CERT Polska, the Polish national computer emergency response team, has unveiled details of a sophisticated and coordinated cyber offensive that struck over 30 wind and photovoltaic farms, a major combined heat and power (CHP) plant serving nearly half a million customers, and a private manufacturing firm. The incident, which unfolded on December 29, 2025, highlights the escalating threat to critical national infrastructure.
A Destructive Objective: Targeting Poland’s Vital Systems
The attacks, attributed by CERT Polska to a formidable threat cluster known as Static Tundra – also tracked under monikers like Berserk Bear, Blue Kraken, and Energetic Bear – are believed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit. Interestingly, reports from cybersecurity firms ESET and Dragos have, with moderate confidence, pointed towards Sandworm, another notorious Russian state-sponsored hacking group, as the perpetrator.
“All attacks had a purely destructive objective,” CERT Polska stated in its comprehensive report. While the assaults on renewable energy farms successfully disrupted communication with the distribution system operator, they critically failed to impede actual electricity production. Similarly, the attack on the CHP plant, despite its malicious intent, did not manage to disrupt heat supply to end-users, demonstrating a degree of resilience within the targeted systems.
Infiltration and Espionage: The Attack Vector
Attackers reportedly gained deep access to the internal networks of power substations linked to renewable energy facilities. This access facilitated extensive reconnaissance and disruptive activities, including the damaging of controller firmware, deletion of critical system files, and the deployment of custom-built wiper malware, dubbed DynoWiper by ESET.
For the CHP plant intrusion, the adversary engaged in a prolonged data theft operation, dating back to March 2025. This long-term access allowed for privilege escalation and lateral movement across the network. However, attempts to detonate the destructive wiper malware within the CHP network were ultimately unsuccessful.
Opportunistic Strikes and Vulnerable Points
The targeting of the manufacturing sector company appears to have been more opportunistic, with initial access gained through a vulnerable Fortinet perimeter device. A similar exploitation of a vulnerable FortiGate appliance is suspected in the attack on the grid connection point.
At least four distinct versions of DynoWiper have been identified, deployed on Mikronika HMI Computers within energy facilities and on a network share at the CHP plant, following access through a FortiGate device’s SSL-VPN portal service.
Modus Operandi: Exploiting Weaknesses
CERT Polska detailed the attackers’ methods, noting, “The attacker gained access to the infrastructure using multiple accounts that were statically defined in the device configuration and did not have two-factor authentication enabled.” The threat actors further obscured their tracks by connecting via Tor nodes and a mix of Polish and foreign compromised IP addresses.
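The weakness CERT Polska describes above, statically defined accounts in the device configuration with no two-factor authentication, is something a defender can audit directly from a configuration backup. The following script is an added example (not code from CERT Polska or Fortinet): it parses the FortiGate-style `config user local` and `config user group` blocks of a backup, then lists local accounts that are members of an SSL-VPN user group but have `two-factor` unset or `disable`. The sample backup is constructed, and the setting names (`two-factor`, `member`) and the `disable` default are assumed from common FortiGate CLI conventions; check them against the reference for your firmware.

```python
"""Audit a FortiGate-style configuration backup for local VPN accounts without two-factor auth.

Added example, not from CERT Polska or Fortinet. Assumes the usual CLI backup layout:
`config <table>` / `edit "<name>"` / `set <key> <values...>` / `next` / `end`.
The `two-factor` setting and its `disable` default are assumed from FortiGate CLI
conventions; verify against your firmware's CLI reference.
"""
import shlex
from typing import Dict, List

# Constructed sample backup: three static local users, only one with a token enrolled.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config user local
    edit "svc-vendor"
        set type password
        set passwd ENC REDACTED
    next
    edit "ops-admin"
        set type password
        set passwd ENC REDACTED
        set two-factor fortitoken
        set fortitoken "FTKMOB-PLACEHOLDER"
    next
    edit "contractor-old"
        set type password
        set passwd ENC REDACTED
        set two-factor disable
    next
end
config user group
    edit "ssl-vpn-users"
        set member "svc-vendor" "ops-admin" "contractor-old"
    next
end
"""


def parse_table(config_text: str, table: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {entry_name: {setting: [values]}} for one top-level `config <table>` block.

    Nested sub-tables inside an entry are skipped; only depth-1 `set` lines are kept.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    depth = 0          # nesting level of config ... end blocks
    in_table = False   # inside the requested top-level table
    current = None     # name of the entry being edited
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted names and values
        verb = tokens[0]
        if verb == "config":
            depth += 1
            if depth == 1 and " ".join(tokens[1:]) == table:
                in_table = True
        elif verb == "end":
            if depth == 1:
                in_table = False
            depth -= 1
        elif in_table and depth == 1:
            if verb == "edit":
                current = tokens[1]
                entries[current] = {}
            elif verb == "next":
                current = None
            elif verb == "set" and current is not None:
                entries[current][tokens[1]] = tokens[2:]
    return entries


def users_without_mfa(config_text: str) -> List[str]:
    """Local accounts whose `two-factor` is absent or `disable` (assumed default)."""
    users = parse_table(config_text, "user local")
    weak = [name for name, s in users.items()
            if not s.get("two-factor") or s["two-factor"][0] == "disable"]
    return sorted(weak)


def vpn_group_members(config_text: str, group: str) -> List[str]:
    """Members of a `config user group` entry (the group mapped to the SSL-VPN portal)."""
    return parse_table(config_text, "user group").get(group, {}).get("member", [])


def vpn_exposed_without_mfa(config_text: str, group: str = "ssl-vpn-users") -> List[str]:
    """Accounts that can reach the VPN portal and also lack two-factor auth."""
    weak = set(users_without_mfa(config_text))
    return sorted(m for m in vpn_group_members(config_text, group) if m in weak)


if __name__ == "__main__":
    for user in vpn_exposed_without_mfa(SAMPLE_CONFIG):
        print(f"[WARN] local account '{user}' can log in to the SSL-VPN without two-factor auth")
```

Run it against a real backup by reading the file into `config_text`; the group name passed to `vpn_exposed_without_mfa` should be whichever group the SSL-VPN portal policy references in your configuration.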
The Arsenal of Destruction: DynoWiper and LazyWiper
DynoWiper’s functionality is deceptively simple: it initializes a pseudorandom number generator (Mersenne Twister), enumerates files, corrupts them using the PRNG, and then deletes them. Notably, this malware lacks persistence mechanisms, command-and-control (C2) capabilities, or features to evade security programs.
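Because DynoWiper, as described above, overwrites each file and then deletes it, with no persistence or C2 to catch first, endpoint telemetry showing one process completing many overwrite-then-delete pairs in a short window is the behavioural signal a defender can alert on. The script below is an added example (not from CERT Polska or ESET) of that detection: it groups file events per process, pairs a modification with a later deletion of the same path, and flags any process that completes at least `min_files` such pairs inside a sliding `window`. The event records are constructed in a simplified `(timestamp, pid, image, op, path)` shape; map your own EDR or Sysmon fields to it.

```python
"""Rate-based detection of wiper-like file activity (overwrite, then delete) in endpoint telemetry.

Added example, not from CERT Polska or ESET. Event tuples are constructed here as
(timestamp, pid, image, op, path) with op in {"modify", "delete"}; adapt the loader
to your own EDR/Sysmon schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, int, str, str, str]

T0 = datetime(2025, 12, 29, 3, 0, 0)  # constructed timestamp


def _constructed_events() -> List[Event]:
    """Build sample telemetry: one wiper-like process, one backup agent, one operator."""
    ev: List[Event] = []
    wiper = r"C:\ProgramData\svc.exe"
    for i in range(20):  # rewrites each file, then deletes it 50 ms later
        path = rf"C:\Data\plant\report_{i}.dat"
        ev.append((T0 + timedelta(milliseconds=100 * i), 4242, wiper, "modify", path))
        ev.append((T0 + timedelta(milliseconds=100 * i + 50), 4242, wiper, "delete", path))
    backup = r"C:\Program Files\Backup\agent.exe"
    for i in range(50):  # benign: rewrites many files but never deletes them
        ev.append((T0 + timedelta(seconds=i), 1001, backup, "modify", rf"C:\Data\archive_{i}.bak"))
    for i in range(3):   # benign: a few deletions with no prior overwrite
        ev.append((T0 + timedelta(minutes=5, seconds=i), 777, r"C:\Windows\explorer.exe",
                   "delete", rf"C:\Users\op\tmp_{i}.txt"))
    return sorted(ev, key=lambda e: e[0])


EVENTS = _constructed_events()


def find_wiper_candidates(events: List[Event],
                          window: timedelta = timedelta(seconds=60),
                          min_files: int = 10) -> List[Tuple[int, str, int]]:
    """Return (pid, image, pairs_in_window) for processes that overwrite-then-delete
    at least `min_files` distinct files within any `window`-long interval."""
    # pid -> path -> first modify time / subsequent delete time / image
    per_pid: Dict[int, Dict[str, dict]] = defaultdict(dict)
    for ts, pid, image, op, path in events:
        rec = per_pid[pid].setdefault(path, {"image": image, "mod": None, "del": None})
        if op == "modify" and rec["mod"] is None:
            rec["mod"] = ts
        elif op == "delete" and rec["mod"] is not None and rec["del"] is None:
            rec["del"] = ts  # delete only counts if this process modified the file first

    hits = []
    for pid, paths in per_pid.items():
        completions = sorted(r["del"] for r in paths.values()
                             if r["del"] is not None and r["del"] - r["mod"] <= window)
        # sliding window over completion times: most pairs finished within `window`
        best, start = 0, 0
        for end in range(len(completions)):
            while completions[end] - completions[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            hits.append((pid, next(iter(paths.values()))["image"], best))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image, count in find_wiper_candidates(EVENTS):
        print(f"[ALERT] pid {pid} ({image}) overwrote and deleted {count} files within 60 s")
```

The backup agent is not flagged because it never deletes, and the operator's deletions are ignored because the process did not overwrite those files first; tune `min_files` and `window` to the normal churn of the hosts you monitor, and treat HMI and engineering workstations, where legitimate bulk file rewrites are rare, with a lower threshold.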
In the manufacturing sector attack, a PowerShell-based wiper named LazyWiper was used. This script overwrites system files with pseudorandom 32-byte sequences, rendering them unrecoverable. Intriguingly, CERT Polska suspects the core wiping functionality of LazyWiper may have been developed using a large language model (LLM).
Distribution Methods
“The malware used in the incident involving renewable energy farms was executed directly on the HMI machine,” CERT Polska clarified. “In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller.”
While some “general” code-level similarities were observed between DynoWiper and other wipers attributed to Sandworm, CERT Polska emphasized that this alone does not provide concrete evidence of Sandworm’s direct participation.
Cloud Compromise and Data Exfiltration
The attackers also attempted to leverage credentials obtained from the on-premises environment to gain access to cloud services. After identifying corresponding accounts in the M365 service, they successfully downloaded selected data from platforms like Exchange, Teams, and SharePoint. Their primary interest lay in files and email messages related to OT network modernization, SCADA systems, and technical work within the organizations, underscoring a strategic intelligence-gathering objective alongside the destructive intent.