Poland experienced a rare and alarming escalation in cyber threats on December 29, 2025, when coordinated attacks targeted the nation’s energy and industrial infrastructure. Over 30 wind and solar farms, a major combined heat and power (CHP) plant serving nearly 500,000 people, and a manufacturing company were compromised, sparking concerns about national energy security during severe winter conditions. While electricity and heat supply were not disrupted, the attacks successfully damaged communication systems and industrial devices, highlighting the growing sophistication of cyber sabotage campaigns against critical infrastructure.
The Incident
CERT Polska, Poland’s national cybersecurity team, reported that the attacks primarily impacted communications networks but avoided interrupting electricity generation or heat supply. The attackers infiltrated renewable energy substations, deploying destructive techniques such as firmware tampering and wiper malware, specifically DynoWiper and LazyWiper. The CHP plant was subjected to long-term network intrusion, data theft, and lateral movement, but protective systems prevented the malware from fully executing. A manufacturing firm was also affected, likely due to opportunistic exploitation of vulnerable Fortinet VPN devices.
The attackers targeted key industrial devices, including controllers, HMIs, protection relays, and network equipment. Notably, the GCP substation, critical for grid interconnection and remote control operations, was impacted. Attackers accessed internal networks through exposed FortiGate devices lacking multi-factor authentication. Using compromised credentials, they performed automated destructive actions, wiping firmware, deleting files, and compromising Moxa and Mikronika devices in sequence. Despite these efforts, electricity production continued uninterrupted, underscoring both the resilience of the infrastructure and the attackers’ focus on sabotage rather than disruption of energy supply.
Investigators linked the cyber campaign to the Russian-linked threat cluster Static Tundra, also known as Berserk Bear, Ghost Blizzard, or Dragonfly, although some cybersecurity firms suggested possible involvement from the Sandworm APT group. CERT Polska’s analysis noted that the attack infrastructure—including VPS servers, routers, traffic patterns, and anonymizing techniques—closely matched known Static Tundra operations, marking the first publicly attributed destructive activity for this group. The attackers’ wiper malware was deliberately designed for data destruction without ransom, employing both Windows-based and PowerShell-based variants to overwrite and render files unrecoverable.
The operation demonstrated meticulous planning, with months of network reconnaissance, mapping, and preparation. Malware propagation leveraged Active Directory via malicious Group Policy tasks, showing sophisticated operational knowledge of industrial networks. While no energy supply disruption occurred, the attackers successfully showcased their ability to damage physical devices remotely, creating an unprecedented warning for the industrial sector.
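The propagation path described above, a scheduled task pushed through a Group Policy Object, leaves two recognizable traces on a Windows domain: a write to the Group Policy Preferences file that carries the task definition in SYSVOL, and the same task name appearing on many hosts within a short window. The following detection logic is an added example written for this page, not code from CERT Polska or from the article's source; the event records it runs over are constructed (field names follow the Windows Security 4698 and Sysmon 11 schemas, the hosts, paths, GUID and task names are invented), and the thresholds are assumptions to be tuned per environment.

```python
"""Detection logic for Group Policy driven scheduled-task propagation.

Constructed sample events (not from the Polish incident): field names
follow the Windows Security auditing (4698, task created) and Sysmon
(11, file create) schemas; every value is invented for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SECURITY = "Microsoft-Windows-Security-Auditing"
SYSMON = "Microsoft-Windows-Sysmon"

# Group Policy Preferences keeps scheduled tasks in this file under SYSVOL;
# a write here is how one task definition reaches every linked machine.
GPP_TASKS_RE = re.compile(
    r"\\SYSVOL\\.*\\Policies\\\{[0-9A-Fa-f-]+\}\\(Machine|User)"
    r"\\Preferences\\ScheduledTasks\\ScheduledTasks\.xml$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def is_gpp_task_file(path: str) -> bool:
    """True when a file path points at a GPP ScheduledTasks.xml."""
    return GPP_TASKS_RE.search(path) is not None


def gpp_task_writes(events):
    """Rule 1: any process writing a GPP ScheduledTasks.xml (Sysmon 11).

    Legitimate GPO edits are rare and come from admin workstations, so each
    hit deserves a human look; an allow-list of editors can suppress noise.
    """
    return [
        Finding("gpp_scheduled_task_written", e["host"],
                f'{e["User"]} via {e["Image"]} -> {e["TargetFilename"]}')
        for e in events
        if e["provider"] == SYSMON and e["id"] == 11
        and is_gpp_task_file(e["TargetFilename"])
    ]


def fleet_task_rollouts(events, min_hosts=3, window_s=600):
    """Rule 2: one task name created (4698) on >= min_hosts distinct hosts
    inside window_s seconds, the footprint of a GPO-pushed task, whether it
    is a patch job or a wiper launcher. Thresholds are assumed defaults."""
    by_task = defaultdict(list)
    for e in events:
        if e["provider"] == SECURITY and e["id"] == 4698:
            by_task[e["TaskName"]].append((e["ts"], e["host"]))
    findings = []
    for task, seen in by_task.items():
        seen.sort()
        for start, _ in seen:  # sliding window anchored at each creation
            hosts = {h for t, h in seen if start <= t <= start + window_s}
            if len(hosts) >= min_hosts:
                findings.append(Finding(
                    "fleet_task_rollout", ",".join(sorted(hosts)),
                    f"{task} created on {len(hosts)} hosts within {window_s}s"))
                break
    return findings


def detect(events, min_hosts=3, window_s=600):
    """Run both rules and return the combined findings."""
    return gpp_task_writes(events) + fleet_task_rollouts(events, min_hosts, window_s)


# Constructed sample telemetry: one GPO edit on the DC, the resulting task
# landing on three OT-side hosts, plus two benign records that must not fire.
GPO_TASKS_PATH = (r"\\corp.example\SYSVOL\corp.example\Policies"
                  r"\{A1B2C3D4-0000-4000-8000-000000000001}"
                  r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml")
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "dc01", "provider": SYSMON, "id": 11,
     "User": r"CORP\gpo-admin", "Image": r"C:\Windows\System32\mmc.exe",
     "TargetFilename": GPO_TASKS_PATH},
    {"ts": 1300, "host": "hmi-01", "provider": SECURITY, "id": 4698,
     "TaskName": r"\Maintenance\SiteUpdate", "SubjectUserName": "SYSTEM"},
    {"ts": 1305, "host": "hmi-02", "provider": SECURITY, "id": 4698,
     "TaskName": r"\Maintenance\SiteUpdate", "SubjectUserName": "SYSTEM"},
    {"ts": 1312, "host": "scada-eng-01", "provider": SECURITY, "id": 4698,
     "TaskName": r"\Maintenance\SiteUpdate", "SubjectUserName": "SYSTEM"},
    {"ts": 5000, "host": "ws-07", "provider": SECURITY, "id": 4698,
     "TaskName": r"\Microsoft\Office\OfficeUpdate", "SubjectUserName": "alice"},
    {"ts": 5100, "host": "ws-07", "provider": SYSMON, "id": 11,
     "User": r"CORP\alice", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\ScheduledTasks.xml"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, f.host, f.detail)
```

Rule 1 is the earlier and more specific signal: a GPP task file changes long before the task fires on endpoints, so alerting on it gives the defender a window to inspect the GPO before the scheduled command runs. Rule 2 catches the same rollout from the endpoint side even when Sysmon is absent on the domain controllers, at the cost of needing a baseline of legitimate fleet-wide tasks.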
What Undercode Says:
This incident represents a critical turning point in the cybersecurity landscape for industrial control systems (ICS). The attack highlights several significant trends:
Focus on Industrial Sabotage: Unlike ransomware or espionage campaigns, the primary goal here was destructive sabotage. By targeting firmware and industrial controllers, the attackers could theoretically cause long-term equipment damage or operational chaos without overtly affecting electricity or heat supply.
Sophistication in Operational Tactics: The attackers combined traditional IT hacking methods with deep knowledge of operational technology. By infiltrating FortiGate devices, exploiting weak authentication, and deploying malware via Active Directory, they achieved both lateral movement and destructive capability across multiple facilities.
Strategic Timing: Launching the attack during severe winter conditions indicates intent to create maximum pressure on both public services and emergency response frameworks, exploiting social and operational vulnerabilities in crisis scenarios.
Attribution Challenges: CERT Polska’s report demonstrates how attribution in cyber warfare is complex. Static Tundra appears most likely responsible, yet overlaps with Sandworm activity illustrate the ambiguity and intelligence gaps in identifying state-sponsored actors accurately.
Resilience and Preparedness: Despite extensive network penetration, energy and heat supply remained uninterrupted. This underscores the importance of robust industrial cybersecurity measures, including endpoint detection and network segmentation, which prevented total operational collapse.
Emerging Malware Techniques: DynoWiper and LazyWiper reflect a shift toward highly targeted destructive tools that do not rely on command-and-control servers, persistence mechanisms, or stealth. This indicates a new class of cyber weapons designed solely for sabotage rather than financial gain, possibly incorporating AI-generated code for custom destructive actions.
Policy and Defense Implications: The attack signals a growing need for national cybersecurity strategies that address both IT and OT convergence. Regulatory bodies, energy operators, and security firms must adapt to counter destructive campaigns capable of physical impact, beyond traditional data breaches.
Future Threat Landscape: The incident foreshadows a broader geopolitical weaponization of cyberattacks on critical infrastructure, where energy grids and manufacturing systems may increasingly become primary targets in international conflicts or covert operations.
Fact Checker Results
✅ CERT Polska confirmed the attacks impacted communications but not electricity supply.
✅ The malware used, DynoWiper and LazyWiper, had destructive intent without ransom.
✅ Attribution leans toward Russian-linked Static Tundra, with Sandworm as a possible alternative.
Prediction
🔮 Poland’s energy sector will likely see increased investment in ICS cybersecurity, particularly in securing remote-access devices and firmware integrity.
🔮 Future attacks may involve AI-assisted malware capable of precision destruction across multiple industrial sites simultaneously.
🔮 State-backed cyber operations against European critical infrastructure may become more frequent, with coordinated attacks timed to exploit societal stress or natural crises.
References:
Reported By: securityaffairs.com