Coordinated Cyberattack on Poland’s Energy Infrastructure: Lessons for Critical OT Security
- Işınsu Unaran
- 7 days ago
- 4 min read
On 29 December 2025, coordinated cyberattacks struck Poland’s critical infrastructure. At least 30 wind and solar farms were targeted. A large combined heat and power (CHP) plant supplying heat to nearly half a million customers was attacked. A private manufacturing company was also affected.
According to CERT Polska, the attacks were purely destructive in nature and represent a significant escalation compared to previously observed incidents. The timing was not incidental; the incidents occurred during a period of low temperatures and snowstorms, just days before New Year’s Eve.
There was no extortion demand. The objective was disruption. For leaders responsible for operational continuity, the implications are strategic.

The Day Renewable Energy Facilities Went Dark
In the renewable energy sector, the attacker targeted grid connection points (GCPs) across dozens of wind and solar farms.
These substations serve as both the physical interconnection to the grid and the point through which distribution system operators (DSOs) perform remote monitoring and supervisory control.
Electricity generation itself was not halted. However, communication between facilities and DSOs was lost. Remote visibility and control were disrupted.
Initial access consistently involved FortiGate devices exposed to the internet without multi-factor authentication. In several cases, devices had previously been vulnerable to remote code execution. The reuse of identical credentials across facilities significantly lowered the barrier to lateral expansion.
Once administrative access was obtained, the attacker moved deeper into OT systems. At many sites, Hitachi RTU560 controllers were targeted. Using default credentials, the attacker logged into the web interface and uploaded modified firmware. The malicious firmware inserted 240 bytes of 0xFF at the program entry point, causing processors to execute invalid instructions and enter reboot loops. The result was functional device failure and loss of communication.
The secure firmware update feature existed in supported versions, but it had not been enabled. Even if it had been, a known vulnerability (CVE-2024-2617) could have allowed bypass unless it had been patched.
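One way an operator can gate a firmware image before it is uploaded through an RTU web interface, written as an added example (not Hitachi's, CERT Polska's or DataFlowX's code): the image must match a vendor-published SHA-256 allowlist, and is separately flagged if the bytes at the program entry point are a run of 0xFF at least as long as the 240 bytes reported above. The allowlist, the entry-point offset and the sample image are assumptions constructed for the demo.

```python
import hashlib

FF_RUN_THRESHOLD = 240  # length of the 0xFF run the article reports at the entry point


def image_sha256(image: bytes) -> str:
    """Hex SHA-256 of an image; used to build the allowlist from vendor-supplied files."""
    return hashlib.sha256(image).hexdigest()


def ff_run_length(image: bytes, offset: int) -> int:
    """Number of consecutive 0xFF bytes starting at offset (0 if offset is out of range)."""
    n = 0
    while offset + n < len(image) and image[offset + n] == 0xFF:
        n += 1
    return n


def vet_firmware(image: bytes, entry_offset: int, allowed_sha256: set) -> list:
    """Reasons to reject this image before upload; an empty list means it passes both checks.

    entry_offset is the device-specific program entry point (assumed known to the operator).
    """
    reasons = []
    digest = image_sha256(image)
    if digest not in allowed_sha256:
        reasons.append(f"sha256 {digest[:16]}... is not a vendor-published image hash")
    run = ff_run_length(image, entry_offset)
    if run >= FF_RUN_THRESHOLD:
        # the article's tampering pattern: the entry point replaced with invalid-instruction filler
        reasons.append(f"{run} consecutive 0xFF bytes at entry point 0x{entry_offset:04x}")
    return reasons
```

The hash check is the stopgap; the device's own secure firmware update feature, enabled and patched, is the control that belongs on the RTU itself.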
Other industrial components were also damaged:
- Mikronika RTUs were accessed via SSH using default credentials and wiped through destructive commands
- Moxa serial device servers were reset to factory settings, passwords changed, and IP addresses set to unreachable values, delaying restoration
- In some cases, Hitachi protection relays were rendered inoperable through file deletion
The pattern was consistent: default credentials, exposed edge devices, and destructive manipulation of industrial components.

A Long-Term Infiltration Inside a Combined Heat and Power Plant
The attack on the CHP plant followed a different trajectory. Unlike the renewable facilities, this incident was preceded by months of reconnaissance. Suspicious activity began as early as March 2025. The attacker gained access through an exposed FortiGate SSL-VPN interface without multi-factor authentication.
From there, the attacker used RDP to pivot through jump hosts and access domain controllers. Standard administrative tools were leveraged to avoid detection: PsExec, built-in Windows utilities, and Impacket scripts. Credential theft followed.
Evidence showed:
- LSASS memory dumps
- Extraction of the Active Directory database (ntds.dit)
- Copying of SAM and SYSTEM registry hives
- Use of Kerberos abuse techniques, including Diamond Ticket creation
A reverse SOCKS proxy (rsocx) was deployed to tunnel traffic externally. Sensitive data was compressed and exfiltrated.
On 29 December, the operation shifted from reconnaissance to destruction. A wiper malware known as DynoWiper was deployed through Group Policy Objects (GPOs). The malware corrupted files by overwriting multiple offsets with pseudorandom 16-byte blocks and then deleting them. It had no persistence mechanism and no command-and-control channel. Its sole purpose was irreversible damage.
In this case, the organization’s EDR solution detected runtime modifications to canary files and halted execution across more than 100 machines. Without that intervention, the operational consequences would have been severe.
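The canary-file detection that stopped DynoWiper at the CHP plant can be reproduced in outline with a small integrity monitor. The block below is an added example, not the EDR vendor's or DataFlowX's code: it plants canary files with known content, then reports any canary that was deleted or changed, classifying a few scattered 16-byte changes (the DynoWiper pattern described above) as a partial overwrite rather than a full rewrite. The file names, sizes and the damage written in run_demo are constructed for the demo.

```python
import os
import tempfile

BLOCK = 16  # comparison granularity: the 16-byte block size the article reports for DynoWiper


def plant_canaries(directory, count=3):
    """Write deterministic 4 KiB canary files; return {path: baseline content}."""
    baseline = {}
    for i in range(count):
        path = os.path.join(directory, f"~canary_{i:02d}.dat")
        baseline[path] = bytes([0x10 + i]) * 4096
        with open(path, "wb") as fh:
            fh.write(baseline[path])
    return baseline


def differing_blocks(original, current, block=BLOCK):
    """Offsets of the block-aligned chunks where the two buffers differ (length changes count)."""
    length = max(len(original), len(current))
    return [off for off in range(0, length, block)
            if original[off:off + block] != current[off:off + block]]


def check_canaries(baseline):
    """Compare each canary with its baseline; return {path: (verdict, changed offsets)}."""
    findings = {}
    for path, original in baseline.items():
        if not os.path.exists(path):
            findings[path] = ("deleted", [])
            continue
        with open(path, "rb") as fh:
            current = fh.read()
        if current != original:
            hits = differing_blocks(original, current)
            # a few scattered blocks => wiper-style partial overwrite; most blocks => full rewrite
            verdict = "partial_overwrite" if len(hits) * BLOCK < len(original) // 2 else "rewritten"
            findings[path] = (verdict, hits)
    return findings


def run_demo():
    """Plant canaries in a temp dir, apply constructed damage to two of them, return findings by name."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_canaries(tmp)
        paths = sorted(baseline)
        with open(paths[0], "r+b") as fh:  # test damage written by this script: two scattered blocks
            for off in (512, 2048):
                fh.seek(off)
                fh.write(b"\xa5\x5a" * (BLOCK // 2))
        os.remove(paths[1])  # second canary deleted outright, as the wiper did after overwriting
        return {os.path.basename(p): v for p, v in check_canaries(baseline).items()}
```

A production monitor hooks file writes rather than polling and blocks the writing process on the first hit; check_canaries here runs on demand so the classification logic is visible.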
Manufacturing Was Also Targeted
On the same day, a manufacturing company was attacked through a compromised FortiGate perimeter device. The device’s configuration had previously been leaked publicly.
Persistence mechanisms were established through scheduled scripts embedded directly within the FortiGate configuration. These scripts harvested credentials and exfiltrated results to an attacker-controlled Slack channel. The destructive payload in this case was LazyWiper, a PowerShell-based script. It overwrote large portions of files using pseudorandom 32-byte sequences. Distribution again relied on GPO manipulation.
Even cloud services were probed. Credentials from on-premises systems were reused in attempts to access Microsoft 365, with particular interest in SCADA modernization and OT-related documentation.
Infrastructure used in the operation overlaps with activity clusters publicly known as “Static Tundra,” “Berserk Bear,” and “Ghost Blizzard”. While attribution remains cautious, the operational profile aligns with actors historically interested in the energy sector.

OT Security Cannot Rely on Assumptions
What makes the December 29 attacks particularly instructive is not the sophistication of any single technique. None of the methods used were unprecedented. VPN exposure without MFA, default credentials on industrial devices, unmonitored firmware updates, and domain-level privilege escalation are all known risks.
What escalated this incident was the combination of these weaknesses across IT and OT layers.
For executive leadership, this reframes the security conversation. Segmentation alone is not resilience. A firewall does not prevent damage if an attacker already has authenticated VPN access. Endpoint monitoring does not protect industrial firmware if update mechanisms are left unchecked. Backup strategies do not help if firmware images or domain controllers are deliberately corrupted before restoration is possible.
Operational continuity in critical infrastructure now depends on governing how systems are accessed, how credentials are managed, and how industrial devices are authenticated and updated.
Extending Cyber Resilience into the Industrial Layer
Remote access into OT environments must be tightly governed and continuously monitored. Cross-domain communication should be deliberate, policy-driven, and auditable. Firmware integrity cannot be optional. Industrial devices cannot rely on default credentials or perimeter trust assumptions.
DataFlowX supports this architectural approach through solutions designed specifically for critical infrastructure environments:
- DataDiodeX enables hardware-enforced unidirectional communication where operational visibility is required without exposing control systems to inbound risk.
- DataBrokerX provides controlled, policy-driven cross-domain data exchange for environments that require bidirectional workflows under strict governance.
- DataStationX supports secure and auditable removable media transfers, reducing exposure from unmanaged devices.
Contact our expert team to find out what you need to guard against similar cyberattacks.