Poland Faces Coordinated Cyberattacks on Critical Energy Infrastructure On December 29, 2025, Poland experienced a large-scale cyberattack targeting its energy sector, marking a significant escalation in destructive operations against critical infrastructure. Over 30 wind and photovoltaic farms, a major combined heat and power (CHP) plant serving 500,000 customers, and an unrelated manufacturing company were hit in synchronized assaults during extreme winter conditions, heightening vulnerabilities amid high energy demand. The attackers, demonstrating a purely destructive intent akin to physical sabotage, employed advanced tactics targeting both IT systems and industrial control devices a rare and sophisticated approach. Primary attack vectors included power substations connecting renewable energy sources to the grid, where Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), protection relays, and network infrastructure were compromised. Methods involved firmware corruption, system file deletion, and custom wiper malware, disrupting remote control capabilities while leaving energy production intact. At the CHP plant, attackers conducted prolonged reconnaissance, leveraging stolen credentials for lateral movement before executing a partially automated destructive operation. Wiper malware activation was thwarted by Endpoint Detection and Response (EDR) software, preventing catastrophic damage. The manufacturing sector attack, though opportunistic, mirrored the same wiper malware, suggesting coordinated timing rather than a unified strategic objective. Infrastructure analysis links the campaign to the threat cluster tracked as Static Tundra (Cisco), Berserk Bear (CrowdStrike), Ghost Blizzard (Microsoft), and Dragonfly (Symantec). While the group has a history of energy sector targeting, this marks its first publicly attributed destructive operation. Despite the attackers’ efforts, the assaults failed to achieve their intended impact renewable energy production remained uninterrupted, and heat supply to end users was maintained. The incident highlights the growing risk of cyber-sabotage against critical infrastructure, particularly during periods of operational stress.