Full Report
On 29 December 2025, in the morning and afternoon hours, coordinated attacks took place in Polish cyberspace. They were directed at more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant supplying heat to almost half a million customers in Poland. All attacks…
Analysis Summary
# Incident Report: Coordinated Attack on Polish Energy Sector (Dec 2025)
## Executive Summary
On December 29, 2025, a coordinated destructive cyber attack targeted critical infrastructure in Poland, impacting over 30 renewable energy facilities, a manufacturing company, and a major heat and power plant. The objective was purely destructive, attempting to cause outages during severe winter weather. While communication systems were disrupted and industrial controls were affected, the intended impact of shutting down heat and electricity supply was ultimately mitigated by defenders.
## Incident Details
- Discovery Date: January 2026 (Based on CERT Polska public report date)
- Incident Date: 29 December 2025 (Morning and afternoon hours)
- Affected Organization: Over 30 Wind/PV Farms, 1 Manufacturing Company, 1 Large CHP Plant (Specific entities not named in the summary)
- Sector: Energy (Renewables, Heat Production), Manufacturing
- Geography: Poland
## Timeline of Events
### Initial Access
- Date/Time: 29 December 2025 (Morning/Afternoon)
- Vector: Not explicitly detailed in the summary, but the attack targeted both IT and physical industrial devices.
- Details: Coordinated attacks commenced across multiple energy and industrial targets.
### Lateral Movement
- (Information not provided in the summary)
### Data Exfiltration/Impact
- Date/Time: 29 December 2025
- Vector: Purely destructive objective (the report likens it to deliberate arson); no data theft.
- Details: Attacks disrupted communication between renewable energy farms and the distribution system operator. The attack specifically affected Industrial Control Systems (ICS) leading to impacts on physical industrial devices.
### Detection & Response
- Date/Time: Ongoing throughout 29 Dec 2025, followed by post-incident analysis by CERT Polska.
- Details: CERT Polska initiated reporting and analysis to share knowledge regarding the sequence and techniques used. The intended disruption of heat supply to end-users was successfully averted.
## Attack Methodology
- Initial Access: Unknown from source text.
- Persistence: Unknown from source text.
- Privilege Escalation: Unknown from source text.
- Defense Evasion: Unknown from source text.
- Credential Access: Unknown from source text.
- Discovery: Unknown from source text.
- Lateral Movement: Unknown from source text.
- Collection: Unknown from source text.
- Exfiltration: None; the objective was purely destructive rather than data exfiltration.
- Impact: Disruption of communication/IT systems and direct interference with physical industrial devices (ICS).
## Impact Assessment
- Financial: Not specified.
- Data Breach: Primarily focused on operational disruption; data integrity/exfiltration not the primary goal.
- Operational: Disruption of communications for over 30 renewable farms. Potential threat of heat supply failure to nearly half a million customers, which was *avoided*. Production of electricity was not affected.
- Reputational: Significant security event highlighting vulnerability of critical infrastructure during adverse weather conditions.
## Indicators of Compromise
(No specific IoCs (IP addresses, domains, or file hashes) were provided in the summary text.)
- Network indicators: None provided.
- File indicators: N/A
- Behavioral indicators: Targeted coordination across multiple critical infrastructure entities; combined impact on IT and physical industrial devices.
## Response Actions
- Containment measures: Not detailed, but the outcome suggests immediate action prevented the complete shutdown of heat supply.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed, though operations eventually stabilized.
## Lessons Learned
- Escalation: The observed attacks represent a significant escalation compared to previous incidents.
- Attack Sophistication: The incident involved a rare combination of simultaneous attacks affecting both Information Technology (IT) systems and physical Industrial Control Systems (ICS).
- Context Awareness: The attack was timed during a period of high external threat (low temperatures and snowstorms), suggesting operational awareness by the adversary.
## Recommendations
- Harden ICS/OT environments to resist combined IT/OT attacks.
- Enhance monitoring specifically for destructive payloads aimed at industrial processes, especially during peak operational stress or adverse environmental conditions.
- Review incident response plans for coordinated, multi-sector cyber-physical attacks.