Poland’s Energy Grid Breached Via Exposed VPN

Summary
– On December 29, 2025, coordinated cyberattacks targeted Poland’s critical infrastructure, including renewable energy facilities, a heat and power plant, and a manufacturing company.
– The attacks were assessed as purely destructive and were attributed to a Russia-linked threat group known by names like Static Tundra and Berserk Bear.
– Initial access in all incidents was gained through internet-exposed FortiGate devices that lacked multi-factor authentication for VPN accounts.
– At renewable energy substations, attackers compromised industrial control systems, causing a loss of monitoring capabilities but not disrupting electricity generation.
– The attackers used custom wiper malware, including DynoWiper and a likely AI-generated script called LazyWiper, to attempt irreversible data destruction.
In late December 2025, a series of coordinated cyberattacks targeted Poland’s critical energy and industrial infrastructure. While the strikes aimed to cause significant disruption, they ultimately failed to halt electricity generation or distribution. The incidents, linked to a Russia-aligned threat actor known by various names including Static Tundra and Berserk Bear, all began with the exploitation of a common weakness: internet-exposed Fortinet VPN devices lacking multi-factor authentication. This access vector provided the initial foothold for what Polish cybersecurity authorities described as purely destructive operations.
The campaign simultaneously hit multiple sectors. Renewable energy facilities, including over thirty wind and solar farms, were a primary focus. Intruders gained access to grid connection substations, which are crucial interfaces between power plants and distribution networks. Once inside, they compromised industrial control systems like RTU controllers, protection relays, and HMI computers from vendors such as Hitachi Energy and Moxa. Their actions included uploading corrupted firmware, deleting critical operating files, and resetting devices to factory defaults. This sabotage severed communication links between the facilities and grid operators, crippling remote monitoring and control capabilities. Despite this, the physical generation of electricity continued uninterrupted.
A separate but related attack targeted a combined heat and power plant that serves nearly half a million customers. This intrusion was far more patient and better prepared. Investigators found evidence that the attackers had maintained unauthorized access for months beforehand, conducting internal reconnaissance and stealing sensitive operational data. During this prolonged period, they obtained privileged Active Directory credentials, allowing them to move laterally across the network. Their end goal was the deployment of a custom wiper malware called DynoWiper, designed to cause irreversible data loss. The malware was distributed via Group Policy Objects from a domain controller, but its execution was blocked by an endpoint detection and response platform, which significantly limited the damage.
In a parallel operation, attackers took aim at a private manufacturing company. This target appears to have been more opportunistic. Initial access was gained through a Fortinet device whose configuration had been stolen and publicly posted on a criminal forum. After breaching the perimeter, the attackers altered device settings to ensure persistent access, even if login credentials were later changed. They then moved through the internal network to gain administrative control of the Windows domain. The destructive phase involved a PowerShell-based wiper script dubbed LazyWiper, also deployed through Group Policy Objects to overwrite and destroy business-critical data. Analysis suggests the file-overwriting code within this wiper was likely generated by a large language model.
(Source: HelpNet Security)
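The common initial access vector above was VPN accounts on internet-exposed FortiGate devices without multi-factor authentication. The following is an added example, not code from the report or from Fortinet, of a small audit script that parses a FortiOS-style configuration export and lists local users whose `two-factor` setting is disabled; the config fragment is constructed for illustration, and the check covers only local accounts (users authenticated through RADIUS or LDAP may have MFA enforced elsewhere).

```python
# Constructed FortiOS-style config fragment (not from the incident). The
# "config user local" block declares local accounts; "set two-factor"
# is "disable" by default when the line is absent.
SAMPLE_CONFIG = """\
config user local
    edit "svc-vpn"
        set type password
        set passwd-time 2025-10-01 09:00:00
    next
    edit "operator1"
        set type password
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
    next
    edit "contractor"
        set type password
        set two-factor disable
    next
end
config vpn ssl settings
    set port 443
end
"""

def parse_local_users(config_text):
    """Return {username: two_factor_value} from the 'config user local' block."""
    users, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user local":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            users[current] = "disable"  # FortiOS default when no two-factor line is set
        elif line.startswith("set two-factor ") and current:
            users[current] = line.split(None, 2)[2].strip()
        elif line == "next":
            current = None
    return users

def users_without_mfa(config_text):
    """Local accounts whose two-factor setting is 'disable', explicitly or by default."""
    return sorted(u for u, tf in parse_local_users(config_text).items() if tf == "disable")

if __name__ == "__main__":
    for name in users_without_mfa(SAMPLE_CONFIG):
        print(f"local user without two-factor: {name}")
```

Run it against a real `show full-configuration` export to get a list of accounts to remediate before they are allowed on an internet-facing VPN.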