CERT Polska, the Polish laptop emergency response workforce, revealed that coordinated cyber assaults focused greater than 30 wind and photovoltaic farms, a personal firm from the manufacturing sector, and a big mixed warmth and energy plant (CHP) supplying warmth to virtually half 1,000,000 clients within the nation.
The incident happened on December 29, 2025. The company has attributed the assaults to a menace cluster dubbed Static Tundra, which can also be tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (previously Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Safety Service’s (FSB) Heart 16 unit.
It is price noting that current studies from ESET and Dragos attributed the exercise with reasonable confidence to a distinct Russian state-sponsored hacking group often known as Sandworm.
“All assaults had a purely damaging goal,” CERT Polska stated in a report printed Friday. “Though assaults on renewable vitality farms disrupted communication between these amenities and the distribution system operator, they didn’t have an effect on the continued manufacturing of electrical energy. Equally, the assault on the mixed warmth and energy plant didn’t obtain the attacker’s supposed impact of disrupting warmth provide to finish customers.”
The attackers are stated to have gained entry to the inner community of energy substations related to a renewable vitality facility to hold out reconnaissance and disruptive actions, together with damaging the firmware of controllers, deleting system information, or launching custom-built wiper malware codenamed DynoWiper by ESET.
Within the intrusion aimed on the CHP, the adversary engaged in long-term information theft relationship all the best way again to March 2025 that enabled them to escalate privileges and transfer laterally throughout the community. The attackers’ makes an attempt to detonate the wiper malware had been unsuccessful, CERT Polska famous.
Alternatively, the concentrating on of the manufacturing sector firm is believed to be opportunistic, with the menace actor gaining preliminary entry by way of a weak Fortinet perimeter system. The assault concentrating on the grid connection level can also be more likely to have concerned the exploitation of a weak FortiGate equipment.
A minimum of 4 totally different variations of DynoWiper have been found up to now. These variants had been deployed on Mikronika HMI Computer systems utilized by the vitality facility and on a community share throughout the CHP after securing entry via the SSL‑VPN portal service of a FortiGate system.
“The attacker gained entry to the infrastructure utilizing a number of accounts that had been statically outlined within the system configuration and didn’t have two‑issue authentication enabled,” CERT Polska stated, detailing the actor’s modus operandi concentrating on the CHP. “The attacker related utilizing Tor nodes, in addition to Polish and international IP addresses, which had been usually related to compromised infrastructure.”
The wiper’s performance is pretty simple –
- Initialization that entails seeding a pseudorandom quantity generator (PRNG) known as Mersenne Tornado
- Enumerate information and corrupt them utilizing the PRNG
- Delete information
It is price mentioning right here that the malware doesn’t have a persistence mechanism, a approach to talk with a command‑and‑management (C2) server, or execute shell instructions. Nor does it try to cover the exercise from safety packages.
CERT Polska stated the assault concentrating on the manufacturing sector firm concerned using a PowerShell-based wiper dubbed LazyWiper that scripts overwrites information on the system with pseudorandom 32‑byte sequences to render them unrecoverable. It is suspected that the core wiping performance was developed utilizing a big language mannequin (LLM).
“The malware used within the incident involving renewable vitality farms was executed straight on the HMI machine,” CERT Polska identified. “In distinction, within the CHP plant (DynoWiper) and the manufacturing sector firm (LazyWiper), the malware was distributed throughout the Lively Listing area by way of a PowerShell script executed on a site controller.”
The company additionally described a number of the code-level similarities between DynoWiper and different wipers constructed by Sandworm as “common” in nature and doesn’t provide any concrete proof as as to if the menace actor participated within the assault.
“The attacker used credentials obtained from the on‑premises setting in makes an attempt to achieve entry to cloud providers,” CERT Polska stated. “After figuring out credentials for which corresponding accounts existed within the M365 service, the attacker downloaded chosen information from providers similar to Alternate, Groups, and SharePoint.”
“The attacker was notably curious about information and e mail messages associated to OT community modernization, SCADA techniques, and technical work carried out throughout the organizations.”
