Destructive Cyberattack on Poland’s Energy Sector via Vulnerable Edge Devices
Poland’s Computer Emergency Response Team reported that a destructive cyber incident in December 2025 compromised OT/ICS environments across the country’s energy sector, including renewable energy plants (wind and photovoltaic), a combined heat and power facility, and at least one manufacturing organization. The intrusion reportedly began through vulnerable internet-facing edge devices, after which the actor deployed wiper malware that damaged remote terminal units (RTUs), destroyed data on human-machine interfaces (HMIs), and corrupted firmware on OT devices. The result was a loss of operator “view and control”: renewable generation continued producing power, but the plants could no longer be monitored or controlled as designed. Reporting indicated the activity overlapped with infrastructure associated with a Russian government-linked hacking group.
CISA issued an alert to U.S. critical infrastructure organizations to amplify the Polish findings and emphasize mitigations for energy-sector OT/ICS defenders. It highlighted the ongoing risk from end-of-support edge devices and the need to harden remote access paths, improve credential hygiene (including replacing default credentials), and plan incident response for scenarios in which OT devices become inoperable or are permanently damaged by firmware corruption. Separate industry commentary and a Dark Reading article provided broader context on the evolution of OT threats (e.g., lessons from Ukraine’s 2015 grid attack and emerging “living-off-the-plant” techniques), but did not add incident-specific details about the Poland event beyond reinforcing the general trend of increasing attacker capability and interest in industrial environments.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
UK NCSC warns critical infrastructure after Poland attack
Following the Poland incident, the UK's National Cyber Security Centre issued a severe cyberthreat alert to critical infrastructure operators, warning that similar targeting could escalate quickly. The guidance urged resilience improvements including vulnerability management, secure configuration, access controls, monitoring, threat hunting, and segmentation.
Poland incident drives debate over attribution and response thresholds
By mid-February 2026, public reporting highlighted conflicting attribution assessments linking the operation to Russia-associated actors including Static Tundra/Berserk Bear, Sandworm, and Dragos's Electrum cluster. The failed but potentially harmful attack also triggered debate over whether such cyber operations meet legal or strategic thresholds for retaliation under NATO and international law.
CISA issues alert amplifying Poland incident and OT/ICS mitigations
On 2026-02-10, CISA published an alert to amplify CERT Polska's findings and warn critical infrastructure operators about OT and ICS security gaps exposed by the Poland incident. The agency emphasized risks from unsupported edge devices and default credentials, and recommended mitigations such as firmware verification, password changes, and OT-focused incident response planning.
CERT Polska publishes energy sector incident report
On 2026-01-30, CERT Polska published its report on the December 2025 incident, describing three parallel campaigns and warning that the attack could have left nearly half a million residents without heat if it had succeeded. The report characterized the operation as technically unprecedented in scale and highlighted overlap with Russia-linked infrastructure.
Attackers disrupt OT systems with wiper malware and edge-device compromise
The attackers gained access through vulnerable or misconfigured internet-facing edge devices and, in some cases, default credentials, then pivoted into OT environments. They deployed wiper malware that damaged RTUs, destroyed HMI data, and corrupted OT device firmware, causing loss of view and control between facilities and operators even though power generation continued.
Coordinated cyberattack begins against Poland's energy sector
Beginning on 2025-12-29, attackers targeted Poland's energy infrastructure, including more than 30 wind and photovoltaic farms, a combined heat-and-power plant, and related organizations. The operation occurred during severe winter conditions and was later described by Polish authorities as one of the country's most aggressive cyber incidents in years.
Sources
Europe's Cyber Bullets Can't Replace Political Will | Lawfare (lawfaremedia.org)
Poland Energy Survives Attack on Wind, Solar Infrastructure (darkreading.com)
Polish Grid Systems Targeted: The Reality of ICS Security Debt (vulnu.com)
Alert: 'Severe Cyberthreat' to Critical Infrastructure (bankinfosecurity.com)
Breach Roundup: CISA Flags OT Risks After Polish Grid Hack (bankinfosecurity.com)
Russia Hacked the Polish Electricity Grid. Now What? (bankinfosecurity.com)
After major Poland energy grid cyberattack, CISA issues warning to U.S. audience | CyberScoop (cyberscoop.com)
Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps | CISA (cisa.gov)