
CERT Polska Report: Coordinated Cyberattacks Disrupt Poland’s FortiGate-Managed Wind and Solar Farms

  • Rescana
  • 2 hours ago
  • 6 min read

Executive Summary

On December 29 and 30, 2025, coordinated cyberattacks targeted over 30 wind and solar farms, a major combined heat and power (CHP) plant, and a manufacturing company in Poland. The attacks, detailed by CERT Polska and corroborated by multiple independent sources, were destructive in nature and aimed to disrupt communications and remote control of distributed energy resources (DERs). Attackers exploited exposed FortiGate VPN/firewall devices, reused credentials, and leveraged known vulnerabilities to gain access and move laterally across sites. Destructive malware, including DynoWiper and LazyWiper, was deployed to damage industrial devices and erase data. Despite the scale and sophistication of the attack, there was no interruption to electricity or heat supply, and no blackout occurred. The Polish government responded with increased cybersecurity measures and new legislative initiatives. Attribution remains contested, with CERT Polska identifying the threat actor as Static Tundra (linked to Russia’s FSB Center 16), while other firms, including Dragos and ESET, suggest possible involvement of Sandworm (GRU). The incident highlights the growing vulnerability of DERs and the critical need for enhanced operational technology (OT) and information technology (IT) security in the energy sector. All claims in this summary are supported by primary sources, including CERT Polska, Dragos, Polish Government, and Security Affairs.

Technical Information

The coordinated attacks on Poland’s energy infrastructure in late December 2025 represent a significant escalation in the targeting of distributed energy resources. Attackers focused on wind and solar farms, a major CHP plant, and a manufacturing company, leveraging a combination of known vulnerabilities, credential reuse, and destructive malware to achieve their objectives.

Initial Access and Lateral Movement: Attackers gained initial access by exploiting exposed FortiGate VPN/firewall devices, many of which lacked multi-factor authentication (MFA). Some devices were unpatched and contained known vulnerabilities, while reused credentials enabled lateral movement between sites. The attackers also utilized compromised Virtual Private Servers (VPS) and Cisco routers as part of their command and control infrastructure (Security Affairs, 31 Jan 2026).

Attack Techniques (MITRE ATT&CK Mapping): The attack chain included exploitation of public-facing applications (T1190), use of valid accounts (T1078), creation of privileged accounts (T1136), lateral movement via remote services (T1021), device resets and file deletion for defense evasion (T1070.004), and destructive actions such as data destruction (T1485), inhibiting system recovery (T1490), and firmware corruption (T0814). Malware propagation was achieved through Active Directory and malicious Group Policy tasks, including the use of PowerShell scripts (T1059.001) (Security Affairs, 31 Jan 2026).

Malware and Tools: The attackers deployed previously unknown wiper malware, including DynoWiper and LazyWiper. DynoWiper is a Windows-based wiper that corrupts and deletes files by overwriting them with random data, lacking command-and-control, persistence, or obfuscation. LazyWiper is a PowerShell script that targets a wide range of file types, partially overwriting files to render them unusable, and is believed to have been partially generated by AI tools. Both tools were designed solely for destruction, with no ransom demand or data exfiltration functionality (Security Affairs, 31 Jan 2026).
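Because both wipers described above destroy data by overwriting file contents (DynoWiper fully, LazyWiper partially) rather than by encrypting or exfiltrating it, a first post-incident triage question is simply "which files on this host no longer look like what their names claim?" The script below is an added example for this report, not tooling from CERT Polska, Rescana or any of the cited vendors. It checks each file's leading bytes against the expected signature for its extension and measures the Shannon entropy of the first 4 KiB, the region a partial overwrite hits first; the magic-byte table, thresholds and the sample files it builds are constructed for the demonstration.

```python
import math
import random
import tempfile
from pathlib import Path

# Expected leading bytes for file types the scanner knows how to judge (constructed subset;
# extend for the formats present in your environment).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
}
HEAD_BYTES = 4096          # region a partial overwrite damages first
ENTROPY_THRESHOLD = 7.5    # bits per byte; random data scores ~7.9, structured headers far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_file(path: Path) -> dict:
    """Compare the file header with the signature its extension implies and score its entropy."""
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    magic_ok = expected is None or head.startswith(expected)
    entropy = shannon_entropy(head)
    # Unknown types get no verdict: high entropy alone (a compressed archive, for example)
    # is not evidence of damage, so only known types can be flagged.
    suspicious = expected is not None and (not magic_ok or entropy > ENTROPY_THRESHOLD)
    return {"path": path, "magic_ok": magic_ok, "entropy": round(entropy, 2), "suspicious": suspicious}


def scan_tree(root: Path) -> list[dict]:
    return [inspect_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_sample_tree(root: Path) -> None:
    """Write constructed sample files: two intact, two overwritten, one of unknown type."""
    rng = random.Random(20251229)          # seeded so the demonstration is reproducible
    junk = rng.randbytes(HEAD_BYTES)        # stands in for the random data a wiper writes
    pdf_body = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\nendobj\n" * 200
    (root / "report.pdf").write_bytes(pdf_body)                            # intact
    (root / "report_wiped.pdf").write_bytes(junk + pdf_body[HEAD_BYTES:])  # header overwritten, tail intact
    (root / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 2000)         # intact
    (root / "plan_wiped.docx").write_bytes(junk)                           # fully overwritten
    (root / "notes.txt").write_bytes(b"shift handover: all turbines nominal\n")  # no signature known


def demo() -> list[str]:
    """Build the sample tree in a temporary directory and return the names flagged as damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sorted(r["path"].name for r in scan_tree(root) if r["suspicious"])


if __name__ == "__main__":
    print(demo())
```

Run against a mounted image or a file share rather than the live host where possible, and treat the output as a worklist for restoration from backup, not as proof of which malware was involved: the heuristic sees only that the header is gone, which is exactly the damage the partial-overwrite behaviour described above leaves behind.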

Industrial Device Targeting: Attackers targeted industrial devices such as Hitachi Remote Terminal Units (RTUs), Mikronika controllers, protection relays, Moxa serial devices, and Human-Machine Interface (HMI) computers. Firmware tampering and device wiping actions were observed, including corruption of RTU firmware, wiping of controllers, disabling of protection relays, and sabotage of serial devices. These actions disrupted communications and remote control but did not halt electricity production or heat supply (Security Affairs, 31 Jan 2026).

Data Compromise: In the CHP plant, attackers achieved long-term data theft, lateral movement, and privileged access. However, the deployment of wiper malware was stopped by endpoint detection and response (EDR) systems. There is no evidence of customer or personal data compromise; the focus was on operational disruption and sabotage (Security Affairs, 31 Jan 2026).

Attribution: CERT Polska attributes the attack to Static Tundra (FSB Center 16, also known as Berserk Bear, Ghost Blizzard, or Dragonfly), citing high confidence in infrastructure and tactics, techniques, and procedures (TTPs) overlap. Dragos and ESET suggest moderate confidence in Sandworm (GRU) involvement, based on similarities in malware and operational patterns. The technical evidence, including infrastructure and malware artifacts, supports Static Tundra attribution with high confidence for infrastructure and medium confidence for malware. Attribution remains contested (CERT Polska, 30 Jan 2026; Dragos, 28 Jan 2026; Security Affairs, 31 Jan 2026).

Sector-Specific Implications: The attack demonstrates the vulnerability of distributed energy resources due to their remote connectivity, standardized configurations, and limited cybersecurity investment. As DERs are increasingly integrated into national grids, the risk of similar attacks grows, underscoring the need for enhanced OT/IT security and regulatory oversight (Dragos, 28 Jan 2026).

Affected Versions & Timeline

The attacks targeted over 30 wind and solar farms, a major CHP plant, and a manufacturing company. The primary vector was exposed FortiGate VPN/firewall devices, many of which lacked MFA and were running unpatched firmware with known vulnerabilities. Hitachi RTUs, Mikronika controllers, Moxa serial devices, and HMI computers were also affected.

The verified timeline is as follows: On December 29 and 30, 2025, coordinated cyberattacks occurred, disrupting communications and remote control at substations and deploying destructive malware, but without interrupting power or heat supply (CERT Polska, 30 Jan 2026, Security Affairs, 31 Jan 2026, Gov.pl, 15 Jan 2026). On January 14, 2026, the Polish Prime Minister briefed government leaders, confirming no blackout and announcing new cybersecurity measures (Dragos, 28 Jan 2026, Gov.pl, 15 Jan 2026). On January 15, 2026, an official government statement was released (Gov.pl, 15 Jan 2026). Between January 28 and 31, 2026, CERT Polska, Dragos, and Security Affairs published technical analyses and incident reports (CERT Polska, 30 Jan 2026, Dragos, 28 Jan 2026, Security Affairs, 31 Jan 2026).

Threat Activity

The threat actors demonstrated a high level of sophistication and coordination, targeting multiple sites simultaneously and leveraging both IT and OT attack vectors. The attackers exploited exposed FortiGate devices, often lacking MFA, and used compromised credentials to move laterally. After gaining administrative access, they reset devices to erase evidence and slow recovery. On December 29, 2025, they launched automated destructive actions, damaging equipment in sequence across multiple sites.

The attackers deployed DynoWiper and LazyWiper malware to corrupt and delete files, overwrite firmware, and sabotage industrial devices. The attack on the CHP plant included long-term data theft and lateral movement, but the wiper malware was stopped by EDR systems. The attack on the manufacturing company was opportunistic, using the same wiper malware but not directly linked to the energy sector targets.

The infrastructure used by the attackers included compromised VPS servers and Cisco routers, matching patterns linked to the Static Tundra group. The malware was spread via Active Directory and malicious Group Policy tasks, enabling rapid propagation across networks. The attackers’ primary objective was sabotage, with no evidence of ransom demands or data exfiltration for financial gain.

Attribution remains contested. CERT Polska attributes the attack to Static Tundra (FSB Center 16), while Dragos and ESET suggest possible involvement of Sandworm (GRU). The technical evidence supports Static Tundra attribution with high confidence for infrastructure and medium confidence for malware, but some operational patterns overlap with Sandworm activity (CERT Polska, 30 Jan 2026, Dragos, 28 Jan 2026, Security Affairs, 31 Jan 2026).

Mitigation & Workarounds

Mitigation actions are prioritized by severity:

Critical: Immediate patching and hardening of all exposed FortiGate VPN/firewall devices, including the implementation of multi-factor authentication (MFA) and disabling of unused remote access services. All credentials associated with remote access devices should be reset, and unique, strong passwords enforced. Conduct a comprehensive review of remote access policies and restrict access to only essential personnel and systems (Security Affairs, 31 Jan 2026).

High: Audit and update firmware on all industrial devices, including Hitachi RTUs, Mikronika controllers, Moxa serial devices, and HMI computers. Apply vendor-recommended security updates and disable unnecessary services. Implement network segmentation to isolate OT from IT networks and restrict lateral movement. Deploy endpoint detection and response (EDR) solutions on all critical systems, with a focus on detecting wiper malware and unauthorized firmware changes (Security Affairs, 31 Jan 2026).

Medium: Review and harden Active Directory and Group Policy configurations to prevent unauthorized propagation of malware. Monitor for suspicious PowerShell activity and unauthorized Group Policy changes. Conduct regular security awareness training for staff, emphasizing phishing, credential hygiene, and incident reporting (Security Affairs, 31 Jan 2026).
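The report states that the wipers were pushed through Active Directory and malicious Group Policy tasks, with PowerShell as the execution vehicle, so the monitoring recommended above comes down to two event sources on a Windows domain: process creation (Security event 4688, with command-line logging enabled) and directory service object modification (event 5136) on the domain controllers. The following detection logic is an added example for this report, not code from CERT Polska, Rescana or the cited vendors; the event records, the host names, the allowlist of accounts permitted to edit GPOs and the rule thresholds are all constructed for the demonstration and must be adapted to your environment.

```python
import base64
import re

# Accounts permitted to modify Group Policy objects (constructed allowlist; adapt to your AD).
APPROVED_GPO_EDITORS = {"gpo-admin"}

# GPO attributes whose change means a client-side extension (such as scheduled tasks) was
# added or removed; these change rarely in normal operation and deserve review.
GPO_EXTENSION_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}

# PowerShell switches that rarely appear in legitimate interactive administration.
SUSPICIOUS_PS_SWITCHES = re.compile(
    r"(?:^|\s)-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|"
    r"e(?:xecutionpolicy)?\s+bypass|ep\s+bypass)\b",
    re.IGNORECASE,
)
ENCODED_ARG = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def run_detections(events: list[dict]) -> list[dict]:
    """Apply the three rules to a list of parsed Security-log events and return alerts in order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688:
            proc = ev.get("NewProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            if proc.endswith(("powershell.exe", "pwsh.exe")) and SUSPICIOUS_PS_SWITCHES.search(cmd):
                alerts.append({"rule": "suspicious_powershell", "host": ev.get("Computer"),
                               "user": ev.get("SubjectUserName"),
                               "detail": decode_encoded_command(cmd) or cmd})
        elif eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            user = ev.get("SubjectUserName")
            if user not in APPROVED_GPO_EDITORS:
                alerts.append({"rule": "gpo_change_by_unapproved_account", "host": ev.get("Computer"),
                               "user": user, "detail": ev.get("ObjectDN")})
            if ev.get("AttributeLDAPDisplayName") in GPO_EXTENSION_ATTRIBUTES:
                alerts.append({"rule": "gpo_extension_list_changed", "host": ev.get("Computer"),
                               "user": user, "detail": ev.get("AttributeLDAPDisplayName")})
    return alerts


# Constructed sample events (already parsed from EVTX/XML into flat dicts). The encoded
# command is a harmless "Get-Date" so the decoder can be checked.
ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
GPO_DN = "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=local"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "HMI-01", "SubjectUserName": "operator",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4688, "Computer": "HMI-01", "SubjectUserName": "operator",
     "NewProcessName": PS_PATH, "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},
    {"EventID": 4688, "Computer": "HMI-02", "SubjectUserName": "SYSTEM",
     "NewProcessName": PS_PATH, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"EventID": 5136, "Computer": "DC-01", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "Computer": "DC-01", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "Computer": "DC-01", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Event 4688 carries a command line only when the "Include command line in process creation events" audit setting is enabled, and 5136 requires directory service change auditing and a SACL on the Policies container; without those the rules have nothing to match, so checking that the events actually arrive is the first step. The two GPO rules are deliberately independent: an allowlisted administrator changing the extension list still raises an alert, because that is the change an attacker with stolen administrator credentials would make.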

Low: Engage in regular tabletop exercises and incident response drills focused on OT/IT convergence scenarios. Review and update business continuity and disaster recovery plans to ensure rapid restoration of communications and control in the event of a destructive attack (Dragos, 28 Jan 2026).

Organizations should also monitor for indicators of compromise associated with DynoWiper, LazyWiper, and related infrastructure, and report any suspicious activity to national CERTs and relevant authorities.

References

CERT Polska, 30 January 2026: https://cert.pl/en/tag/report/
Dragos, 28 January 2026: https://www.dragos.com/blog/poland-power-grid-attack-electrum-targets-distributed-energy-2025
Polish Government, 15 January 2026: https://www.gov.pl/web/primeminister/poland-stops-cyberattacks-on-energy-infrastructure
Security Affairs, 31 January 2026: https://securityaffairs.com/187503/apt/cyberattacks-disrupt-communications-at-wind-solar-and-heat-facilities-in-poland.html

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and critical infrastructure. Our platform enables continuous visibility into vendor security posture, supports compliance with evolving regulatory requirements, and facilitates rapid response to emerging threats in operational technology and information technology environments. For questions or further information, please contact us at ops@rescana.com.
