreport.com/), [DKIM](https://dmarcreport.com/what-is-dkim/), and [SPF](https://dmarcreport.com/what-is-spf/) to authenticate email, **prevent spoofing attacks**, and protect organizations from phishing and domain abuse.
## Topics
[ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ News ](/tags/news/)[ SPF ](/tags/spf/)
[ Brad Slavin ](/authors/brad-slavin/)
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin)
## Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.
[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/)
## Related Articles
[ Foundational 4m Adidas Data Breach, Whatsapp Image Threat, Silent Ransom Vishing May 29, 2025 ](/blog/adidas-data-breach-whatsapp-image-threat-silent-ransom-vishing/)[ Foundational 4m Africa Fights Cybercrime, Attention Farmers Customers, Apple Prevents Threats Aug 28, 2025 ](/blog/africa-fights-cybercrime-attention-farmers-customers-apple-prevents-threats/)[ Foundational 4m AI Scam Alert, Federal Cuts Vulnerability, American Tire Cyberattack Sep 9, 2025 ](/blog/ai-scam-alert-federal-cuts-vulnerability-american-tire-cyberattack/)[ Foundational 4m Akira flaunts victims, Idaho targets orthodontist, AI granny protects Nov 22, 2024 ](/blog/akira-flaunts-victims-idaho-targets-orthodontist-ai-granny-protects/)
```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```
```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```
```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Sandworm Targets Poland, Pwn2Own Vehicle Hacks, Energy Firms Targeted","description":"ESET ties a Polish power-grid wiper attack to Sandworm, Pwn2Own Tokyo exposes 66 EV and infotainment zero-days, and homoglyph 'rn' phishing fakes Marriott.","url":"https://dmarcreport.com/blog/sandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted/","datePublished":"2026-01-28T11:02:39.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-01-28T11:02:39.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/sandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted/"},"articleSection":"foundational","keywords":"dkim, DMARC, News, SPF","wordCount":1106,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Sandworm Targets Poland, Pwn2Own Vehicle Hacks, Energy Firms Targeted","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Sandworm Targets Poland, Pwn2Own Vehicle Hacks, Energy Firms Targeted","item":"https://dmarcreport.com/blog/sandworm-targets-poland-pwn2own-vehicle-hacks-energy-firms-targeted/"}]}
```