Cyberattacks Target Poland’s Renewable Energy Amid Winter Crisis; Linked to Russian Threat Group Static Tundra

Coordinated Cyberattacks Target Poland’s Renewable Energy Infrastructure

On December 29, 2025, Poland’s energy sector faced a series of coordinated cyberattacks targeting over 30 wind and solar farms, a large combined heat and power (CHP) plant, and a manufacturing facility. These attacks occurred during severe winter conditions, with plummeting temperatures and snowstorms threatening the nation’s energy stability. The perpetrators aimed to inflict damage on critical infrastructure rather than extract information, marking a significant escalation in cyber threats against European energy systems.

Targeted Infrastructure and Attack Methods

The cyberattacks focused on power substations that serve as connection points between renewable energy sources and the distribution network. Industrial automation devices at these locations were primary targets, including:

– Remote Terminal Units (RTUs): Devices managing telecontrol operations.

– Human-Machine Interfaces (HMIs): Systems displaying facility status.

– Protection Relays: Equipment safeguarding against electrical damage.

– Communication Equipment: Routers and network switches facilitating data flow.

After infiltrating internal networks, the attackers conducted thorough reconnaissance before executing their destructive plan. They deployed custom-built wiper malware designed to irreversibly delete data and disrupt operations. This malware targeted both information technology (IT) systems and operational technology (OT) devices, representing a significant escalation in cyber sabotage tactics.

Impact on Energy Operations

Despite the attackers’ efforts, electricity production and heat supply remained unaffected. The primary impact was the disruption of communication channels between the renewable energy facilities and the distribution system operator. This disruption posed potential risks to grid stability and operational efficiency, especially during the harsh winter conditions.
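The loss of telemetry described above is something a distribution system operator can detect from its own monitoring data: one site going quiet is routine (a link fault, a maintenance window), but many sites going quiet within the same few minutes is the coordinated pattern this incident produced. The following added example is not from the article or from CERT Polska; it is illustrative detection logic over a constructed heartbeat log, and the site identifiers, the five-minute heartbeat interval and the thresholds are all assumptions chosen for the example.

```python
"""Flag a coordinated loss of telemetry from many generation sites at once.

Added example, not from the original article. Assumes a distribution system
operator receives a periodic heartbeat from every connected site (constructed
format: "<ISO timestamp> <site_id> heartbeat") and treats a site as silent
once it has missed a configurable number of intervals.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three sites stop reporting after 03:05, one keeps going.
SAMPLE_LOG = """\
2025-12-29T03:00:00 WF-01 heartbeat
2025-12-29T03:00:00 WF-02 heartbeat
2025-12-29T03:00:00 SF-07 heartbeat
2025-12-29T03:00:00 CHP-1 heartbeat
2025-12-29T03:05:00 WF-01 heartbeat
2025-12-29T03:05:00 WF-02 heartbeat
2025-12-29T03:05:00 SF-07 heartbeat
2025-12-29T03:05:00 CHP-1 heartbeat
2025-12-29T03:10:00 CHP-1 heartbeat
2025-12-29T03:15:00 CHP-1 heartbeat
2025-12-29T03:20:00 CHP-1 heartbeat
"""

HEARTBEAT_INTERVAL = timedelta(minutes=5)  # assumed reporting cadence


def parse_log(text):
    """Return {site_id: [heartbeat timestamps]} from the constructed log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, event = line.split()
        if event == "heartbeat":
            seen[site].append(datetime.fromisoformat(ts))
    return seen


def last_seen(seen):
    """Most recent heartbeat per site."""
    return {site: max(stamps) for site, stamps in seen.items()}


def silent_sites(seen, now, missed=2):
    """Sites whose last heartbeat is older than `missed` intervals before `now`."""
    cutoff = now - missed * HEARTBEAT_INTERVAL
    return {site: ts for site, ts in last_seen(seen).items() if ts < cutoff}


def coordinated_outage(seen, now, min_sites=3, window=timedelta(minutes=5)):
    """Return (is_coordinated, affected_sites).

    The outage counts as coordinated when at least `min_sites` are silent and
    their final heartbeats all fall inside one `window`: the sites dropped off
    together rather than failing one by one, which is what distinguishes a
    simultaneous communications disruption from ordinary link failures.
    """
    silent = silent_sites(seen, now)
    affected = sorted(silent)
    if len(silent) < min_sites:
        return False, affected
    final_beats = sorted(silent.values())
    return (final_beats[-1] - final_beats[0] <= window), affected


if __name__ == "__main__":
    observed = parse_log(SAMPLE_LOG)
    flagged, sites = coordinated_outage(observed, datetime(2025, 12, 29, 3, 20))
    print("coordinated outage:", flagged, sites)
```

In practice the heartbeat source would be the SCADA front end or the network monitoring that already watches the substation links; the point of the check is the correlation step, which turns many individually unremarkable link-down alarms into one high-priority event that should trigger the incident response process rather than a routine communications ticket.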

Attribution and Threat Actors

CERT Polska, the Polish computer emergency response team, attributed the attacks to a threat cluster known as Static Tundra, also referred to as Berserk Bear, Ghost Blizzard, and Dragonfly by various cybersecurity firms. This group is linked to Russia’s Federal Security Service’s (FSB) Center 16 unit and has a history of targeting energy sectors with sophisticated cyber operations.

The attackers demonstrated advanced capabilities against industrial devices, indicating a high level of expertise and resources. Public analysis suggests that this incident represents the first destructive campaign publicly attributed to this activity cluster, signaling a significant tactical shift in their operations.

Wiper Malware Deployment and Infection Mechanism

The attackers employed identical wiper malware across multiple targets, deploying custom-built destructive software after gaining privileged access through prolonged infrastructure infiltration. The malware’s operation centered on irreversible data destruction across targeted networks.

After establishing footholds through compromised accounts and stolen operational information, attackers prepared partially automated attack sequences ready for simultaneous activation. When deployed against the combined heat and power plant, the malware’s execution was blocked by endpoint detection and response technology already running on the organization’s systems.

The manufacturing company faced a similar coordinated assault, though its specific objective differed from that of the energy targets. The attack pattern demonstrated sophisticated planning, with the malware serving as the final payload after extensive preparation and network reconnaissance during multiple weeks of covert presence within the target environments.

Broader Context and Implications

This incident is part of a broader trend of increasing cyberattacks on critical infrastructure. In 2024, Poland recorded over 4,000 cyber incidents targeting the energy sector, highlighting the growing threat landscape. The December 2025 attacks underscore the vulnerability of energy networks to coordinated cyber operations and the importance of robust security measures.

The Polish government has responded by mobilizing ministers and special services to work at full capacity, emphasizing the need for preparedness against such threats. Additional safeguards, including the Act on the National Cybersecurity System, have been announced to enhance the country’s resilience against future cyberattacks.

Conclusion

The coordinated cyberattacks on Poland’s renewable energy infrastructure in December 2025 represent a significant escalation in cyber threats against critical infrastructure. While the immediate impact was mitigated, the incident highlights the need for continuous vigilance, advanced security measures, and international cooperation to protect energy systems from sophisticated cyber adversaries.