
Cyber Threat Actor: Static Tundra

Aliases: 2 (Static Tundra, Ghost Blizzard)
Actor Type: Nation State
Location: Russia
Known Incidents: 3
Profile

The threat actor is known by the aliases Static Tundra and Ghost Blizzard. Public reporting attributes the actor to Russia. Attribution analyses associate it with other Russia‑linked groups such as Berserk Bear and Dragonfly, and also with the Sandworm/Electrum cluster, which places the actor within Russia‑linked threat activity.

The actor’s observed operations focus on the energy and industrial sectors. In the reported incidents the targets included wind and solar farms, a heat‑and‑power plant, and a private manufacturing facility, all located in Poland. The actions taken (corrupting firmware, deleting files, resetting controllers, and deploying wiper malware) show an intent to disrupt operations and destroy data rather than to gather information or gain financial profit; the strategic objective demonstrated in these attacks is therefore disruption and data destruction.

Initial access is gained by exploiting internet‑exposed FortiGate VPN concentrators that lack multi‑factor authentication, using stolen device configurations to enter the network. Once inside, the actor elevates privileges to obtain administrative access to the Windows domain. This privileged foothold serves as the persistence mechanism and enables further movement within the environment. The actor then manipulates industrial control devices from vendors such as Hitachi Energy, Mikronika, and Moxa, corrupting firmware, deleting files, and resetting RTUs, protection relays, HMIs, and serial device servers. On Windows hosts, wiper payloads named DynoWiper and LazyWiper are distributed via Group Policy Objects, with the LazyWiper variant delivered as a PowerShell script.

A representative operation occurred on 2025‑12‑29, when the actor launched coordinated attacks against Poland’s renewable energy facilities, a heat‑and‑power plant, and a manufacturing company. The assault combined VPN‑based entry, firmware corruption on controllers, and deployment of the two wiper families, resulting in loss of operator communication at the renewable sites and attempted data destruction at the other targets. Although endpoint detection and response tools blocked some wiper execution, the incident demonstrated the actor’s ability to combine IT and OT techniques to achieve disruptive effects. This event is frequently cited in public reports as an illustration of the actor’s typical methodology and of its linkage to Russia‑associated threat clusters.

Incidents: 3 attributed incidents (details available to members)
Sources: 0 sources listed