Cyber Incident Victim: Heat and power (CHP) plant

Date: Dec 2025

Location: Poland

Summary

Coordinated cyberattacks struck Poland's energy and industrial sectors. Initial access came through internet-exposed FortiGate devices, used as VPN concentrators and firewalls, whose logins had no multi-factor authentication. The attackers, attributed to a Russia-linked group, compromised wind and solar farms, a private manufacturer and a heat and power (CHP) plant. At the renewable sites they uploaded corrupted firmware, deleted operating files and reset control devices to factory settings; at the CHP plant and the manufacturer they pushed wiper malware through Group Policy Objects. At the CHP plant an EDR platform blocked the wiper's execution, limiting the damage; the renewable facilities lost communication with their operators while generation continued; and the manufacturer was targeted with a PowerShell-based wiper aimed at its business data.


Description

On 29 December 2025, a series of coordinated cyberattacks struck Poland's critical infrastructure. The attackers gained an initial foothold through internet-exposed FortiGate perimeter devices, configured as VPN concentrators and firewalls, that lacked multi-factor authentication. The same threat actor targeted numerous wind and solar farms, a private manufacturing company, and a heat and power (CHP) plant, but the attacks did not disrupt energy generation or distribution. In the renewable energy sector, at least 30 wind and photovoltaic facilities were hit, with the attackers focusing on the grid connection point substations where the plants interface with distribution system operators. They compromised industrial control equipment including RTU controllers, protection relays, HMI computers, and serial device servers from vendors such as Hitachi Energy, Mikronika, and Moxa, uploading corrupted firmware, deleting operating files, and resetting devices to factory settings. The result was a loss of communication between the facilities and the distribution system operators, which reduced monitoring and remote-control capability while electricity generation continued.


For the CHP plant supplying heat to nearly half a million customers, the attackers’ objective was irreversible data loss across the organization’s internal network through the deployment of wiper malware. Prior to the destructive phase, the intruders had maintained months of unauthorized access, conducted internal reconnaissance, and stolen sensitive operational information, during which they obtained privileged Active Directory credentials that enabled lateral movement across servers and workstations. The custom wiper, identified as DynoWiper, was distributed via Group Policy Objects from a domain controller, but an endpoint detection and response platform detected the activity and blocked its execution, limiting the scope of damage. Indicators associated with the intrusion had been observed earlier in 2025, indicating sustained access and preparation ahead of the attack.
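Delivery through Group Policy, as described above for the CHP plant (and reused with the PowerShell wiper at the manufacturer), leaves a trace on the domain controller before any endpoint runs anything. The following is an added example, not code from the page or from CERT Polska: a Python hunt over Windows Security events that flags a GPO gaining the startup-script client-side extension (event 5136, which requires directory service change auditing and a SACL on the Policies container) and joins it with process creations on endpoints whose parent is gpscript.exe (event 4688, with command-line logging enabled). Event field names follow the Windows schema as an assumption; the records, GUIDs, account and host names are constructed.

```python
"""Hunt for startup-script delivery through Group Policy in Windows Security events.

Added example, not from the original page or from CERT Polska. It assumes the
standard Windows Security event schema: 5136 (directory service object
modified, logged on the domain controller) and 4688 (process creation on the
endpoints, with command-line logging enabled). All records below are
constructed; the GPO GUIDs, account and host names are made up.
"""
import re
from collections import defaultdict

# Client-side extension for "Scripts (Startup/Shutdown)". A GPO only runs
# machine startup scripts once this CSE appears in gPCMachineExtensionNames.
SCRIPTS_CSE = "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"
VALUE_ADDED = "%%14674"  # 5136 OperationType resource string for "Value Added"
GPO_DN_RE = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=Policies,", re.IGNORECASE)
GPO_PATH_RE = re.compile(
    r"\\\\[^\\]+\\sysvol\\[^\\]+\\Policies\\(\{[0-9A-F-]{36}\})", re.IGNORECASE)


def gpo_script_modifications(events):
    """GPO GUID -> (time, account) for 5136 events that wired the Scripts CSE
    into a groupPolicyContainer, i.e. someone attached startup scripts to a GPO."""
    hits = {}
    for e in events:
        if (e.get("EventID") == 5136
                and e.get("ObjectClass") == "groupPolicyContainer"
                and e.get("AttributeLDAPDisplayName") == "gPCMachineExtensionNames"
                and e.get("OperationType") == VALUE_ADDED
                and SCRIPTS_CSE.lower() in e.get("AttributeValue", "").lower()):
            m = GPO_DN_RE.match(e.get("ObjectDN", ""))
            if m:
                hits[m.group(1).upper()] = (e["TimeCreated"], e.get("SubjectUserName"))
    return hits


def gpo_script_executions(events):
    """GPO GUID -> hosts on which gpscript.exe (the Group Policy script runner)
    launched a process whose command line points into that GPO's SYSVOL folder."""
    runs = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4688:
            continue
        if not e.get("ParentProcessName", "").lower().endswith("\\gpscript.exe"):
            continue
        m = GPO_PATH_RE.search(e.get("CommandLine", ""))
        if m:
            runs[m.group(1).upper()].add(e["Computer"])
    return runs


def correlate(events):
    """One finding per GPO that gained startup scripts, with the hosts that have
    already run them; an empty host list means modified but not yet executed."""
    runs = gpo_script_executions(events)
    return [{"gpo": guid, "modified_at": when, "modified_by": who,
             "executed_on": sorted(runs.get(guid, ()))}
            for guid, (when, who) in gpo_script_modifications(events).items()]


# ---- constructed sample data (not real telemetry) ----
GPO_A = "{2F1D8A6B-5C4E-4A3B-9D0E-7B6C5A4D3E2F}"   # scripts attached and already run
GPO_B = "{9C0B4E21-7D3A-4F8E-B1C2-0A5D6E7F8901}"   # scripts attached, not yet run
SCRIPT_A = (r"\\corp.example\sysvol\corp.example\Policies\%s"
            r"\Machine\Scripts\Startup\cleanup.ps1" % GPO_A)
GPSCRIPT = r"C:\Windows\System32\gpscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DN = "CN=%s,CN=Policies,CN=System,DC=corp,DC=example"
SCRIPTS_EXT = "[%s{40B6664F-4972-11D1-A7CA-0000F87571E3}]" % SCRIPTS_CSE


def _gpo_mod(guid, who, when, attr, value):
    return {"EventID": 5136, "TimeCreated": when, "Computer": "DC01", "SubjectUserName": who,
            "ObjectClass": "groupPolicyContainer", "ObjectDN": DN % guid,
            "AttributeLDAPDisplayName": attr, "OperationType": VALUE_ADDED,
            "AttributeValue": value}


def _proc(host, parent, cmd):
    return {"EventID": 4688, "Computer": host, "ParentProcessName": parent,
            "NewProcessName": PS, "CommandLine": cmd}


SAMPLE_EVENTS = [
    _gpo_mod(GPO_A, "svc_backup", "2025-12-29T02:14:05Z", "gPCMachineExtensionNames", SCRIPTS_EXT),
    _gpo_mod(GPO_B, "svc_backup", "2025-12-29T02:15:40Z", "gPCMachineExtensionNames", SCRIPTS_EXT),
    _gpo_mod("{5E6F7A8B-1C2D-4E3F-A4B5-C6D7E8F90A1B}", "gpo_admin", "2025-12-29T02:20:00Z",
             "versionNumber", "17"),                                   # benign GPO edit
    _proc("WS-OPS-12", GPSCRIPT, "powershell.exe -ExecutionPolicy Bypass -File " + SCRIPT_A),
    _proc("WS-ACCT-07", GPSCRIPT, "powershell.exe -ExecutionPolicy Bypass -File " + SCRIPT_A),
    _proc("WS-HR-03", r"C:\Windows\explorer.exe", "powershell.exe"),  # interactive, not GPO-launched
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The 5136 match is the one worth alerting on by itself: it fires on the domain controller at the moment scripts are attached to a GPO, which in the CHP case is the window between the attacker's preparation and the EDR block on the endpoints. The hunt covers startup scripts only; a wiper scheduled through Group Policy Preferences (an immediate scheduled task) would need its own client-side extension GUID and the corresponding task-creation events, which this example does not enumerate.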

The private manufacturing company was attacked concurrently. Initial access came through a Fortinet perimeter device whose configuration had previously been stolen and published on an online forum used by criminal communities; the attackers modified the device's settings so that their access would survive a change of credentials. After establishing a foothold, they moved laterally within the internal network and obtained administrative access to the Windows domain. The destructive phase relied on a PowerShell-based wiper referred to as LazyWiper, likewise distributed through Group Policy Objects with the goal of destroying business-critical data; CERT Polska noted that the script's file-overwriting function appeared to have been generated by a large language model. CERT Polska assessed that all of the incidents were carried out by the same threat actor and were purely destructive in nature, linking the activity to a Russia-linked group tracked variously as Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly.
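The summary and both descriptions point at the same initial-access weakness: FortiGate devices reachable from the internet with logins that needed no second factor, and at the manufacturer a device whose leaked configuration was then altered. The following is an added example, not code from the page, from CERT Polska or from Fortinet: a small Python audit of a FortiOS configuration backup that flags administrators and local users without `two-factor`, administrators without trusted-host restrictions, and lists API users for comparison against a known-good baseline. The setting names, the parser's view of the config layout and the sample configuration are assumptions constructed for the example.

```python
"""Audit a FortiGate configuration backup for logins that need no second factor
and list the administrative principals that must match a known-good baseline.

Added example, not from the page, CERT Polska or Fortinet. It assumes the
FortiOS CLI config layout (config / edit / set / next / end) and the
`two-factor` and `trusthostN` settings of `config system admin` and
`config user local`. The configuration text below is constructed, and only
local accounts are checked.
"""
import shlex

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC XXXX
    next
    edit "svc-remote"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
end
config system api-user
    edit "automation"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user local
    edit "vpn.alice"
        set type password
        set two-factor fortitoken
        set passwd ENC XXXX
    next
    edit "vpn.contractor"
        set type password
        set passwd ENC XXXX
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry: {setting: [values]}}} for top-level sections.
    `config` blocks nested inside an entry are skipped, but their depth is
    tracked so that `end` lines pair up correctly."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(args))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif kw == "edit" and len(stack) == 1:
            entry = sections[stack[0]].setdefault(args[0], {})
        elif kw == "set" and len(stack) == 1 and entry is not None:
            entry[args[0]] = args[1:]
        elif kw == "next" and len(stack) == 1:
            entry = None
        elif kw == "end" and stack:
            stack.pop()
    return sections


def audit(sections):
    """Return (category, section, entry, detail) findings. FortiOS omits settings
    left at their default, so a missing `two-factor` is treated as disabled."""
    findings = []
    for name, s in sections.get("system admin", {}).items():
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin-no-mfa", "system admin", name,
                             "administrator can log in with a password alone"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("admin-no-trusthost", "system admin", name,
                             "administrator login not limited to trusted hosts"))
    for name, s in sections.get("system api-user", {}).items():
        findings.append(("api-user", "system api-user", name,
                         "API principal with profile %s; confirm it is in the baseline"
                         % s.get("accprofile", ["?"])[0]))
    for name, s in sections.get("user local", {}).items():
        if (s.get("type", [""])[0] == "password"
                and s.get("two-factor", ["disable"])[0] == "disable"):
            findings.append(("user-no-mfa", "user local", name,
                             "local user authenticates with a password alone"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print("%-18s %-16s %-15s %s" % f)
```

Two caveats. SSL-VPN users are often drawn from LDAP or RADIUS groups rather than `config user local`, and a second factor for them is enforced at the identity provider or in the `user group` settings; those paths are out of scope for this audit. And once a configuration has leaked, as it had at the manufacturer, the account and API-user listing should be diffed against the last known-good backup rather than read in isolation, because the page notes the attackers changed device settings so that their access would outlast a credential change.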
