Poland’s Energy Sector Hit by Coordinated Cyber Attacks Linked to Russian Hackers


On December 29, 2025, Poland’s energy infrastructure faced a series of coordinated cyber attacks targeting over 30 wind and photovoltaic farms, a manufacturing company, and a major combined heat and power (CHP) plant supplying heat to nearly half a million residents. CERT Polska, the nation’s computer emergency response team, has attributed these incidents to a threat group known as Static Tundra, also referred to by aliases such as Berserk Bear, Blue Kraken, and Energetic Bear. This group is believed to be associated with Russia’s Federal Security Service’s (FSB) Center 16 unit.

The primary objective of these attacks was destruction. While the assaults disrupted communication between renewable energy facilities and the distribution system operator, they did not halt electricity production. Similarly, the attack on the CHP plant failed to disrupt heat supply to end-users.

Attack Methodology:

The attackers infiltrated the internal networks of power substations linked to renewable energy facilities, conducting reconnaissance and engaging in disruptive activities. Their tactics included damaging controller firmware, deleting system files, and deploying custom-built wiper malware known as DynoWiper.

In the case of the CHP plant, the adversaries engaged in prolonged data theft dating back to March 2025. This allowed them to escalate privileges and move laterally across the network. However, their attempts to deploy the wiper malware were unsuccessful.

The manufacturing sector company appeared to be an opportunistic target. The attackers gained initial access through a vulnerable Fortinet perimeter device. Similarly, the attack on the grid connection point likely involved exploiting a vulnerable FortiGate appliance.

Malware Analysis:

CERT Polska identified four versions of DynoWiper. They were deployed on Mikronika HMI computers used by the energy facility and on a network share within the CHP plant, the latter after the attackers reached the network through the SSL‑VPN portal service of a FortiGate device. The attackers used multiple accounts defined in the device configuration that had no two‑factor authentication, connecting through Tor nodes and various IP addresses associated with compromised infrastructure.

DynoWiper’s functionality includes:

– Initializing by seeding a Mersenne Twister pseudorandom number generator (PRNG).

– Enumerating files and corrupting them using the PRNG.

– Deleting files.

Notably, the malware lacks persistence mechanisms, command-and-control communication, or shell command execution capabilities. It also does not attempt to conceal its activities from security programs.

In the manufacturing sector attack, a PowerShell-based wiper dubbed LazyWiper was used. This script overwrites files with pseudorandom 32‑byte sequences, rendering them unrecoverable. It’s suspected that the core wiping functionality was developed using a large language model (LLM).
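As an added example from a defender's perspective (this is not code from CERT Polska, the article, or either wiper): a Python triage script that walks a share or HMI disk image and flags files whose leading bytes no longer carry a file-type header and are statistically close to the uniformly random output a PRNG-driven overwrite leaves behind, scaling the entropy check so that a 32-byte overwrite is judged fairly. The sample files it builds, their names, and the 0.9 threshold are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Magic bytes: a file still carrying one of these headers was not overwritten from offset zero.
KNOWN_MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04", b"MZ", b"\x7fELF", b"\xd0\xcf\x11\xe0", b"\x1f\x8b")

def randomness_ratio(data: bytes) -> float:
    """Entropy per byte divided by the max a sample of this size can reach (32 bytes: 5 bits)."""
    n = len(data)
    if n < 2:
        return 0.0
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy / min(8.0, math.log2(n))

def looks_wiped(path: str, sample: int = 4096, threshold: float = 0.9) -> bool:
    """Flag a file with no known header that is not plain text and is near uniformly random."""
    with open(path, "rb") as f:
        head = f.read(sample)
    if not head or head.startswith(KNOWN_MAGIC):
        return False
    if all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return False  # printable text (configs, scripts, logs) is never flagged
    return randomness_ratio(head) >= threshold

def scan_tree(root: str) -> list[str]:  # root-relative paths of files that look overwritten
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if looks_wiped(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo() -> list[str]:
    """Constructed sample share; 'hmi_project.bin' stands in for a 32-byte PRNG overwrite."""
    root = tempfile.mkdtemp()
    wiped = bytes.fromhex("a713f05c8e21d9467bc402ee39b56a970df852c13e84ab17d3602ffa9c48e5bd")
    samples = {
        "station07.cfg": b"station=WF-07\nmodbus_port=502\nrtu_addr=17\n",  # text: not flagged
        "report.pdf": b"%PDF-1.7\n" + wiped,  # header intact: not flagged
        "hmi_project.bin": wiped,            # no header, random-looking: flagged
        "empty.log": b"",                    # too small to judge: not flagged
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return scan_tree(root)  # returns ['hmi_project.bin']
```

Heuristic only: genuinely encrypted or compressed data without a recognizable header scores just as high, so hits are leads for forensic review rather than proof of wiping.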

Distribution Methods:

The malware targeting renewable energy farms was executed directly on the HMI machine. In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller.

CERT Polska noted code-level similarities between DynoWiper and other wipers built by Sandworm, but described them as generic and not constituting concrete evidence of Sandworm’s involvement in the attack.

Cloud Services Targeting:

The attackers used credentials obtained from the on-premises environment to attempt access to cloud services. After identifying credentials corresponding to accounts in the M365 service, they downloaded selected data from services such as Exchange, Teams, and SharePoint. The attackers were particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work within the organizations.

Implications and Recommendations:

This incident underscores the growing threat to critical infrastructure from state-sponsored cyber actors. Organizations in the energy sector must enhance their cybersecurity measures, including:

– Implementing two-factor authentication across all systems.

– Regularly updating and patching software and hardware to address known vulnerabilities.

– Conducting thorough network monitoring to detect unauthorized access.

– Providing ongoing cybersecurity training for employees to recognize and respond to potential threats.

By adopting these practices, energy sector organizations can better protect themselves against sophisticated cyber attacks and ensure the resilience of critical infrastructure.