Static Tundra Sabotage Attempts Against Poland’s Energy Sector Using DynoWiper
CERT Polska reported late-2025 sabotage activity against Poland’s energy sector attributed to the threat actor Static Tundra, including coordinated intrusions affecting renewable energy facilities, a large combined heat and power (CHP) plant, and an energy-linked manufacturer. The activity showed a shift from espionage to disruption, including an operational technology (OT) incident in which attackers reached a renewable facility’s Grid Control Point (GCP) and executed a shutdown of industrial automation devices. Investigators also observed targeting of Moxa NPort serial-to-Ethernet devices, including password changes to lock out operators and deployment of corrupted firmware that could prevent controller startup and require manual recovery.
The same reporting described two destructive malware families, DynoWiper and LazyWiper, used to render systems and data unrecoverable; DynoWiper was documented deleting files from Mikronika RTU controllers, while LazyWiper appeared to provide redundant destructive capability. Separately, an opinion piece highlighted that attempted disruption of the Polish distribution grid was rebuffed and reported, and used the Poland case (alongside speculative discussion of Venezuela) to argue that energy infrastructure attacks are becoming more common; it provided limited additional technical detail beyond noting ambiguity around attribution and the broader trend toward “democratized” attack tooling.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Analysts attribute Poland energy attacks primarily to Static Tundra
Analysis published with the CERT Polska reporting linked the campaign's infrastructure primarily to the state-sponsored cluster Static Tundra, also known as Berserk Bear, Ghost Blizzard, and Dragonfly. Researchers also noted possible but inconclusive similarities to Sandworm-associated tooling.
CERT Polska publicly reports destructive attacks on energy infrastructure
By February 2026, CERT Polska disclosed that the late-2025 campaign against Poland's energy infrastructure involved destructive malware and operational disruption affecting OT systems. The report identified DynoWiper and LazyWiper and described damage to industrial controller environments.
Attempted disruption of Poland's distribution grid is reportedly rebuffed
In early 2026, Poland reportedly faced an attempted disruption of its distribution grid, but the effort was said to have been successfully resisted. The incident was cited as an example of stronger resilience in power infrastructure defense.
Operation Absolute Resolve linked to Caracas power outage
On January 3, 2026, a Caracas power outage was associated in reporting with 'Operation Absolute Resolve,' described as a US operation aimed at abducting Venezuelan President Nicolás Maduro. Public attribution and the exact method of disruption remained unclear.
Attackers disrupt Polish grid operations and damage OT devices
During the campaign, the attackers reportedly took control of a Grid Control Point, shut down industrial automation devices, and damaged RTU controllers to disrupt communications with the Distribution System Operator. They also targeted Moxa NPort devices by changing passwords and installing corrupted firmware that required manual recovery.
Static Tundra launches coordinated attacks on Poland's energy sector
In late 2025, attackers conducted sustained cyberattacks against Polish energy-sector critical infrastructure, including renewable energy facilities and a large combined heat and power plant. The activity extended from IT into OT environments and marked an escalation from espionage toward disruptive operations.


