CERT Polska, the Polish pc emergency response staff, revealed that coordinated cyber assaults focused greater than 30 wind and photovoltaic farms, a non-public firm from the manufacturing sector, and a big mixed warmth and energy plant (CHP) supplying warmth to virtually half 1,000,000 clients within the nation.
The incident came about on December 29, 2025. The company has attributed the assaults to a risk cluster dubbed Static Tundra, which can be tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (previously Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Safety Service’s (FSB) Heart 16 unit.
It is value noting that latest stories from ESET and Dragos attributed the exercise with average confidence to a special Russian state-sponsored hacking group generally known as Sandworm.
“All assaults had a purely harmful goal,” CERT Polska mentioned in a report revealed Friday. “Though assaults on renewable vitality farms disrupted communication between these services and the distribution system operator, they didn’t have an effect on the continuing manufacturing of electrical energy. Equally, the assault on the mixed warmth and energy plant didn’t obtain the attacker’s supposed impact of disrupting warmth provide to finish customers.”
The attackers are mentioned to have gained entry to the inner community of energy substations related to a renewable vitality facility to hold out reconnaissance and disruptive actions, together with damaging the firmware of controllers, deleting system recordsdata, or launching custom-built wiper malware codenamed DynoWiper by ESET.
Within the intrusion aimed on the CHP, the adversary engaged in long-term knowledge theft courting all the way in which again to March 2025 that enabled them to escalate privileges and transfer laterally throughout the community. The attackers’ makes an attempt to detonate the wiper malware had been unsuccessful, CERT Polska famous.
Then again, the focusing on of the manufacturing sector firm is believed to be opportunistic, with the risk actor gaining preliminary entry by way of a weak Fortinet perimeter machine. The assault focusing on the grid connection level can be more likely to have concerned the exploitation of a weak FortiGate equipment.
Not less than 4 totally different variations of DynoWiper have been found so far. These variants had been deployed on Mikronika HMI Computer systems utilized by the vitality facility and on a community share throughout the CHP after securing entry by means of the SSL‑VPN portal service of a FortiGate machine.
“The attacker gained entry to the infrastructure utilizing a number of accounts that had been statically outlined within the machine configuration and didn’t have two‑issue authentication enabled,” CERT Polska mentioned, detailing the actor’s modus operandi focusing on the CHP. “The attacker related utilizing Tor nodes, in addition to Polish and international IP addresses, which had been typically related to compromised infrastructure.”
The wiper’s performance is pretty simple –
- Initialization that entails seeding a pseudorandom quantity generator (PRNG) known as Mersenne Tornado
- Enumerate recordsdata and corrupt them utilizing the PRNG
- Delete recordsdata
It is value mentioning right here that the malware doesn’t have a persistence mechanism, a strategy to talk with a command‑and‑management (C2) server, or execute shell instructions. Nor does it try to cover the exercise from safety packages.
CERT Polska mentioned the assault focusing on the manufacturing sector firm concerned using a PowerShell-based wiper dubbed LazyWiper that scripts overwrites recordsdata on the system with pseudorandom 32‑byte sequences to render them unrecoverable. It is suspected that the core wiping performance was developed utilizing a big language mannequin (LLM).
“The malware used within the incident involving renewable vitality farms was executed straight on the HMI machine,” CERT Polska identified. “In distinction, within the CHP plant (DynoWiper) and the manufacturing sector firm (LazyWiper), the malware was distributed throughout the Lively Listing area by way of a PowerShell script executed on a website controller.”
The company additionally described a few of the code-level similarities between DynoWiper and different wipers constructed by Sandworm as “normal” in nature and doesn’t supply any concrete proof as as to if the risk actor participated within the assault.
“The attacker used credentials obtained from the on‑premises setting in makes an attempt to achieve entry to cloud providers,” CERT Polska mentioned. “After figuring out credentials for which corresponding accounts existed within the M365 service, the attacker downloaded chosen knowledge from providers reminiscent of Change, Groups, and SharePoint.”
“The attacker was significantly fascinated with recordsdata and electronic mail messages associated to OT community modernization, SCADA methods, and technical work carried out throughout the organizations.”
