Cyber Incident Victim: Private manufacturing company

Date: Dec 2025

Location: Poland

Summary

Coordinated cyberattacks struck Poland’s energy and industrial sectors, hitting numerous wind and solar farms, a heat and power plant, and a private manufacturing company. Intruders entered through internet‑exposed FortiGate VPN concentrators lacking multi‑factor authentication, using stolen device configurations to establish persistence and gain administrative Windows domain access. At the renewable facilities they corrupted firmware, deleted files and reset controllers, disrupting communication with operators while generation continued. At the heat and power plant they deployed the DynoWiper wiper via Group Policy Objects, and at the manufacturing company they used a PowerShell‑based LazyWiper distributed similarly, aiming to destroy business‑critical data. CERT Polska attributed the activity to a single threat actor linked to Russia‑associated groups such as Static Tundra, Berserk Bear, Ghost Blizzard and Dragonfly.

Description

On 29 December 2025, a series of coordinated cyberattacks struck Poland’s critical infrastructure, targeting wind and solar farms, a heat and power plant, and a private manufacturing company. The attackers gained their initial foothold in the manufacturing company’s network through a Fortinet perimeter device whose configuration had previously been stolen and publicly disclosed on an online forum used by criminal communities. After establishing access, the threat actors modified the device’s settings to maintain persistence even if legitimate credentials were later changed. From the compromised perimeter, they moved laterally inside the internal network until they achieved administrative privileges within the Windows domain. This progression occurred concurrently with the attacks on energy sector targets that same day.

With domain administrator access, the attackers deployed a PowerShell‑based wiper dubbed LazyWiper through Group Policy Objects, intending to destroy business‑critical data stored on the company’s systems. The wiper’s file‑overwriting function was assessed by Poland’s CERT to have been generated by a large language model. The destructive phase aimed to erase or corrupt essential files, disrupting the company’s ability to access its operational and business data. The activity was described as opportunistic, unfolding alongside the broader campaign against energy and industrial organizations. The use of Group Policy Objects allowed the wiper to propagate across domain‑joined workstations and servers.
