Full Report
CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to
Analysis Summary
# Incident Report: Coordinated Attacks on Polish Energy Sector
## Executive Summary
On December 29, 2025, coordinated cyber attacks attributed to the Russia-linked threat actor Static Tundra (Energetic Bear) targeted over 30 wind/solar farms, a manufacturing company, and a major Combined Heat and Power (CHP) plant in Poland. The objective of the attacks was purely destructive, involving the deployment of wiper malware (DynoWiper and LazyWiper). While communication disruptions occurred at energy farms and reconnaissance/file deletion attempts were made at the CHP, the planned disruption of CHP heat supply was ultimately unsuccessful.
## Incident Details
- Discovery Date: January 30, 2026 (the date CERT Polska published its report; the incident itself occurred earlier)
- Incident Date: December 29, 2025
- Affected Organization: Over 30 wind/photovoltaic farms, one large CHP plant, one manufacturing company.
- Sector: Energy (Renewables, Heat/Power Generation), Manufacturing
- Geography: Poland
## Timeline of Events
### Initial Access
- Date/Time: Began as early as March 2025 (for CHP intrusion), main attacks on December 29, 2025.
- Vector: Exploitation of vulnerable Fortinet perimeter devices (FortiGate). For the CHP, static accounts without MFA were used via the SSL-VPN portal.
- Details: Opportunistic access via a vulnerable perimeter device for the manufacturing target; long-term undetected access for the CHP target. Attackers used Tor nodes and compromised Polish and foreign IP addresses.
### Lateral Movement
- Date/Time: Ongoing for the CHP target since March 2025.
- Vector: Privilege escalation achieved internally within the CHP network after long-term data theft.
- Details: Spread malware (DynoWiper/LazyWiper) via PowerShell scripting across the Active Directory domain.
### Data Exfiltration/Impact
- Date/Time: December 29, 2025 (Wiper execution attempt).
- Vector: Wipers attempting to corrupt and delete system files, including targeting firmware in controllers at renewable facilities.
- Details: Attacks intended to be destructive. For renewable farms, communication with operators was disrupted but power production continued. For the CHP, wiper deployment was attempted but failed to achieve the intended result of disrupting heat supply.
### Detection & Response
- Date/Time: Post-December 29, 2025.
- Vector: CERT Polska investigation and analysis following the destructive activity.
- Details: CERT Polska identified the deployment of DynoWiper and LazyWiper, tracked attacker methods, and reported on the failure of the wipers to achieve full impact.
## Attack Methodology (Based on Observed Techniques)
- Initial Access: Exploitation of vulnerable Fortinet perimeter devices (FortiGate).
- Persistence: Not explicitly detailed for the Wiper stages, but long-term data theft/reconnaissance (since March 2025) suggests pre-existing persistence mechanisms were in place for the CHP target.
- Privilege Escalation: Achieved at the CHP through long-term data theft enabling escalation.
- Defense Evasion: Use of multiple statically defined accounts without MFA; connection camouflage via Tor nodes and known compromised infrastructure.
- Credential Access: Implied through long-term data theft prior to lateral movement at the CHP.
- Discovery: Explicit reconnaissance activities within the power substation networks.
- Lateral Movement: Distribution of malware via PowerShell scripts across the Active Directory domain.
- Collection: Long-term data theft noted at the CHP plant dating back to March 2025.
- Exfiltration: Long-term data theft was conducted (nature of data not specified).
- Impact: Deployment of proprietary wiper malware (DynoWiper/LazyWiper) designed to initialize a PRNG (Mersenne Twister) and overwrite/delete files.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Long-term data theft occurred at the CHP plant dating back to March 2025; nature of data unknown.
- Operational: Disruption of communication between renewable energy facilities and the distribution system operator. **No sustained disruption** to electricity production or CHP heat supply was achieved.
- Reputational: Significant national security attention due to targeting critical infrastructure, revealed publicly by CERT Polska.
## Indicators of Compromise
- Network Indicators: Connection attempts originating from Tor nodes and known compromised Polish and foreign IP addresses.
- File Indicators: DynoWiper (discovered in 4+ versions), LazyWiper (PowerShell-based wiper).
- Behavioral Indicators: Use of Mersenne Twister in file corruption routines; execution of wipers via PowerShell distribution across Active Directory.
## Response Actions
- Containment: Not explicitly detailed, but the attacks were ultimately neutralized before achieving full destructive goals (wiper execution failed at CHP).
- Eradication: Removal of wiper malware and closure of related access vectors (implied actions following incident declaration).
- Recovery: Restoration of disrupted communications capabilities for renewable energy facilities (implied).
## Lessons Learned
- Critical infrastructure components (HMIs, controllers) remain primary targets for destructive attacks.
- Reliance on static, default, or non-MFA-protected accounts on perimeter devices (like FortiGate SSL-VPN) provides a significant and exploitable initial access vector.
- Adversaries linked to state actors (Static Tundra/FSB) actively pursue long-term access for reconnaissance before launching disruptive/destructive payloads.
## Recommendations
- Immediately enforce Multi-Factor Authentication (MFA) on all remote access services, especially SSL-VPN portals for OT/ICS environments.
- Audit and significantly restrict the use of statically defined accounts on network perimeter hardware.
- Implement segmentation and robust network monitoring within OT/ICS environments to detect lateral movement earlier than the final wiper deployment stage.
- Harden or replace legacy Human-Machine Interface (HMI) controllers to resist direct firmware tampering.
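The behavioral indicator above (wipers distributed via PowerShell across the Active Directory domain) and the recommendation to detect lateral movement before the wiper stage both reduce to one question for a SOC: is a single account executing script blocks on many domain members in a short window, and do those blocks contain destructive content? The following is an added example written for this report, not tooling from CERT Polska or any affected operator. It assumes PowerShell script block logging (Windows Event ID 4104) has been forwarded to a SIEM and flattened to JSON lines; the field names (`ts`, `host`, `user`, `script`), the host and account names, and the thresholds are all assumptions, and the sample records are constructed.

```python
"""Spot PowerShell fan-out and destructive script blocks in forwarded event logs.

Added example for this report, not code from CERT Polska or the affected
operators. Records are constructed to resemble PowerShell script block
logging events (Event ID 4104) after a SIEM flattened them to JSON lines;
the field names are an assumption about that pipeline, not a Windows schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: routine admin activity on two hosts, then one service
# account running the same recursive delete on six domain members within
# eight minutes. Host names and accounts are invented.
SAMPLE_LOG = r"""
{"ts": "2025-12-29T03:02:11Z", "event_id": 4104, "host": "ws-ops-01", "user": "j.nowak@corp.example", "script": "Get-Service -Name Spooler"}
{"ts": "2025-12-29T03:05:40Z", "event_id": 4104, "host": "fs-01", "user": "j.nowak@corp.example", "script": "Remove-Item C:\\Temp\\old.log -Force"}
{"ts": "2025-12-29T03:31:02Z", "event_id": 4104, "host": "srv-ad-01", "user": "svc-deploy@corp.example", "script": "Remove-Item -Path D:\\Data\\* -Recurse -Force"}
{"ts": "2025-12-29T03:32:15Z", "event_id": 4104, "host": "hmi-gw-01", "user": "svc-deploy@corp.example", "script": "Remove-Item -Path D:\\Data\\* -Recurse -Force"}
{"ts": "2025-12-29T03:33:48Z", "event_id": 4104, "host": "hmi-gw-02", "user": "svc-deploy@corp.example", "script": "Remove-Item -Path D:\\Data\\* -Recurse -Force"}
{"ts": "2025-12-29T03:35:09Z", "event_id": 4104, "host": "scada-hist-01", "user": "svc-deploy@corp.example", "script": "Remove-Item -Path D:\\Data\\* -Recurse -Force"}
{"ts": "2025-12-29T03:37:21Z", "event_id": 4104, "host": "eng-ws-03", "user": "svc-deploy@corp.example", "script": "Remove-Item -Path D:\\Data\\* -Recurse -Force"}
{"ts": "2025-12-29T03:38:50Z", "event_id": 4104, "host": "fs-02", "user": "svc-deploy@corp.example", "script": "Remove-Item -Path D:\\Data\\* -Recurse -Force"}
{"ts": "2025-12-29T04:20:00Z", "event_id": 4104, "host": "bk-01", "user": "backup-svc@corp.example", "script": "Compress-Archive -Path C:\\Logs -DestinationPath D:\\bk\\logs.zip"}
"""

# Script content that is rarely legitimate when pushed to many hosts at once:
# recursive forced deletes and volume-level wipes. A single Remove-Item on one
# file (as in the j.nowak record) deliberately does not match.
DESTRUCTIVE_PATTERNS = [
    re.compile(r"Remove-Item\b(?=.*-Recurse)(?=.*-Force)", re.IGNORECASE),
    re.compile(r"\bFormat-Volume\b", re.IGNORECASE),
    re.compile(r"\bClear-Disk\b", re.IGNORECASE),
]


def parse_events(raw):
    """Parse JSON lines into dicts with a datetime in the 'ts' field."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def destructive_hits(events):
    """Return the events whose script block matches a destructive pattern."""
    return [e for e in events
            if any(p.search(e["script"]) for p in DESTRUCTIVE_PATTERNS)]


def fan_out_alerts(events, min_hosts=5, window=timedelta(minutes=10)):
    """Flag accounts whose script blocks ran on >= min_hosts distinct hosts
    inside any span of length `window` (sliding window per account)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {start["host"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                hosts.add(later["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first_seen": start["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


def triage(raw, min_hosts=5, window=timedelta(minutes=10)):
    """Combine both signals: fan-out width plus destructive content raises
    severity, because that pairing is what a domain-wide wiper push looks like."""
    events = parse_events(raw)
    destructive_by_user = defaultdict(int)
    for e in destructive_hits(events):
        destructive_by_user[e["user"]] += 1
    findings = []
    for alert in fan_out_alerts(events, min_hosts, window):
        n = destructive_by_user.get(alert["user"], 0)
        findings.append({"user": alert["user"], "hosts": alert["hosts"],
                         "destructive_blocks": n,
                         "severity": "critical" if n else "high"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["user"],
              "hosts:", ", ".join(finding["hosts"]),
              "destructive blocks:", finding["destructive_blocks"])
```

The fan-out threshold and window are tuning knobs: in an OT environment where configuration pushes are rare and scheduled, a lower `min_hosts` and a longer window are reasonable, and HMI gateways or historians appearing in the host set should raise severity on their own. The content patterns are intentionally narrow so that a single-file cleanup by an administrator does not page anyone; the width of the fan-out is the stronger signal.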