Destructive Cyberattack on Poland’s Energy Sector via Vulnerable Edge Devices
Poland’s Computer Emergency Response Team reported that a destructive cyber incident in December 2025 compromised OT/ICS environments across the country’s energy sector, including renewable energy plants (wind and photovoltaic), a combined heat and power facility, and at least one manufacturing organization. The intrusion reportedly began through vulnerable internet-facing edge devices, after which the actor deployed wiper malware that damaged remote terminal units (RTUs), destroyed data on human-machine interfaces (HMIs), and corrupted firmware on OT devices. The result was a loss of operator “view and control”: renewable generation continued to produce power, but it could not be monitored or controlled as designed. Reporting indicated the activity overlapped with infrastructure associated with a Russian government-linked hacking group.
CISA issued an alert to U.S. critical infrastructure organizations to amplify the Polish findings and emphasize mitigations for energy-sector OT/ICS defenders. The alert highlighted the ongoing risk from end-of-support edge devices and the need to harden remote access paths, improve credential hygiene (including replacing default credentials), and plan incident response for scenarios in which OT devices become inoperable or are permanently damaged by firmware corruption. Separate industry commentary and a Dark Reading article provided broader context on the evolution of OT threats (e.g., lessons from Ukraine’s 2015 grid attack and emerging “living-off-the-plant” techniques), but did not add incident-specific details about the Poland event beyond reinforcing the general trend of increasing attacker capability and interest in industrial environments.
Related Stories
Static Tundra Sabotage Attempts Against Poland’s Energy Sector Using DynoWiper
CERT Polska reported **late-2025 sabotage activity** against Poland’s energy sector attributed to the threat actor **Static Tundra**, including coordinated intrusions affecting renewable energy facilities, a large combined heat and power (CHP) plant, and an energy-linked manufacturer. The activity showed a shift from espionage to disruption, including an operational technology (OT) incident in which attackers reached a renewable facility’s **Grid Control Point (GCP)** and executed a shutdown of industrial automation devices. Investigators also observed targeting of **Moxa NPort** serial-to-Ethernet devices, including password changes to lock out operators and deployment of corrupted firmware that could prevent controller startup and require manual recovery. The same reporting described two destructive malware families, **DynoWiper** and **LazyWiper**, used to render systems and data unrecoverable; DynoWiper was documented deleting files from **Mikronika RTU controllers**, while LazyWiper appeared to provide redundant destructive capability. Separately, an opinion piece highlighted that attempted disruption of the Polish distribution grid was **rebuffed and reported**, and used the Poland case (alongside speculative discussion of Venezuela) to argue that energy infrastructure attacks are becoming more common; it provided limited additional technical detail beyond noting ambiguity around attribution and the broader trend toward “democratized” attack tooling.
Sandworm Accused of Cyberattack on Poland’s Power Grid
Polish authorities and reporting tied to **ESET research** attributed a disruptive cyber incident affecting Poland’s electricity grid to **Russia-linked threat actors**, with **Sandworm** named as the likely operator behind the operation in late 2025. The incident was characterized as a targeted attack on critical infrastructure, reinforcing ongoing concerns about state-aligned activity against European energy networks. A separate malware-newsletter roundup recirculated the attribution as one of many items, while an unrelated CSO Online feature focused on forward-looking **CISO predictions for 2026** and did not provide incident-specific details. Executive teams should treat the Poland grid activity as part of the broader pattern of **Russian state-linked** operations against OT/ICS environments, with emphasis on validating segmentation, monitoring for lateral movement into OT, and ensuring incident response playbooks cover grid/industrial disruption scenarios.
Rising Risk of State-Linked Attacks on Power Grids and Operational Technology
Reporting highlighted growing concern that **state-affiliated and state-linked actors** are positioning for disruptive attacks against **operational technology (OT)** and critical infrastructure, with activity that may be difficult for operators to detect. A Codific analysis described five common pathways seen in disruptive grid-focused intrusions—often beginning with **human error or exposed perimeter services**, then escalating through **credential theft**, **remote access exploitation** (e.g., VPNs/gateways), **ransomware**, and misuse of **legitimate industrial commands** that can delay operations and complicate detection and recovery; it also warned that attacks on virtualized environments can hinder restoration efforts and that cascading impacts could be severe (e.g., Lloyd’s “Business Blackout” scenario estimating losses up to **$1T**). Recommended mitigations emphasized proven controls such as **phishing-resistant MFA** and **IT/OT segmentation**, rather than novel defenses. Separate commentary and media content also pointed to OT becoming a frontline in geopolitical escalation, including claims of a coordinated campaign tied to Iran-linked hacktivist activity targeting OT devices such as **Unitronics PLCs** used in water and industrial facilities, alongside psychological operations and SMS spoofing. Other items in the set were leadership/career/podcast-style content without specific incident or vulnerability detail and do not materially add to the OT/power-grid threat reporting.