On 29 December 2025, coordinated cyberattacks unfolded across Poland’s critical infrastructure, targeting energy and industrial organizations.
The attackers struck numerous wind and solar farms, a private manufacturing company, and a heat and power (CHP) plant, but failed to negatively affect energy generation or distribution.
Poland’s national computer emergency response team, CERT Polska, assessed that all of the incidents were carried out by the same threat actor and were purely destructive in nature. Analysts say the activity aligns with a Russia-linked threat group tracked by multiple vendors as Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly.
“In all three incidents, the attackers gained their initial foothold through internet-exposed FortiGate perimeter devices configured as VPN concentrators and firewalls,” CERT said in its report. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication.”
Renewable energy facilities lost visibility at substations
In the renewable energy sector, attackers targeted at least 30 wind and photovoltaic facilities. The activity focused on grid connection point substations, where renewable plants interface with distribution system operators.
After gaining access, the attackers compromised industrial control systems including RTU controllers, protection relays, HMI computers, and serial device servers.
The affected equipment included systems from Hitachi Energy, Mikronika, and Moxa deployed within substation and industrial automation environments supporting renewable energy production and distribution. Destructive actions included uploading corrupted firmware, deleting operating files, and resetting devices to factory settings.
The activity caused a loss of communication between facilities and distribution system operators, reducing monitoring and remote control capabilities, but electricity generation continued.
Prolonged intrusion preceded heat and power plant sabotage
On the same day, attackers executed an operation against a heat and power (CHP) plant supplying heat to nearly half a million customers. The goal was irreversible data loss across the organization’s internal network through the deployment of wiper malware.
Evidence indicates that the incident was preceded by months of unauthorized access, internal reconnaissance, and theft of sensitive operational information. During this period, privileged Active Directory credentials were obtained, enabling lateral movement across servers and workstations.
A custom wiper known as DynoWiper was later deployed using Group Policy Objects distributed from a domain controller. An EDR platform detected the activity and blocked execution, limiting the scope of damage.
Indicators associated with the intrusion had been present earlier in 2025, pointing to sustained access and preparation ahead of the attack.
Manufacturing company targeted in parallel operation
Attackers also attempted to disrupt operations at a private manufacturing company. The activity unfolded alongside the energy sector attacks, and the target was opportunistic in nature.
Initial access was gained through a Fortinet perimeter device whose configuration had previously been stolen and publicly disclosed on an online forum used by criminal communities. After access was established, the attackers modified device settings to preserve persistence even if credentials were changed. Movement within the internal network led to administrative access within the Windows domain.
The destructive phase relied on a PowerShell-based wiper referred to as LazyWiper, which was distributed through Group Policy Objects with the goal of destroying business-critical data. The Polish CERT believes that the file overwriting function employed by the wiper script was generated by an LLM.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
