Russian Hackers Launch Coordinated Cyberattacks on Poland’s Renewable Energy Infrastructure

Russian state-sponsored threat actors launched coordinated cyberattacks against Poland’s energy sector on December 29, 2025, targeting over 30 wind and solar farms, a manufacturing company, and a major combined heat and power (CHP) plant that serves nearly 500,000 people, according to CERT Polska.

The attacks aimed to cause sabotage during a period of severe winter weather. While attackers successfully disrupted communications and remote monitoring capabilities, electricity generation and heat supply were not interrupted—demonstrating both the resilience of well-designed industrial systems and the potentially catastrophic intent behind these operations.

Attribution: Static Tundra with Possible Sandworm Links

CERT Polska attributed the attacks to a threat cluster called Static Tundra, linked to Russia’s FSB Center 16 and also tracked as Berserk Bear (CrowdStrike), Ghost Blizzard (Microsoft), and Dragonfly (Symantec). However, recent reports from ESET and Dragos assess with moderate confidence that Sandworm, another Russian state-sponsored group, may be responsible.

CERT Polska noted that this marks the first publicly described destructive activity attributed to the Static Tundra cluster, despite the cluster’s long-documented interest in the energy sector.

Attack Methodology: IT and OT Convergence

Attackers infiltrated renewable energy substations through exposed FortiGate devices used for VPN and firewall functions—often without multi-factor authentication enabled. Known vulnerabilities and reused credentials helped attackers move laterally between facilities.

After gaining access, they executed a sophisticated multi-stage attack:

  • Reconnaissance and mapping of industrial control systems
  • Firmware tampering on Hitachi RTUs
  • Wiper deployment on Mikronika controllers
  • Protection relay disabling
  • HMI computer compromise using DynoWiper malware
  • Moxa serial device sabotage

Novel Wiper Malware: DynoWiper and LazyWiper

The attackers deployed two previously unknown wiper tools designed purely for destruction with no ransom demand:

DynoWiper: A Windows wiper that corrupts and deletes files by overwriting them with random data. Notably, it has no command-and-control capability, no persistence mechanism, and makes no effort to hide—indicating a one-shot sabotage design.

LazyWiper: A PowerShell script targeting multiple file types. Based on characteristics of the code, analysts believe portions of it may have been generated with AI tools.

Both malware variants spread through Active Directory using malicious Group Policy tasks, enabling simultaneous execution across compromised networks.
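The Group Policy distribution described above leaves a recognisable trace on the endpoints: the same scheduled task appears on many hosts within minutes of each other, typically pointing at a payload on a domain share. The following Python is an added illustration written for this article, not code from CERT Polska or from the malware analysis. It assumes Windows Security event 4698 ("A scheduled task was created", which only appears when the "Audit Other Object Access Events" subcategory is enabled) has already been collected and normalised into dictionaries; the event records, host names, task name and the corp.example domain are all constructed, and the two detection heuristics (fan-out of one task name across hosts, and task commands that run from SYSVOL/NETLOGON or bypass PowerShell policy) are the author's own thresholds, not figures from the incident.

```python
"""Flag scheduled-task fan-out and share-hosted task payloads in 4698 events.

Added example for this article. All events below are constructed sample
data; the domain corp.example, host names and task names are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five hosts receive the same task within two minutes
# (the Group Policy push pattern); one host has an ordinary local task;
# one record is a 4702 (task updated) and must be ignored by both checks.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "time": "2025-12-29T03:14:02", "event_id": 4698,
     "task_name": "\\UpdateCheck",
     "task_content": "<Exec><Command>powershell.exe</Command><Arguments>"
                     "-ExecutionPolicy Bypass -File \\\\corp.example\\SYSVOL"
                     "\\corp.example\\scripts\\u.ps1</Arguments></Exec>"},
    {"host": "hmi-02", "time": "2025-12-29T03:14:09", "event_id": 4698,
     "task_name": "\\UpdateCheck",
     "task_content": "<Exec><Command>\\\\corp.example\\NETLOGON\\u.exe"
                     "</Command></Exec>"},
    {"host": "eng-ws-03", "time": "2025-12-29T03:14:41", "event_id": 4698,
     "task_name": "\\UpdateCheck",
     "task_content": "<Exec><Command>\\\\corp.example\\NETLOGON\\u.exe"
                     "</Command></Exec>"},
    {"host": "hist-01", "time": "2025-12-29T03:15:12", "event_id": 4698,
     "task_name": "\\UpdateCheck",
     "task_content": "<Exec><Command>\\\\corp.example\\NETLOGON\\u.exe"
                     "</Command></Exec>"},
    {"host": "rtu-gw-02", "time": "2025-12-29T03:15:50", "event_id": 4698,
     "task_name": "\\UpdateCheck",
     "task_content": "<Exec><Command>\\\\corp.example\\NETLOGON\\u.exe"
                     "</Command></Exec>"},
    {"host": "eng-ws-03", "time": "2025-12-29T02:00:00", "event_id": 4698,
     "task_name": "\\NightlyBackup",
     "task_content": "<Exec><Command>C:\\Tools\\backup.exe</Command></Exec>"},
    {"host": "hmi-01", "time": "2025-12-29T03:20:00", "event_id": 4702,
     "task_name": "\\UpdateCheck",
     "task_content": "<Exec><Command>C:\\Windows\\notepad.exe</Command></Exec>"},
]

# Heuristic patterns (author's assumptions, not indicators from the incident):
# a task command served from a domain share, or PowerShell run with its
# execution policy bypassed / an encoded command.
SUSPICIOUS_PATTERNS = [
    r"\\\\[^\\]+\\(SYSVOL|NETLOGON)\\",
    r"-(ExecutionPolicy|ep)\s+Bypass",
    r"-(enc|encodedcommand)\b",
]

FANOUT_THRESHOLD = 3            # distinct hosts creating the same task...
FANOUT_WINDOW = timedelta(minutes=5)   # ...inside this time window


def _creations(events):
    """Yield only 4698 records; 4702 (updated) and others are ignored."""
    return (e for e in events if e["event_id"] == 4698)


def fanout_tasks(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {task_name: sorted hosts} for tasks created on >= threshold
    distinct hosts within `window`, using a sliding window over sorted times."""
    by_task = defaultdict(list)
    for e in _creations(events):
        by_task[e["task_name"]].append((datetime.fromisoformat(e["time"]),
                                        e["host"]))
    hits = {}
    for name, entries in by_task.items():
        entries.sort()
        for start, _ in entries:
            hosts = {h for t, h in entries if start <= t <= start + window}
            if len(hosts) >= threshold:
                hits[name] = sorted(hosts)
                break
    return hits


def suspicious_commands(events):
    """Return (host, task_name, matched_pattern) for creations whose task
    XML matches any SUSPICIOUS_PATTERNS entry."""
    flagged = []
    for e in _creations(events):
        for pattern in SUSPICIOUS_PATTERNS:
            if re.search(pattern, e["task_content"], re.IGNORECASE):
                flagged.append((e["host"], e["task_name"], pattern))
                break
    return flagged


if __name__ == "__main__":
    for name, hosts in fanout_tasks(SAMPLE_EVENTS).items():
        print(f"fan-out: task {name} created on {len(hosts)} hosts: {hosts}")
    for host, name, pattern in suspicious_commands(SAMPLE_EVENTS):
        print(f"suspicious: {host} task {name} matched {pattern}")
```

The two checks are deliberately independent: fan-out alone catches a benign software push as well as a malicious one, and a share-hosted command alone is normal in many domains, but a task that trips both within minutes of a change to a Group Policy object is worth an immediate look. Tune the threshold and window to the size of the estate.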

Why This Matters

This incident represents a significant escalation in Russia’s cyber operations against NATO-allied critical infrastructure:

  • Direct targeting of renewable energy during winter—maximizing potential humanitarian impact
  • Simultaneous IT and OT compromise—crossing the traditional enterprise/industrial boundary
  • First confirmed destructive operation from Static Tundra cluster
  • Demonstrates Russian capability to coordinate multi-target energy sector attacks

For organizations operating critical infrastructure, this attack highlights the urgent need for OT network segmentation, multi-factor authentication on all remote access points, and enhanced monitoring of industrial control systems—particularly during geopolitically sensitive periods.

Source: Security Affairs