CERT-In A.I CyberSecurity Scoring
CERT-In
Company Information
Website: http://www.cert-in.org.in
Number of employees: 126
Number of followers: 14,109
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: cert-in.org.in
CERT-In Risk Score (AI oriented)
Between 750 and 799
CERT-In - Computer and Network Security
Updated: 09/03/2026
750/1000
Fair
Baa

CERT-In: Fair
Current Score: 750 Baa (FAIR)
Scale: 0 to 1000
1 incident
-1 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 751
MAY 2026: 751
APRIL 2026: 750
MARCH 2026: 750
FEBRUARY 2026: 750
JANUARY 2026: 750
DECEMBER 2025: 751
Vulnerability
29 Dec 2025 • CERT-In
Fortinet, Moxa and CERT Polska: Poland’s energy control systems were breached through exposed VPN access
Coordinated Cyberattacks Target Poland’s Critical Infrastructure in December 2025
750
CRITICAL-1
FORCERMOX1770408103
On 29 December 2025, a series of destructive cyberattacks struck Poland’s energy and industrial sectors, orchestrated by a Russia-linked threat actor tracked as Static Tundra (also known as Berserk Bear, Ghost Blizzard, and Dragonfly). Poland’s CERT Polska confirmed the attacks targeted renewable energy facilities, a heat and power (CHP) plant, and a private manufacturing company, though no disruptions to energy generation or distribution occurred.
### Initial Access & Tactics
The attackers exploited internet-exposed FortiGate VPN devices used as perimeter firewalls and VPN concentrators without multi-factor authentication (MFA). In all cases, compromised credentials allowed initial access, with attackers leveraging stolen configurations in some instances.
### Renewable Energy Sector Disruptions
At least 30 wind and solar farms were hit, with attackers focusing on substation control systems interfacing with distribution operators. Compromised equipment included:
- RTU controllers, protection relays, and HMI computers
- Hitachi Energy, Mikronika, and Moxa devices in industrial automation environments
Destructive actions, including firmware corruption, file deletions, and factory resets, led to lost communication between facilities and operators, though power generation continued uninterrupted.
### Heat & Power Plant Sabotage Attempt
A CHP plant supplying heat to nearly half a million customers was targeted in a prolonged intrusion dating back months. Attackers conducted:
- Internal reconnaissance and credential theft (including Active Directory admin access)
- Lateral movement across servers and workstations
- Deployment of DynoWiper malware via Group Policy Objects (GPOs)
An EDR platform blocked the wiper’s execution, limiting damage. Evidence suggests preparations began earlier in 2025, indicating a long-term operation.
### Manufacturing Company Attack
A private manufacturing firm was also targeted opportunistically. Attackers:
- Gained access via a Fortinet device with a publicly leaked configuration
- Modified settings to maintain persistence despite credential changes
- Deployed LazyWiper, a PowerShell-based wiper distributed via GPOs, designed to destroy business-critical data
CERT Polska noted the wiper’s file-overwriting function may have been generated by an LLM.
### Impact & Attribution
While the attacks disrupted monitoring and control systems, they failed to halt energy production. All incidents were linked to the same threat actor, with tactics aligning with known Russian cyberespionage and sabotage operations. The use of wiper malware, stolen credentials, and prolonged reconnaissance underscores the highly targeted and destructive nature of the campaign.
NOVEMBER 2025: 751
OCTOBER 2025: 751
SEPTEMBER 2025: 751
AUGUST 2025: 751
JULY 2025: 751