On December 29, 2025, coordinated cyber attacks on energy infrastructure quietly unfolded across Poland—targeting more than 30 wind and solar farms, a combined heat and power (CHP) plant serving nearly half a million people, and a manufacturing company.
The attacks did not cause blackouts or heat outages—but that is precisely what makes them alarming.
According to CERT Polska, the threat actor’s objective was purely destructive, deploying wiper malware against operational technology (OT) environments tied to renewable energy production and industrial control systems (ICS). While production was not ultimately disrupted, the incidents exposed systemic weaknesses in perimeter security, identity controls, and OT-cloud integration.
In this article, we break down what happened, how the attacks worked, and—most importantly—what CISOs, SOC teams, and infrastructure operators must do now to defend against the next wave of nation-state activity targeting energy and industrial environments.
What Are Cyber Attacks on Energy Infrastructure?
Cyber attacks on energy infrastructure refer to malicious activities that target systems responsible for generating, transmitting, or distributing electricity, heat, oil, gas, or renewable energy.
These attacks typically focus on:
- Operational Technology (OT) systems
- SCADA and ICS environments
- Grid connection points
- Energy management and monitoring systems
- Hybrid IT/OT/cloud architectures
Unlike traditional IT breaches, energy infrastructure attacks can result in:
- Physical equipment damage
- Loss of electricity or heat supply
- Safety risks to personnel
- Cascading failures across critical services
Nation-state actors increasingly view energy systems—especially renewables and decentralized grids—as strategic leverage points.
Overview of the CERT Polska Incident
CERT Polska attributed the December 2025 campaign to a threat cluster known as Static Tundra, also tracked under multiple aliases:
- Berserk Bear
- Energetic Bear
- Dragonfly
- Ghost Blizzard (formerly Bromine)
- Havex
The group is assessed to be linked to Russia’s FSB Center 16, though parallel reporting from ESET and Dragos suggests possible overlap with Sandworm, another Russian state-sponsored actor known for disruptive OT attacks.
Affected Sectors
| Sector | Impact |
|---|---|
| Wind & Solar Farms | Communication disruption with grid operators |
| CHP Plant | Long-term espionage, attempted wiper deployment |
| Manufacturing Company | Opportunistic destructive attack |
Key takeaway: Even unsuccessful attacks can expose architectural weaknesses and create future leverage for adversaries.
How the Attacks Worked: Technical Breakdown
1. Initial Access via Perimeter Devices
The attackers exploited vulnerable Fortinet FortiGate perimeter devices, gaining access through:
- SSL-VPN services
- Statically defined accounts
- No multi-factor authentication (MFA)
This reflects a recurring pattern in critical infrastructure breaches: edge device compromise as the entry point.
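The three weaknesses listed above (SSL-VPN exposure, static accounts, no MFA) all leave traces in the appliance's authentication log, which is where a SOC would first look for this pattern, and where the later advice to monitor for anomalous VPN behaviour starts. The following Python script is an added example, not CERT Polska's or Fortinet's code: it triages a handful of constructed VPN login records for logins without a second factor, logins by static or shared accounts, sources on a Tor exit list, and successes preceded by failures. The key=value log format, the account names, the documentation-range addresses and the Tor exit list are all constructed for the example and do not follow any vendor's log schema.

```python
"""Triage of SSL-VPN authentication logs for the weaknesses in the
CERT Polska report: static accounts, logins without MFA, and access
routed through Tor.  Added example; not CERT Polska's or Fortinet's code.
The key=value log format, account names, addresses and Tor exit list are
constructed for this example and do not follow any appliance's schema.
"""
import re
from collections import defaultdict

# Constructed sample events (documentation-range IP addresses).
SAMPLE_LOGS = """\
2025-12-28T02:14:07Z action=tunnel-up user=svc_turbine_rtu src=198.51.100.23 mfa=none result=success
2025-12-28T02:15:41Z action=tunnel-up user=j.kowalski src=203.0.113.45 mfa=totp result=success
2025-12-28T02:16:09Z action=tunnel-up user=svc_turbine_rtu src=192.0.2.77 mfa=none result=success
2025-12-28T02:17:30Z action=tunnel-up user=admin src=192.0.2.77 mfa=none result=failure
2025-12-28T02:17:35Z action=tunnel-up user=admin src=192.0.2.77 mfa=none result=success
2025-12-28T03:02:11Z action=tunnel-up user=a.nowak src=203.0.113.46 mfa=totp result=success
"""

# Constructed Tor exit list; a real deployment refreshes this from a feed.
TOR_EXITS = {"192.0.2.77"}

# Statically defined / shared accounts (vendor maintenance, local admin).
STATIC_ACCOUNTS = {"svc_turbine_rtu", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)


def parse_vpn_log(text):
    """Parse the constructed key=value lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def triage(events, tor_exits=TOR_EXITS, static_accounts=STATIC_ACCOUNTS):
    """Return findings for successful logins that match any weak pattern.

    Each finding carries the event, its reasons and a severity:
    'high' when two or more reasons coincide, otherwise 'medium'.
    """
    failures = defaultdict(int)   # (user, src) -> failed attempts seen so far
    findings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key] += 1
            continue
        if ev["result"] != "success":
            continue
        reasons = []
        if ev["mfa"] == "none":
            reasons.append("login without MFA")
        if ev["user"] in static_accounts:
            reasons.append("static/shared account")
        if ev["src"] in tor_exits:
            reasons.append("source is a Tor exit")
        if failures[key]:
            reasons.append(f"{failures[key]} failed attempt(s) preceded success")
        if reasons:
            findings.append({
                "user": ev["user"], "src": ev["src"], "ts": ev["ts"],
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


def accounts_without_mfa(events):
    """Accounts that completed a login with no second factor: the MFA backlog."""
    return sorted({ev["user"] for ev in events
                   if ev["result"] == "success" and ev["mfa"] == "none"})


if __name__ == "__main__":
    events = parse_vpn_log(SAMPLE_LOGS)
    for f in triage(events):
        print(f["severity"].upper(), f["user"], f["src"], "; ".join(f["reasons"]))
    print("MFA backlog:", accounts_without_mfa(events))
```

The `accounts_without_mfa` list is the practical output: it is the enrolment backlog that "MFA on all remote access" turns into. On the sample data every successful login that lacks MFA is also a static account, which is exactly the combination the report describes.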
2. Lateral Movement in IT and OT Networks
Once inside, the adversary:
- Performed reconnaissance in power substations
- Escalated privileges in Active Directory
- Moved laterally across IT and OT segments
- Used Tor and compromised infrastructure to obfuscate access
In the CHP incident, attackers conducted long-term data exfiltration dating back to March 2025, highlighting the risk of undetected dwell time in hybrid environments.
3. Deployment of Wiper Malware
DynoWiper (Energy & CHP Targets)
DynoWiper was deployed on:
- Mikronika HMI computers
- Network shares in the CHP environment
Capabilities:
- Seeds a PRNG (Mersenne Twister)
- Corrupts files with pseudorandom data
- Deletes system files
Notably, DynoWiper includes no persistence, no C2 communication, and no evasion techniques—suggesting its sole purpose is irreversible destruction.
LazyWiper (Manufacturing Target)
The manufacturing company was hit with LazyWiper, a PowerShell-based wiper that:
- Overwrites files with random 32-byte sequences
- Renders recovery impossible
- Was likely LLM-assisted in development
This demonstrates how AI-assisted malware creation is lowering the barrier for custom destructive tooling.
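Both wipers described above share a detectable footprint: files that were ordinary documents or configuration suddenly consist of pseudorandom bytes, and the overwrites arrive as a burst rather than as normal editing. The Python below is an added example, not CERT Polska's or the malware authors' code, showing how a file-integrity monitor on a share such as the CHP network shares could spot that footprint by comparing Shannon entropy before and after and checking whether the changes cluster in time. The file names, contents and modification times are constructed; the "after" snapshot is built in memory with a seeded PRNG purely so the example is reproducible, and nothing touches the filesystem.

```python
"""Detecting the on-disk footprint of a file-corrupting wiper.

DynoWiper overwrites files with pseudorandom data; LazyWiper overwrites
them with random 32-byte sequences.  Either way, affected files suddenly
look like random data, and the overwrites arrive as a burst.  This added
example (not CERT Polska's or the malware authors' code) compares two
snapshots of a share by Shannon entropy and checks whether the changes
cluster in time.  File names, contents and modification times are
constructed; the 'after' snapshot is built in memory with a seeded PRNG
only so that the example is reproducible.
"""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5      # bits/byte; uniform random data approaches 8.0
ENTROPY_JUMP = 2.0      # require a jump relative to the file's own baseline


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed 'before' snapshot: ordinary plaintext engineering files.
BASELINE = {
    "substation_A/hmi_config.xml": b"<config><rtu id='A1' ip='10.10.1.5'/></config>\n" * 40,
    "docs/scada_modernisation_plan.txt": b"Project plan for the SCADA migration, phase 2.\n" * 60,
    "docs/turbine_maintenance.txt": b"Turbine T-07 gearbox inspection due 2026-02.\n" * 50,
    "readme.txt": b"Shared drive for plant engineering.\n",
}

# Constructed modification times (epoch seconds) seen in the 'after' snapshot.
MODIFIED_AT = {
    "substation_A/hmi_config.xml": 1_767_000_000,
    "docs/scada_modernisation_plan.txt": 1_767_000_004,
    "docs/turbine_maintenance.txt": 1_767_000_009,
    "readme.txt": 1_766_900_000,
}


def constructed_wiped_snapshot(seed: int = 1337):
    """Return the baseline with the first three files replaced by same-size
    pseudorandom bytes (in memory only; simulates the post-overwrite state)."""
    rng = random.Random(seed)
    after = dict(BASELINE)
    for path in list(BASELINE)[:3]:
        after[path] = bytes(rng.getrandbits(8) for _ in range(len(BASELINE[path])))
    return after


def detect_wiper_activity(before, after, modified_at, window_seconds=60, min_files=3):
    """Flag files whose content jumped to random-looking data and report
    whether those modifications cluster within `window_seconds`."""
    suspicious = []
    for path, new in after.items():
        old = before.get(path)
        if old is None or old == new:
            continue
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        if e_new >= HIGH_ENTROPY and (e_new - e_old) >= ENTROPY_JUMP:
            suspicious.append({"path": path, "before": round(e_old, 2), "after": round(e_new, 2)})
    times = sorted(modified_at[s["path"]] for s in suspicious)
    burst = len(times) >= min_files and (times[-1] - times[0]) <= window_seconds
    return {"suspicious": suspicious, "burst": burst}


if __name__ == "__main__":
    result = detect_wiper_activity(BASELINE, constructed_wiped_snapshot(), MODIFIED_AT)
    for s in result["suspicious"]:
        print(f"{s['path']}: entropy {s['before']} -> {s['after']}")
    print("mass-overwrite burst:", result["burst"])
```

Two design points matter in practice. The check requires an entropy jump relative to the file's own baseline, not just a high absolute value, because compressed formats (Office files are ZIP containers, as are most images) are already near 8 bits per byte and would otherwise be false positives. And the burst test is what separates a wiper from a single user saving an encrypted archive: three or more files turning random within a minute is the signal worth paging on.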
Why Renewable Energy Is a Prime Target
1. Increased Digitization
Modern renewable energy farms rely on:
- Remote monitoring
- Cloud-connected OT
- Automated grid balancing systems
Each connection expands the attack surface.
2. Weak IT/OT Segmentation
Many environments lack:
- Strict network zoning
- OT-aware intrusion detection
- Least-privilege identity controls
This enables attackers to pivot from IT into OT with minimal resistance.
3. Strategic and Geopolitical Value
Disrupting renewable energy:
- Undermines national resilience
- Creates public distrust in green infrastructure
- Offers geopolitical leverage without kinetic force
Cloud and M365 Exposure in the Attack
CERT Polska confirmed that attackers attempted to use on-prem credentials to access Microsoft 365 services, including:
- Exchange
- Teams
- SharePoint
They specifically targeted:
- OT modernization documents
- SCADA architecture files
- Technical engineering communications
This underscores a critical risk:
Compromised OT credentials can directly expose cloud collaboration platforms.
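Because the same identities span the on-prem VPN and Microsoft 365, a hunt for this activity has to join the two sides: accounts or source addresses already flagged on the VPN, and cloud audit records showing what those identities then touched. The Python below is an added example, not CERT Polska's or Microsoft's code. It takes a constructed set of flagged accounts and addresses, a handful of constructed and deliberately simplified audit records for Exchange, Teams-style sign-ins and SharePoint, and scores each record by whether the identity or address was flagged and whether the object is OT engineering material such as SCADA or HMI documents. The account names, addresses, file paths and keyword list are constructed, and the record layout is a simplification rather than the real Microsoft 365 unified audit log schema.

```python
"""Hunting for reuse of compromised on-prem credentials against Microsoft 365.

CERT Polska reports that attackers tried on-prem credentials against
Exchange, Teams and SharePoint and targeted OT modernisation and SCADA
architecture documents.  This added example (not CERT Polska's or
Microsoft's code) joins accounts and addresses already flagged on the VPN
side with simplified cloud audit records and scores the overlap.  Account
names, addresses, file paths and the audit records are constructed, and the
record layout is a simplification, not the real unified audit log schema.
"""
from collections import defaultdict

# Constructed inputs: accounts and source addresses flagged on the VPN side.
SUSPECT_ACCOUNTS = {"svc_turbine_rtu@example.org", "admin@example.org"}
SUSPECT_IPS = {"192.0.2.77"}

# Crude keyword list identifying OT engineering material in paths/subjects.
OT_KEYWORDS = ("scada", "hmi", "rtu", "plc", "substation", "modernis", "moderniz")

# Constructed, simplified audit records.
AUDIT_EVENTS = [
    {"ts": "2025-12-28T02:20:01Z", "workload": "AzureActiveDirectory", "op": "UserLoggedIn",
     "user": "svc_turbine_rtu@example.org", "ip": "192.0.2.77", "object": ""},
    {"ts": "2025-12-28T02:21:15Z", "workload": "SharePoint", "op": "FileDownloaded",
     "user": "svc_turbine_rtu@example.org", "ip": "192.0.2.77",
     "object": "/sites/Engineering/SCADA_architecture_v3.vsdx"},
    {"ts": "2025-12-28T02:25:40Z", "workload": "Exchange", "op": "MailItemsAccessed",
     "user": "admin@example.org", "ip": "192.0.2.77", "object": "Inbox"},
    {"ts": "2025-12-28T08:05:12Z", "workload": "SharePoint", "op": "FileAccessed",
     "user": "j.kowalski@example.org", "ip": "203.0.113.45",
     "object": "/sites/Engineering/holiday_rota.xlsx"},
    {"ts": "2025-12-28T08:31:07Z", "workload": "SharePoint", "op": "FileDownloaded",
     "user": "a.nowak@example.org", "ip": "203.0.113.46",
     "object": "/sites/Engineering/HMI_modernisation_plan.docx"},
]


def is_ot_document(name: str) -> bool:
    """True when the object name contains one of the OT keywords."""
    lower = name.lower()
    return any(k in lower for k in OT_KEYWORDS)


def score_event(ev, suspect_accounts=SUSPECT_ACCOUNTS, suspect_ips=SUSPECT_IPS):
    """Return (score, reasons).  Strong signals (flagged account or address)
    weigh 2 each; touching OT material weighs 1 on its own."""
    reasons = []
    if ev["user"] in suspect_accounts:
        reasons.append("account flagged on VPN")
    if ev["ip"] in suspect_ips:
        reasons.append("source address flagged on VPN")
    score = 2 * len(reasons)
    if is_ot_document(ev["object"]):
        reasons.append("OT engineering material")
        score += 1
    return score, reasons


def hunt(events, suspect_accounts=SUSPECT_ACCOUNTS, suspect_ips=SUSPECT_IPS):
    """Score every record; return findings sorted by score, highest first."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev, suspect_accounts, suspect_ips)
        if score:
            findings.append({**ev, "score": score, "reasons": reasons,
                             "priority": "investigate" if score >= 2 else "review"})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def ot_documents_by_user(events):
    """Which accounts touched OT material in SharePoint: input to the
    data-exposure assessment once the intrusion is confirmed."""
    touched = defaultdict(list)
    for ev in events:
        if ev["workload"] == "SharePoint" and is_ot_document(ev["object"]):
            touched[ev["user"]].append(ev["object"])
    return dict(touched)


if __name__ == "__main__":
    for f in hunt(AUDIT_EVENTS):
        print(f["priority"], f["score"], f["user"], f["op"], "; ".join(f["reasons"]))
    print(ot_documents_by_user(AUDIT_EVENTS))
```

The keyword match is intentionally coarse and will produce "review" level hits on legitimate engineering work (the `a.nowak` download in the sample); the point is that a flagged identity or address lifts the same record to "investigate", and that `ot_documents_by_user` gives incident responders the list of what an attacker could have read even when the login itself looked routine.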
Mapping the Attack to MITRE ATT&CK for ICS
| Tactic | Technique |
|---|---|
| Initial Access | Exploit Public-Facing Application |
| Credential Access | Valid Accounts |
| Lateral Movement | Remote Services |
| Impact | Data Destruction |
| Discovery | Network Service Scanning |
Using MITRE ATT&CK for ICS enables SOC teams to model, detect, and prioritize similar attack paths.
Common Mistakes Organizations Make
- ❌ Treating VPNs as “trusted” zones
- ❌ No MFA on OT-adjacent systems
- ❌ Poor logging in ICS environments
- ❌ Inadequate asset visibility
- ❌ Assuming renewables are “low-risk” targets
Best Practices to Defend Against Energy Infrastructure Attacks
1. Enforce Zero Trust for IT/OT Environments
- MFA on all remote access
- No implicit trust between IT and OT
- Continuous authentication and monitoring
2. Secure Perimeter Devices Aggressively
- Rapid patching of VPNs and firewalls
- Disable unused accounts
- Monitor for anomalous VPN behavior
3. Segment and Monitor OT Networks
- Implement network zoning
- Deploy OT-aware threat detection tools
- Monitor HMI and controller behavior
4. Align with Security Frameworks
- NIST SP 800-82 (ICS Security)
- ISO/IEC 27001
- MITRE ATT&CK for ICS
- NIS2 Directive (EU regulatory relevance)
5. Prepare for Destructive Attacks
- Immutable backups
- Offline recovery plans
- Tabletop exercises for wiper scenarios
Compliance and Regulatory Implications
For EU-based operators, this incident directly intersects with:
- NIS2 Directive obligations
- Critical entity resilience requirements
- Supply chain security expectations
Failure to address these risks may result in regulatory penalties, operational downtime, and reputational damage.
FAQs: Cyber Attacks on Energy Infrastructure
What was the goal of the CERT Polska attacks?
The attacks were purely destructive, aiming to wipe systems rather than steal data or demand ransom.
Did the attacks disrupt electricity or heat supply?
No—but CERT Polska confirmed the intent was to do so, and future attempts may succeed.
Why are wiper attacks more dangerous than ransomware?
Wipers permanently destroy data, offering no recovery option or negotiation path.
How did attackers access cloud services?
They reused compromised on-prem credentials to access Microsoft 365 accounts.
Are renewable energy systems more vulnerable than traditional grids?
They often have broader digital exposure, making them attractive targets if not properly secured.
Conclusion: A Warning Shot for Critical Infrastructure
The CERT Polska incident is not an anomaly—it is a preview of modern cyber warfare targeting energy systems, renewables, and industrial operations.
Even failed attacks deliver intelligence, test defenses, and refine future playbooks.
For CISOs, SOC leaders, and infrastructure operators, the message is clear:
Cyber attacks on energy infrastructure are no longer hypothetical—they are operational reality.
Now is the time to reassess OT security, enforce zero trust, and prepare for destructive attack scenarios before resilience is tested the hard way.
Next step: Conduct an OT security posture assessment or review your incident response plan for wiper malware scenarios.