
CERT Polska, Poland’s computer emergency response team, has uncovered a coordinated cyberattack targeting more than 30 wind and solar power plants, private companies in the manufacturing industry, and large combined heat and power plants (CHPs) that provide heat to almost 500,000 customers in the country.
This incident occurred on December 29, 2025. Government agencies attribute the attack to a threat cluster known as Static Tundra. This cluster is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be associated with the Center 16 unit of the Russian Federal Security Service (FSB).
It is worth noting that recent reports from ESET and Dragos attribute this activity with moderate confidence to another Russian state-sponsored hacking group known as Sandworm.

“All attacks had a purely destructive purpose,” CERT Polska said in a report released Friday. “The attack on renewable energy power plants disrupted communications between these facilities and distribution system operators, but did not affect continued power generation. Similarly, attacks on combined heat and power plants did not achieve the attackers’ intended effect of cutting off heat supply to end users.”
The attackers allegedly gained access to the internal networks of substations associated with renewable energy facilities and carried out reconnaissance and sabotage activities, including damaging controller firmware, deleting system files, and launching custom-built wiper malware codenamed DynoWiper by ESET.
In the CHP-targeted intrusion, the attackers conducted a prolonged data-theft operation dating back to March 2025, during which they escalated privileges and moved laterally across the network. CERT Polska noted that the attackers’ attempt to detonate the wiper malware failed.
On the other hand, targeting manufacturing companies is considered to be opportunistic, with attackers gaining initial access through vulnerable Fortinet perimeter devices. Attacks targeting grid connection points may have also included exploitation of vulnerable FortiGate appliances.

At least four different versions of DynoWiper have been discovered to date. These variants were deployed to Mikronika HMI computers used at energy facilities and to network shares within CHPs, after the attackers secured access through the SSL‑VPN portal service on FortiGate devices.
“The attackers gained access to the infrastructure using multiple accounts that were statically defined in the device configuration and did not have two-factor authentication enabled,” CERT Polska said, detailing the modus operandi of the attackers targeting CHP. “The attackers connected using Tor nodes as well as Polish and foreign IP addresses associated with the compromised infrastructure.”
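A defensive check for the exposure CERT Polska describes above, added here as an example and not part of the report or of any Fortinet tooling: it parses a constructed FortiGate-style "config user local" excerpt (the syntax and the assumption that a missing "set two-factor" line means disabled are mine) and lists the local accounts with no two-factor method.

```python
import re

# Constructed FortiGate-style "config user local" excerpt (assumed syntax;
# not taken from the incident report). Three local SSL-VPN accounts, one
# with a FortiToken, one with no two-factor line, one explicitly disabled.
SAMPLE_CONFIG = """\
config user local
    edit "vpn-operator"
        set type password
        set two-factor fortitoken
    next
    edit "vpn-contractor"
        set type password
    next
    edit "vpn-legacy"
        set type password
        set two-factor disable
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
TWO_FACTOR_RE = re.compile(r'^\s*set\s+two-factor\s+(\S+)')


def local_users_without_mfa(config_text):
    """Return the names of local accounts whose two-factor method is
    'disable'. A missing 'set two-factor' line is treated as disabled
    (the assumed FortiOS default), so silently unprotected accounts are
    flagged as well as explicitly disabled ones."""
    in_block, current, modes = False, None, {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config user local":
            in_block = True
        elif not in_block:
            continue
        elif stripped == "end":
            break  # leave the user-local block; later sections are ignored
        elif (m := EDIT_RE.match(line)):
            current = m.group(1)
            modes[current] = "disable"  # assume disabled until told otherwise
        elif (m := TWO_FACTOR_RE.match(line)) and current is not None:
            modes[current] = m.group(1)
    return sorted(name for name, mode in modes.items() if mode == "disable")

if __name__ == "__main__":
    for name in local_users_without_mfa(SAMPLE_CONFIG):
        print("local account without two-factor:", name)
```

Run it against a full configuration backup to get a first-pass list of statically defined accounts to review; it does not check whether those accounts are actually mapped to the SSL-VPN portal.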
The function of the wiper is very simple: it initializes a Mersenne Twister pseudorandom number generator (PRNG), enumerates files and uses the PRNG output to corrupt them, and then deletes the files.
It’s worth mentioning here that the malware has no persistence mechanism, no way to communicate with a command-and-control (C2) server, and no way to execute shell commands. It also makes no attempt to hide its activity from security programs.

According to CERT Polska, attacks targeting manufacturing companies used a PowerShell-based wiper called LazyWiper, a script that overwrites files on the system with pseudo-random 32-byte sequences, rendering them unrecoverable. It is suspected that the core deletion function was developed using large language models (LLMs).
“The malware used in the incident involving renewable energy power plants was executed directly on the HMI machine,” CERT Polska noted. “In contrast, at a CHP factory (DynoWiper) and a company in the manufacturing sector (LazyWiper), the malware was distributed within Active Directory domains via PowerShell scripts executed on domain controllers.”
The agency also described some of the code-level similarities between DynoWiper and other wipers built by Sandworm as “general” in nature, and provided no concrete evidence as to whether threat actors participated in the attack.
“The attacker attempted to access cloud services using credentials obtained from an on-premises environment,” CERT Polska said. “After identifying the corresponding account credentials present in the M365 service, the attackers downloaded selected data from services such as Exchange, Teams, and SharePoint.”
“The attackers were particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work performed within the organization.”
