On 29 December 2025, in the morning and afternoon hours, coordinated attacks took place in Polish cyberspace. They were directed at more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant supplying heat to almost half a million customers in Poland.
All attacks had a purely destructive objective. By analogy to the physical world, they can be compared to deliberate arson. It is worth noting that this occurred during a period when Poland was struggling with low temperatures and snowstorms just before the New Year. Although attacks on renewable energy farms disrupted communication between these facilities and the distribution system operator, they did not affect the ongoing production of electricity. Similarly, the attack on the combined heat and power plant did not achieve the attacker’s intended effect of disrupting heat supply to end users.
These events affected both IT systems and physical industrial devices, which is rarely observed in previously described attacks. We are publishing a report on this incident to share knowledge about the sequence of events and the techniques used by the attacker. We hope this will increase awareness of the real risk associated with sabotage in cyberspace. The observed attacks represent a significant escalation compared to incidents we have encountered so far.
Attack on Renewable Energy Plants
The attacks targeted power substations - grid connection points that serve as hubs transferring energy from wind and photovoltaic sources to the distribution system. Numerous industrial automation devices operating at these grid connection points were of interest to the attacker. These include RTUs responsible for telecontrol and supervision of substation operation, local HMIs visualizing the facility’s operational status, protection relays responsible for, among other things, protection against electrical damage, and communication devices such as serial port servers, modems, routers, and network switches.
After gaining access to the internal network of the grid connection points, the attacker carried out reconnaissance and then prepared a plan of destructive actions targeting the devices they had gained access to: damaging controller firmware, deleting system files, or launching custom-built destructive software (wiper malware). The partially automated plan was triggered on the morning of 29 December. As a result of the damage to the RTUs, the stations lost the ability to communicate with the DSO's systems, which also prevented remote control, although this did not affect ongoing energy production.
Attack on a Large Combined Heat and Power Plant
The goal of the attack on the combined heat and power plant was sabotage in the form of irreversible destruction of data stored on devices in the entity's internal network using wiper malware. The attack was preceded by long-term infiltration of the infrastructure and theft of sensitive operational information. Through these actions, the attacker gained access to privileged accounts, which allowed them to move freely within the plant's systems. When the attacker attempted to activate the malicious software, its operation was blocked by the EDR software used by the organization.
Attack on a Manufacturing Sector Company
On the same day - 29 December - the attacker also attempted to disrupt the operations of a manufacturing sector company. These actions were coordinated with the attacks on the energy-sector entities, but the objective was opportunistic and unrelated to the other targets. The wiper malware used was identical to that employed in the attack on the combined heat and power plant. A detailed technical analysis of the malware is included in the report.
Attribution
Analysis of the infrastructure used in the attack - including compromised VPS servers, routers, traffic patterns, and characteristics of anonymizing infrastructure - shows a high degree of overlap with the infrastructure used by the activity cluster publicly known as “Static Tundra” (Cisco), “Berserk Bear” (CrowdStrike), “Ghost Blizzard” (Microsoft), and “Dragonfly” (Symantec). Public descriptions of this actor's activities indicate a strong interest in the energy sector and capabilities to attack industrial devices, which are consistent with the attacker's actions observed in this incident. This is, however, the first publicly described destructive activity attributed to this activity cluster.
We encourage everyone to download and read the report, in which we describe the full timeline of events, a technical analysis of the malware used, indicators of compromise, and details of the attacker’s tactics, techniques, and procedures.
