Cyberattacks Disrupt Communications at Wind, Solar, and Heat Facilities in Poland


CERT Polska said cyberattacks hit 30+ wind and solar farms, a manufacturer, and a major CHP plant supplying heat to nearly 500,000 people.

On December 29, 2025, Poland faced coordinated cyberattacks targeting over 30 wind and solar farms, a manufacturing company, and a major heat and power plant serving nearly 500,000 people, CERT Polska reported.

The attacks were an act of sabotage timed to a period of severe winter weather. They disrupted only communications; electricity generation and heat supply were not interrupted. The incidents affected both IT systems and physical industrial equipment (OT), a rare and serious escalation. CERT Polska published its report to raise awareness of the growing risk of cyber sabotage.

CERT Polska attributed the attacks to a threat cluster called Static Tundra, linked to Russia’s FSB Center 16, though other firms point to the involvement of the Russia-linked APT Sandworm.

“Analysis of the infrastructure used in the attack – including compromised VPS servers, routers, traffic patterns, and characteristics of anonymizing infrastructure – shows a high degree of overlap with the infrastructure used by the activity cluster publicly known as “Static Tundra” (Cisco), “Berserk Bear” (CrowdStrike), “Ghost Blizzard” (Microsoft), and “Dragonfly” (Symantec).” reads the report published by CERT Polska. “Public descriptions of this actor’s activities indicate a strong interest in the energy sector and capabilities to attack industrial devices, which are consistent with the attacker’s actions observed in this incident. This is, however, the first publicly described destructive activity attributed to this activity cluster.”

The attacks were purely destructive and did not succeed in cutting electricity or heat supply. At the renewable-energy substations, the attackers damaged systems through firmware tampering and the DynoWiper malware. At the CHP plant, they carried out months of data theft and lateral movement before attempting to run the wiper, which was blocked. The manufacturing company was most likely hit opportunistically through vulnerable Fortinet devices.

Attackers targeted power substations that connect wind and solar plants to the grid. They focused on industrial devices like controllers, HMIs, protection relays, and network equipment.

“The attack affected the GCP substation, which serves not only as the physical grid interconnection point but also as the location through which the DSO performs remote monitoring and supervisory control.” continues the report. “Such substations are typically remotely managed and unmanned, with remote access capabilities commonly employed for operations and maintenance.”

(Figure: CERT Polska, renewable energy plant attacks)

After breaking into the internal network, they mapped the systems and launched destructive actions, including damaging firmware, deleting files, and deploying wiper malware. On December 29, the attack disrupted communication with the grid operator and blocked remote control, but electricity production continued without interruption.

Attackers accessed each facility through exposed FortiGate devices used for VPN and firewall functions, often without multi-factor authentication. Some devices had known vulnerabilities, and reused credentials likely helped attackers move between sites. After gaining admin access, they reset devices to erase evidence and slow recovery. On December 29, they launched automated destructive actions, damaging equipment in sequence. They corrupted firmware on Hitachi RTUs, wiped Mikronika controllers, disabled protection relays, compromised HMI computers with DynoWiper malware, and sabotaged Moxa serial devices.
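The initial-access weaknesses described above can be checked from a configuration backup before an attacker does. The following script is an added example for this page, not code from CERT Polska, Fortinet or the article. It parses the FortiOS CLI backup format (nested config / edit / set / next / end blocks) and flags administrators and local (VPN) users without two-factor authentication, administrators with no trusted-host restriction, and WAN-role interfaces that allow HTTPS or SSH management. The sample configuration is constructed for the demo: the keywords (two-factor, trusthost1, allowaccess, role) are FortiOS settings, while the account names and addresses are made up, and a real backup should be read against the reference for the firmware version actually running.

```python
"""Audit a FortiGate configuration backup for the weaknesses described
above: admin or local (VPN) accounts without two-factor authentication,
admins reachable from any source host, and management services allowed
on a WAN-role interface.

Added example for this page, not code from CERT Polska, Fortinet or the
article. SAMPLE_CONFIG is constructed: the CLI keywords are FortiOS ones,
the names and addresses are made up.
"""
import shlex

SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "ot-maint"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set trusthost1 10.20.0.0 255.255.255.0
    next
end
config user local
    edit "vpn-contractor"
        set type password
    next
    edit "vpn-ops"
        set type password
        set two-factor fortitoken
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def parse_fortios(text):
    """Return {section: {entry: {setting: [values]}}} for top-level
    'config ... / edit ... / set ... / next / end' blocks.

    Nested 'config' blocks inside an entry (e.g. 'config ipv6' under an
    interface) are skipped; only the entry's own 'set' lines are kept.
    """
    sections = {}
    depth = []      # names of currently open config blocks
    entry = None    # name of the open top-level 'edit' block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw = tok[0]
        if kw == "config":
            depth.append(" ".join(tok[1:]))
            if len(depth) == 1:
                sections.setdefault(depth[0], {})
        elif kw == "end":
            depth.pop()
        elif len(depth) != 1:
            continue                      # inside a nested block: ignore
        elif kw == "edit":
            entry = tok[1]
            sections[depth[0]].setdefault(entry, {})
        elif kw == "next":
            entry = None
        elif kw == "set" and entry is not None:
            sections[depth[0]][entry][tok[1]] = tok[2:]
    return sections


def audit(sections):
    """Return human-readable findings for a parsed config.
    A missing 'set two-factor' is treated as the FortiOS default (disable)."""
    findings = []
    for name, s in sections.get("system admin", {}).items():
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name!r}: no two-factor authentication")
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name!r}: no trusthost restriction (reachable from any source)")
    for name, s in sections.get("user local", {}).items():
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"local user {name!r}: no two-factor authentication")
    for name, s in sections.get("system interface", {}).items():
        if s.get("role", [""])[0] == "wan":
            exposed = sorted(MGMT_SERVICES & set(s.get("allowaccess", [])))
            if exposed:
                findings.append(f"interface {name!r} (role wan): management allowed: {' '.join(exposed)}")
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", f)
```

Run against the constructed sample, the script reports the shared-credential-style "admin" account with neither two-factor nor trusthost, the contractor VPN user without two-factor, and HTTPS/SSH management on the WAN interface, while the hardened entries (ot-maint, vpn-ops, internal) produce nothing. Running the same check across every site's backup is a cheap way to find the credential reuse and exposed management planes that let the attackers hop between facilities.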

These actions cut communications and remote control but did not stop electricity production.

Attackers aimed to sabotage a large combined heat and power plant by destroying data with wiper malware. They spent months inside the network, stealing sensitive information and gaining privileged access. When they tried to activate the malware, the plant’s EDR system stopped the attack. On the same day, attackers also hit a manufacturing company in an opportunistic move, using the same wiper malware. The attack was coordinated in timing but not directly linked to the energy targets.

During the attacks, the attackers used previously unknown wiper malware designed only to destroy data, with no ransom demand. Investigators identified two tools: the Windows wiper called DynoWiper and a PowerShell script named LazyWiper. DynoWiper corrupted and deleted files across disks by overwriting parts of them with random data, making recovery impossible. The researchers noted that it had no command-and-control, no persistence, and made no effort to hide. LazyWiper targeted a wide range of file types and partially overwrote files to render them unusable; analysts believe part of it may have been generated using an AI tool. Attackers spread the malware through Active Directory using malicious Group Policy tasks to run it across networks.
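Group Policy is a convenient mass-deployment channel for exactly this kind of wiper, and the task definitions it pushes are plain XML in SYSVOL that a defender can triage. The script below is an added example for this page, not code from CERT Polska or the article. It parses a Group Policy Preferences ScheduledTasks.xml (the file the Group Policy editor writes under each policy's Machine\Preferences\ScheduledTasks folder) and scores each task on indicators of a domain-wide payload push: an ImmediateTaskV2 (runs on every machine at the next policy refresh), execution as SYSTEM, a script or interpreter host as the command, a payload loaded from a UNC share, encoded/hidden/bypass flags, and a recent change timestamp. The XML is constructed for the demo: element and attribute names follow the GPP schema, while the task names, GUIDs, server and file paths are made up.

```python
"""Triage Group Policy Preferences scheduled tasks (ScheduledTasks.xml in
SYSVOL) for the pattern described above: a task pushed by Group Policy
that runs a payload on every machine in scope.

Added example for this page, not code from CERT Polska or the article.
The XML is constructed; element and attribute names follow the GPP
schema, the names, GUIDs and paths are made up.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_SCHEDULED_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="LogRotate"
          changed="2025-06-10 08:15:02" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="LogRotate" runAs="CORP\svc-logs" logonType="Password">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>C:\Tools\logrotate.exe</Command><Arguments>--quiet</Arguments></Exec>
      </Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="upd"
          changed="2025-12-29 03:41:17" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="upd" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author">
        <Exec><Command>powershell.exe</Command>
        <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -File \\dc01\netlogon\update.ps1</Arguments></Exec>
      </Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
UNC_RE = re.compile(r"\\\\[\w.-]+\\")          # \\host\share...
EVASION_RE = re.compile(r"-e(nc|ncodedcommand)?\b|bypass|-w(indowstyle)?\s+hidden", re.I)


@dataclass
class GppTask:
    kind: str        # "TaskV2" (scheduled) or "ImmediateTaskV2" (next policy refresh)
    name: str
    changed: str     # "YYYY-MM-DD HH:MM:SS" as written by the Group Policy editor
    run_as: str
    command: str
    arguments: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_gpp_tasks(xml_text):
    """Parse one ScheduledTasks.xml and return a GppTask per task element."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    tasks = []
    for el in ET.fromstring(data):
        if el.tag not in ("TaskV2", "ImmediateTaskV2"):
            continue
        props = el.find("Properties")
        exe = el.find(".//Exec")
        tasks.append(GppTask(
            kind=el.tag,
            name=el.get("name", ""),
            changed=el.get("changed", ""),
            run_as=props.get("runAs", "") if props is not None else "",
            command=exe.findtext("Command", default="") if exe is not None else "",
            arguments=exe.findtext("Arguments", default="") if exe is not None else "",
        ))
    return tasks


def score_task(task, since="2025-12-01"):
    """Attach one reason per indicator; the score is the number of reasons."""
    cmdline = f"{task.command} {task.arguments}"
    if task.kind == "ImmediateTaskV2":
        task.reasons.append("immediate task: runs on every machine at next policy refresh")
    if "system" in task.run_as.lower():
        task.reasons.append("runs as SYSTEM")
    if task.command.rsplit("\\", 1)[-1].lower() in INTERPRETERS:
        task.reasons.append(f"script/interpreter host: {task.command}")
    if UNC_RE.search(cmdline):
        task.reasons.append("payload loaded from a network share (UNC path)")
    if EVASION_RE.search(task.arguments):
        task.reasons.append("encoded/hidden/bypass flags in arguments")
    if task.changed >= since:            # timestamps sort lexicographically
        task.reasons.append(f"modified on or after {since}")
    return task


def audit_gpp_tasks(xml_text, since="2025-12-01", threshold=3):
    """Return tasks with at least `threshold` indicators, highest score first."""
    scored = [score_task(t, since) for t in parse_gpp_tasks(xml_text)]
    return sorted((t for t in scored if t.score >= threshold), key=lambda t: -t.score)


if __name__ == "__main__":
    for t in audit_gpp_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"{t.kind} {t.name!r} score={t.score} runAs={t.run_as}")
        for r in t.reasons:
            print("   -", r)
```

On the constructed file the routine log-rotation task scores zero and the immediate SYSTEM task that pulls a PowerShell script from a share hits every indicator. In a real environment the loop would run over every Policies\{GUID} folder in SYSVOL, and a task that trips the threshold should be correlated with who modified the GPO (AD change auditing) and when, since in this incident the deployment was the last step after months of privileged access.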

CERT Polska found that the attackers used compromised VPS servers and Cisco routers, with infrastructure matching patterns linked to the APT group known as Static Tundra, also tracked as Berserk Bear, Ghost Blizzard, or Dragonfly. The infrastructure closely matches activity previously described by Cisco and the FBI and shows strong links to attacks against the energy sector. While the wiper malware shared some similarities with tools used by Sandworm, the overlap was not strong enough for firm attribution. CERT Polska concluded the attack infrastructure aligns with Static Tundra, marking its first publicly known destructive operation.

Recent reports from ESET and Dragos suggest, with moderate confidence, that a different Russian state-backed group known as Sandworm may be behind the activity.



Pierluigi Paganini

(SecurityAffairs – hacking, CERT Polska)




Source: https://securityaffairs.com/187503/apt/cyberattacks-disrupt-communications-at-wind-solar-and-heat-facilities-in-poland.html