Poland's Energy Sector Attack: When Cyber Sabotage Targets OT
By Patrick Miller
On December 29, 2025, Poland experienced coordinated destructive cyberattacks across 30+ wind/solar farms, a CHP plant, and manufacturing. Attackers exploited FortiGate devices without MFA, used default credentials on OT equipment, and deployed custom wiper malware designed to damage industrial controls. In this attack, every failure was preventable. Many of these gaps are present across North American utilities today.
Overview
On December 29, 2025, Poland experienced something the critical infrastructure security community has been warning about for years but rarely sees executed at scale: a coordinated destructive cyberattack that bridged IT and OT environments, targeting operational technology with the explicit intent to cause physical disruption. The details are officially shared in an excellent report from CERT.PL.
The attacks hit at least 30 wind and solar farms, a combined heat and power plant serving nearly half a million customers, and a manufacturing facility. This wasn't ransomware. There were no demands, no negotiations, no data theft for extortion. They came to break things. In CERT Polska’s own words: “By analogy to the physical world, [the attacks] can be compared to deliberate arson.”
What makes this incident significant is not just the coordination or the timing during Poland's winter storms, but how the attackers moved through these environments. They exploited perimeter devices, pivoted into industrial control networks, and deployed custom wiper malware designed specifically to damage RTUs, PLCs, HMIs, and serial device servers. This is the kind of attack scenario that gets modeled in tabletop exercises but rarely happens in the real world with this level of operational focus.
Credit is also due to CERT Polska and Poland's Ministry of Digital Affairs for their response and transparency. The 45-page incident report they published is one of the most technically detailed public disclosures of a destructive OT cyberattack the sector has seen. It includes forensic timelines, malware analysis with YARA rules, infrastructure IOCs, and frank assessments of what failed and why. That level of openness, especially from a nation-state target during an active geopolitical conflict, sets a standard the rest of the critical infrastructure community should follow. Simply put, CERT Polska's forensically grounded report set the bar.
The Attack Pattern
All three incidents share a common entry point: compromised FortiGate VPN appliances. The attacker gained access using accounts with default or weak credentials and no multi-factor authentication. From there, the pattern diverges based on target type, but the intent remains consistent.
At the renewable energy farms
The attacker focused on grid connection point substations, the interface between generation assets and the distribution grid. These are typically unmanned facilities with remote management capabilities. The attackers systematically damaged:
Hitachi RTU560 controllers by uploading corrupted firmware that caused boot loops
Mikronika RTUs by executing commands via SSH that deleted critical system files
Hitachi Relion protection relays using default FTP credentials to delete files required for device operation
Moxa NPort serial device servers by factory-resetting them and changing passwords and IP addresses to delay recovery
The result was loss of communication between facilities and distribution system operators. Generation continued, but visibility and remote control were lost.
At the CHP plant
The attacker had been present since at least March 2025, conducting reconnaissance of SCADA systems, exfiltrating Active Directory databases, and stealing FortiGate configurations. On December 29, they attempted to distribute wiper malware across the domain via Group Policy Objects. The organization's EDR detected and blocked the deployment, but not before the attacker also attempted to destroy server data by booting Tiny Core Linux via KVM and using dd to overwrite portions of RAID arrays.
At the manufacturing facility
The attacker used similar tactics: FortiGate compromise, lateral movement via Impacket, credential harvesting, and attempted wiper deployment via GPO. They also configured FortiGate scripts to periodically exfiltrate administrator passwords and weaken security settings, sending results to a Slack channel under their control.
What Actually Got Damaged
The technical details matter because they show how an attacker with OT knowledge operates differently than one focused purely on IT disruption.
The wiper malware (CERT Polska calls it "DynoWiper") was not designed to encrypt or ransom. It was designed to overwrite files at pseudorandom offsets, corrupt firmware, and render devices unbootable. It avoided certain system directories to prevent immediate blue-screens, allowing it to run longer and damage more files before triggering alerts.
At renewable farms, the attacker knew which devices control what. RTUs provide telemetry and supervisory control. Protection relays detect faults and isolate equipment. Serial device servers bridge legacy protocols to IP networks. Damaging all three simultaneously removes visibility, control, and protection, forcing operators into manual mode or complete shutdown.
The attacker also understood the role of default credentials in industrial environments. Hitachi RTU560 devices shipped with a "Default" account that had firmware upload privileges. Moxa NPort devices had default web credentials. Hitachi Relion relays had default FTP accounts that, if not disabled during deployment per manufacturer guidance, provided filesystem access. These aren't zero-days. They're configuration/design failures that are endemic in OT.
Attribution and Infrastructure
CERT Polska's analysis links the attack infrastructure to activity clusters publicly known as "Static Tundra" (Cisco), "Berserk Bear" (CrowdStrike), "Ghost Blizzard" (Microsoft), and "Dragonfly" (Symantec). These names refer to Russian state-aligned threat actors with a long history of targeting energy infrastructure.
The attackers used compromised VPS servers and Cisco routers for command and control, consistent with prior reporting on this actor's use of compromised infrastructure for anonymization. They also employed reverse SOCKS proxies and Tor to further obfuscate their origin.
Interestingly, CERT Polska notes that while the wiper malware shares some architectural similarities with tools historically used by the "Sandworm" activity cluster (also Russian-aligned, responsible for Ukraine grid attacks), the overlap is not strong enough for high-confidence attribution. What is clear is that this attack represents a significant escalation in publicly observed destructive cyber operations targeting European critical infrastructure.
What the Global Energy Sector Should Take From This
This is not theoretical. This fact should not be news to anyone paying attention (see Ukraine 2015, 2016, 2022). This particular attack demonstrated that adversaries are willing and able to:
Operate in OT environments with specific technical knowledge of RTUs, protection relays, SCADA protocols, and grid architecture
Maintain long-term persistent access before executing destructive actions (the CHP plant attacker was present for at least nine months)
Coordinate across multiple targets simultaneously to maximize operational impact
Exploit default credentials and weak perimeter defenses as primary entry vectors
The good news is that none of the techniques used here are novel or undetectable. Every single phase of this attack could have been disrupted with controls that already exist and are well understood:
Multi-factor authentication on all remote access, especially VPN concentrators and jump hosts
Elimination of default credentials in OT devices during commissioning
Network segmentation to prevent lateral movement from IT into OT and create control points for better monitoring
Endpoint detection and response (EDR) deployed in OT environments (where operationally feasible)
Firmware integrity verification and code signing for RTUs and controllers
Asset inventories that include serial device servers, protection relays, and other "low-visibility" devices
The CHP plant's EDR stopped the wiper deployment. That control worked. The renewable farms had no EDR on HMI computers and no monitoring on controllers. Those environments were defenseless once the attacker gained network access.
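The default-credential findings and the control list above describe the same commissioning discipline from two directions: accounts that ship enabled, remote access without MFA, unverified firmware, and devices reachable from the wrong segment. The script below is an added example (not code from the post, CERT Polska, or any vendor) of how a utility could audit its own asset inventory for those four failure classes before a device goes live. The inventory records, the approved-firmware manifest, the OT address range and the "ftp" account name used for the Relion relay are constructed assumptions; the "Default" (RTU560), root (Mikronika SSH), admin (Moxa web) and Windows Administrator (HMI) names are the ones the post itself reports.

```python
"""Commissioning audit for OT assets, modelled on the control list above.

Each inventory record is checked for the failure classes CERT Polska documented:
factory accounts left enabled, remote access without MFA, firmware that does not
match a known-good manifest, and devices addressed outside the OT segment.
All inventory data, hashes and ranges below are constructed sample values.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: model -> SHA-256 of the vendor image approved for
# deployment. In practice this comes from the vendor's signed release notes.
APPROVED_FIRMWARE = {
    "RTU560": sha256(b"rtu560-approved-image-v1"),
    "NPort": sha256(b"nport-approved-image-v1"),
}

# Vendor-shipped account names that must be disabled or renamed at commissioning.
# "Default", root, admin and Administrator are the accounts named in the post;
# "ftp" is a placeholder for the relay's default FTP account.
FACTORY_ACCOUNTS = {
    "RTU560": {"Default"},
    "Mikronika": {"root"},
    "NPort": {"admin"},
    "Relion": {"ftp"},
    "HMI": {"Administrator"},
}

# Constructed: address range reserved for the OT network at this site.
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")


@dataclass
class Asset:
    name: str
    model: str
    ip: str
    enabled_accounts: set
    remote_access: bool
    mfa: bool
    firmware_sha256: str = ""


def audit_asset(asset: Asset) -> list:
    """Return a list of human-readable findings for one asset (empty if clean)."""
    findings = []
    leftover = FACTORY_ACCOUNTS.get(asset.model, set()) & asset.enabled_accounts
    if leftover:
        findings.append(f"factory account(s) still enabled: {sorted(leftover)}")
    if asset.remote_access and not asset.mfa:
        findings.append("remote access without MFA")
    expected = APPROVED_FIRMWARE.get(asset.model)
    if expected and asset.firmware_sha256 != expected:
        findings.append("firmware hash does not match approved manifest")
    if ipaddress.ip_address(asset.ip) not in OT_NETWORK:
        findings.append(f"address {asset.ip} is outside the OT segment {OT_NETWORK}")
    return findings


def audit_inventory(assets) -> dict:
    """Return {asset name: [findings]} for every asset with at least one finding."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory for one substation site.
SAMPLE_INVENTORY = [
    Asset("rtu-sub1", "RTU560", "10.20.1.10", {"Default", "ops"}, True, False,
          APPROVED_FIRMWARE["RTU560"]),
    Asset("relay-sub1", "Relion", "10.20.1.11", {"ftp", "engineer"}, False, False),
    Asset("nport-sub1", "NPort", "10.20.1.12", {"ops"}, True, True,
          sha256(b"nport-unknown-image")),
    Asset("hmi-sub1", "HMI", "192.168.5.20", {"operator"}, True, True),
    Asset("rtu-sub2", "Mikronika", "10.20.2.10", {"ops"}, True, True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script reports four of the five sample assets: the RTU560 for its enabled "Default" account and MFA-less remote access, the relay for its FTP account, the NPort for an unapproved firmware image, and the HMI for sitting on a non-OT address; only the Mikronika RTU passes. The same checks map directly onto the asset inventory and configuration-management gaps discussed later in the NERC Roadmap section.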
NERC CIP Roadmap Timing and Intersection
This isn’t just a Poland issue. This adversary (at the national level) is known for cyber attacks and cyber espionage in most corners of the globe, including North America.
Three weeks after the Poland attacks (but before any official report was available from CERT Polska), NERC published its Critical Infrastructure Protection Roadmap, a comprehensive assessment of where the CIP standards are failing to keep pace with how the grid has changed and how adversaries now operate. Read alongside CERT Polska's incident report, the Roadmap reads like foreshadowing, because it essentially predicted what just happened.
NERC's risk assessment ranked "Insufficient Low-Impact Security" as the 12th highest residual risk to the North American bulk power system. The Roadmap explicitly warned that "coordinated attacks on multiple low-impact assets could aggregate to a negative BPS impact." Poland's renewable energy farms, 30+ wind and solar facilities hit simultaneously, are exactly that scenario playing out. These were not high-impact, CIP-covered control centers. They were distributed generation facilities that, if they were in the US, would not have enforceable minimum security baselines to defend against this.
The Roadmap also identified "Unregistered 3rd-Party Operators" as the 17th highest risk, noting that "non-NERC registered entities with remote access to generation facilities for monitoring, maintenance, or control capabilities could be targeted via cyber-attacks leading to risk to the grid." In Poland, the manufacturing facility attack involved FortiGate persistence scripts that exfiltrated credentials to a Slack channel, evidence of third-party operational dependency on remote access infrastructure that was never designed with adversarial resilience in mind.
NERC's top near-term recommendation is to mandate MFA for interactive remote access to low-impact BES Cyber Systems. Every entry point in Poland's attacks involved compromised remote access without MFA. FortiGate VPNs, default credentials, credential reuse, and static passwords provided the initial footholds that allowed attackers to move from IT networks into OT environments and from one facility to another across flat, under-segmented networks.
The Roadmap's second major theme, foundational cyber hygiene, reads like an autopsy checklist for what failed in Poland. NERC calls out persistent gaps in asset identification, configuration management, vulnerability and patch management, and network topology documentation. Poland's attackers exploited default credentials on Hitachi RTUs (the "Default" account with firmware upload privileges), Mikronika devices (default root SSH access), Moxa serial servers (factory default admin passwords), and HMIs (default Windows admin credentials). These are not zero-days. They are deployment failures that could have been prevented with disciplined commissioning processes and asset lifecycle management, the exact "foundational controls" NERC now says must become part of the baseline for low-impact systems.
NERC's third priority, protection of public network communications, also intersects with this attack. The Roadmap warns that "electric utilities rely on leased or third-party network circuits for SCADA and AGC communications" and that "recent state-sponsored campaigns targeting telecommunications providers demonstrate that these networks cannot be assumed to be trustworthy." While CERT Polska did not detail the telecom dependencies involved in Poland's grid operations, the attacker's use of compromised infrastructure, Tor nodes, and reverse proxies to obscure command-and-control traffic suggests they understood how to exploit trust assumptions in carrier networks. NERC's recommendation to expand CIP-012 protections to facility-to-control-center links is directly aimed at closing this exposure.
The timing here is not coincidental. NERC did not write the Roadmap in response to Poland. The Roadmap was the product of a year-long risk assessment process that surveyed industry, analyzed incident data, and built a structured evaluation framework. What makes this moment significant is that a major European grid attack, executed by a capable adversary with OT-specific knowledge, has now validated nearly every high-priority gap NERC identified.
For North American utilities, this is a forcing function. The CIP Roadmap is no longer a planning document. It is a checklist of things adversaries are already exploiting in the wild. MFA for remote access is not a future nicety, it is the control that stops the initial access phase of attacks like this. Foundational cyber hygiene is not compliance overhead, it is the difference between an attacker spending nine months undetected in your network versus being stopped at the perimeter. And low-impact system security is not optional, it is the new front line, because that is where the grid's operational dependency now sits.
The NIS 2 Question
Poland's attacks occurred during regulatory limbo: the EU's NIS 2 transposition deadline passed in October 2024, but Poland's implementing (transposing) legislation remains pending in Parliament as of this writing. At the time of the attacks, Poland was still operating under the original 2016 NIS Directive.
NIS 2 brings meaningful improvements that could reduce the likelihood and impact of attacks like these: mandatory supply chain security assessments that would force scrutiny of vendor remote access practices, enhanced incident reporting requirements that drive detection capabilities and response coordination, and explicit business continuity obligations that push entities to prepare for loss of visibility and control scenarios.
The defensive successes in Poland, EDR blocking wiper deployment, operators maintaining control through SCADA loss, rapid multi-entity coordination, reflect the kind of organizational discipline that NIS 2's risk management framework is designed to institutionalize.
The Bigger Picture
Poland's experience is not unique. It is part of a pattern of increasing willingness by state actors to use cyber capabilities for coercive and destructive purposes against critical infrastructure. Ukraine has experienced repeated grid attacks since 2015. The U.S. grid has been quietly pre-positioned by Chinese actors (Volt Typhoon). European energy operators have been targeted by Russian actors for years.
What was clearly demonstrated here is that the attacks were overt, destructive, and operationally focused. The attackers were not positioning for future contingencies. This was straight sabotage.
For utilities, generators, grid operators, and all the grid assets in between and adjacent, this means that cybersecurity for OT can no longer be optional, deferred, or ignored. The threat is not hypothetical. The techniques are proven. Each attack is practice for being more effective at the next one. The targets are clear and well-studied. The adversaries are mapping the environment, stealing credentials, honing skills, and preparing for the next operation. Accepting this reality and acting accordingly is the most responsible approach, regardless of whether or not you are required by regulation to do so.