Cyber Incident Victim: Poland's renewable energy facilities

Date:

Dec 2025

Location:

Poland

Summary

Poland's renewable energy facilities were hit by coordinated cyberattacks in which the attackers gained initial access through internet‑exposed FortiGate VPN devices that still used default credentials and lacked multi‑factor authentication. They moved into industrial control systems, corrupting firmware, deleting files and resetting RTUs, protection relays, HMIs and serial device servers from Hitachi Energy, Mikronika and Moxa; this disrupted communication with operators but did not stop electricity generation. At the same time, wiper malware (DynoWiper, LazyWiper) was deployed on Windows hosts, though endpoint detection limited its impact; a heat‑and‑power plant and a manufacturing firm experienced similar destructive attempts. Analysis attributed the activity to a Russia‑linked threat group (identified as Static Tundra/Berserk Bear/Ghost Blizzard/Dragonfly, also associated with Sandworm/Electrum) and noted that default credentials, not zero‑day exploits, enabled the intrusion.

Description

On 29 December 2025 a series of coordinated cyberattacks struck Poland’s critical infrastructure, targeting numerous wind and solar farms, a combined heat and power plant supplying heat to nearly half a million customers, and a private manufacturing company. The attackers gained their initial foothold through internet‑exposed FortiGate perimeter devices that were configured as VPN concentrators and firewalls, with the VPN interfaces accessible without multi‑factor authentication and often protected only by default credentials. Once inside, the threat actors moved to grid connection point substations where renewable plants interface with distribution system operators, compromising industrial control systems such as RTU controllers, protection relays, HMI computers and serial device servers from vendors including Hitachi Energy, Mikronika and Moxa. Destructive actions included uploading corrupted firmware, deleting operating files and resetting devices to factory settings, which caused a loss of communication between the facilities and their distribution system operators, degrading monitoring and remote‑control capabilities while electricity generation continued uninterrupted.

At the CHP plant the intruders had maintained access for months prior to the destructive phase, conducting reconnaissance, harvesting credentials and stealing sensitive operational information; they obtained privileged Active Directory credentials that enabled lateral movement across servers and workstations. Using Group Policy Objects they deployed a custom wiper dubbed DynoWiper from a domain controller, an action that was detected and blocked by an endpoint detection and response platform, limiting the scope of damage. The manufacturing company suffered a similar wiper attack after the attackers reused a previously stolen Fortinet device configuration to establish persistence, then distributed a PowerShell‑based wiper called LazyWiper via Group Policy Objects with the aim of destroying business‑critical data; the file‑overwriting function of this script was noted by analysts as potentially generated by a large language model.
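The paragraph above notes that the GPO-delivered wiper was caught by an endpoint detection and response platform. As an added illustration of that detection angle (this code is not taken from the incident reporting or from any vendor's product), the following Python check scans constructed Windows process-creation records and flags a script launched from the domain's SYSVOL or NETLOGON share on many hosts within a short window, which is the shape a Group Policy based mass deployment takes. The hostnames, domain name, policy GUID, script names and timestamps are all made up for the example, and the field layout only mirrors Security event 4688 / Sysmon event 1; a real deployment would baseline the organisation's own legitimate logon scripts instead of the single constructed entry used here.

```python
"""Flag a GPO-delivered script executing on many hosts in a short window.

Constructed example: the records below imitate Windows process-creation
events (Security 4688 / Sysmon 1) but are hand-written. One host running a
GPO logon script is routine; a previously unseen script from SYSVOL appearing
on many hosts within minutes is what a GPO-based mass deployment looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Matches a UNC path into a domain's SYSVOL or NETLOGON share.
SCRIPT_PATH_RE = re.compile(r"\\\\[^\\\s]+\\(?:SYSVOL|NETLOGON)\\[^\s\"']+", re.IGNORECASE)
# Interpreters that execute scripts; anything else opening a SYSVOL file is ignored.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed paths: domain, policy GUID and script names are made up.
GPO_SCRIPT = r"\\corp.example\SYSVOL\corp.example\Policies\{A1B2C3D4}\Machine\Scripts\Startup\maint.ps1"
LOGON_BAT = r"\\corp.example\NETLOGON\logon.bat"

# Known-good scripts the organisation deploys itself (constructed baseline).
BASELINE_SCRIPTS = frozenset({LOGON_BAT.lower()})


def ev(time, host, image, cmdline):
    return {"time": time, "host": host, "image": image, "cmdline": cmdline}


# Constructed sample records.
SAMPLE_EVENTS = [
    ev("2025-12-29T03:10:00", "WS-ENG-01", PS, f"powershell.exe -File {GPO_SCRIPT}"),
    ev("2025-12-29T05:57:20", "WS-ENG-01", CMD, f"cmd.exe /c {LOGON_BAT}"),
    ev("2025-12-29T05:58:10", "WS-ENG-01", PS, f"powershell.exe -ExecutionPolicy Bypass -File {GPO_SCRIPT}"),
    ev("2025-12-29T05:58:42", "WS-ENG-02", PS, f"powershell.exe -ExecutionPolicy Bypass -File {GPO_SCRIPT}"),
    ev("2025-12-29T05:59:05", "SRV-HIST-01", PS, f"powershell.exe -ExecutionPolicy Bypass -File {GPO_SCRIPT}"),
    ev("2025-12-29T06:00:30", "WS-OPS-07", PS, f"powershell.exe -ExecutionPolicy Bypass -File {GPO_SCRIPT}"),
    ev("2025-12-29T06:01:00", "WS-OPS-07", PS, r"powershell.exe -File C:\Tools\local_backup.ps1"),
    ev("2025-12-29T06:02:00", "WS-ENG-02", r"C:\Windows\System32\notepad.exe", f"notepad.exe {GPO_SCRIPT}"),
]


def extract_sysvol_script(event):
    """Return the lower-cased SYSVOL/NETLOGON script path run by a script host, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    match = SCRIPT_PATH_RE.search(event["cmdline"])
    return match.group(0).lower() if match else None


def find_mass_deployments(events, window=timedelta(minutes=10), min_hosts=3,
                          baseline=BASELINE_SCRIPTS):
    """Alert on any non-baseline SYSVOL script seen on >= min_hosts distinct hosts within `window`."""
    by_script = defaultdict(list)
    for event in events:
        script = extract_sysvol_script(event)
        if script is None or script in baseline:
            continue
        by_script[script].append((datetime.fromisoformat(event["time"]), event["host"]))

    alerts = []
    for script, runs in by_script.items():
        runs.sort()
        start, peak = 0, 0
        # Sliding window over time-ordered runs, counting distinct hosts.
        for end in range(len(runs)):
            while runs[end][0] - runs[start][0] > window:
                start += 1
            peak = max(peak, len({host for _, host in runs[start:end + 1]}))
        if peak >= min_hosts:
            alerts.append({"script": script, "hosts_in_window": peak,
                           "first_seen": runs[0][0].isoformat()})
    return sorted(alerts, key=lambda a: -a["hosts_in_window"])


if __name__ == "__main__":
    for alert in find_mass_deployments(SAMPLE_EVENTS):
        print(f"{alert['hosts_in_window']} hosts ran {alert['script']} (first seen {alert['first_seen']})")
```

The check deliberately keys on the script path rather than on file hashes, because a GPO startup script can be edited in place on the domain controller; the window and host threshold are tuning knobs, and the baseline set is where an organisation's own logon scripts belong so they do not fire on every boot.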

Investigations by Poland’s CERT concluded that the same threat actor was responsible for all incidents, describing the group as Russia‑linked and tracked under aliases such as Static Tundra, Berserk Bear, Ghost Blizzard and Dragonfly. The attackers exploited default credentials on Fortinet FortiGate appliances at each of the roughly thirty targeted sites, logged in to Hitachi RTU560 units with default credentials and uploaded malicious firmware; this was made possible by a security feature that had not been enabled and by CVE‑2024‑2617, which permits unsigned firmware updates. Hitachi Relion protection relays were reached via an enabled default FTP account with default credentials, while Mikronika RTUs and HMIs were compromised through default local administrator credentials, allowing the deployment of wipers on the Windows machines hosting HMI software. Moxa NPort serial device servers were accessed through exposed web interfaces, where default credentials were used to reset the devices to factory settings, change login passwords and assign IP addresses that locked out legitimate users. No zero‑day vulnerabilities were employed in the operation. Attribution assessments varied: CERT Polska linked the activity to a Russia‑linked group, ESET assigned medium confidence to Sandworm, and Dragos attributed the attack with moderate confidence to a group it tracks as Electrum, which it describes as related to Sandworm. Polish officials publicly blamed Russia for the cyberattack, though the combined loss of capacity across the thirty affected facilities was determined not to threaten the stability of the national power system during the period in question. No electrical outages resulted from the incidents.
