Coordinated Cyberattacks Target Poland’s Critical Infrastructure in December 2025
On 29 December 2025, a series of destructive cyberattacks struck Poland’s energy and industrial sectors, orchestrated by a Russia-linked threat actor tracked as Static Tundra (also known as Berserk Bear, Ghost Blizzard, and Dragonfly). Poland’s CERT Polska confirmed the attacks targeted renewable energy facilities, a heat and power (CHP) plant, and a private manufacturing company, though no disruptions to energy generation or distribution occurred.
Initial Access & Tactics
The attackers gained entry through internet-exposed FortiGate devices that served as perimeter firewalls and VPN concentrators and had no multi-factor authentication (MFA) enforced. In every case initial access relied on compromised credentials; in some, the attackers also made use of stolen device configurations.
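A practical first check for the weakness described above is to audit the FortiGate configuration backup itself: the file that shows which accounts lack a second factor is the same file that, once stolen, hands an attacker the device's credential material. The following Python script is an added example, not code from this page or from CERT Polska. It parses the FortiOS CLI-style backup format (config/edit/set/next/end blocks), lists admin and local VPN accounts whose two-factor setting is absent or disabled, and enumerates every ENC-encoded secret the backup carries. The embedded backup text is constructed for the example; the account names, token serials, addresses and blob values are placeholders.

```python
import shlex

# Constructed FortiOS-style backup for this example. Account names, token serials,
# addresses and ENC blobs are placeholders, not data from any real device.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=0:vdom=0:user=admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2ExampleBlobNotReal0000000000000000000000000000
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set password ENC SH2ExampleBlobNotReal1111111111111111111111111111
    next
end
config user local
    edit "ot-vendor"
        set type password
        set passwd ENC ExampleBlobNotReal2222222222
    next
    edit "scada-ops"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000002"
        set passwd ENC ExampleBlobNotReal3333333333
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan1"
        set psksecret ENC ExampleBlobNotReal4444444444
        set remote-gw 203.0.113.10
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
end
"""


def parse_fortios_config(text):
    """Parse a FortiOS CLI backup into {section_path: {entry_name: {key: [values]}}}.

    config/end open and close sections, edit/next open and close entries, and
    set/unset assign inside whichever is current. Settings made directly in a
    section (no edit) are stored under the entry name None; a config block nested
    inside an edit is keyed by the full path including the parent entry name.
    """
    tree = {}
    stack = []                      # saved (section, entry) for each open config block
    section, entry = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *args = shlex.split(line)   # shlex keeps quoted names like "super_admin" whole
        if verb == "config":
            stack.append((section, entry))
            parent = (section or ()) + ((entry,) if entry is not None else ())
            section, entry = parent + (" ".join(args),), None
            tree.setdefault(section, {})
        elif verb == "edit":
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif verb == "set":
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "unset":
            tree[section].setdefault(entry, {}).pop(args[0], None)
        elif verb == "next":
            entry = None
        elif verb == "end":
            section, entry = stack.pop()
    return tree


def accounts_without_two_factor(tree):
    """(section, account) for every admin and local user with no enabled second factor."""
    weak = []
    for section_name in ("system admin", "user local"):
        for name, settings in tree.get((section_name,), {}).items():
            if name is None:
                continue
            two_factor = settings.get("two-factor", ["disable"])
            if not two_factor or two_factor[0] == "disable":
                weak.append((section_name, name))
    return weak


def credential_blobs(tree):
    """(section, entry, key) for every ENC-encoded secret the backup carries."""
    blobs = []
    for section, entries in tree.items():
        for name, settings in entries.items():
            for key, values in settings.items():
                if values and values[0] == "ENC":
                    blobs.append((" ".join(section), name, key))
    return blobs


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_BACKUP)
    for section, name in accounts_without_two_factor(cfg):
        print(f"NO 2FA  {section}: {name}")
    for section, name, key in credential_blobs(cfg):
        print(f"SECRET  {section} / {name} / {key}")
```

Run against a real backup, the first list is the set of accounts an attacker with a leaked password can use without a second factor; the second list is what a stolen configuration exposes. Whether an ENC blob is recoverable depends on how the device was set up, but a leaked backup should be treated as exposing every secret in that list and all of them rotated, which is the lesson of the stolen-configuration access described above.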
Renewable Energy Sector Disruptions
At least 30 wind and solar farms were hit, with attackers focusing on substation control systems interfacing with distribution operators. Compromised equipment included:
- RTU controllers, protection relays, and HMI computers
- Hitachi Energy, Mikronika, and Moxa devices in industrial automation environments
Destructive actions, including firmware corruption, file deletions, and factory resets, cut communication between the facilities and their operators, though power generation continued uninterrupted.
Heat & Power Plant Sabotage Attempt
A CHP plant supplying heat to nearly half a million customers was targeted in a prolonged intrusion dating back months. Attackers conducted:
- Internal reconnaissance and credential theft (including Active Directory admin access)
- Lateral movement across servers and workstations
- Deployment of DynoWiper malware via Group Policy Objects (GPOs)
An EDR platform blocked the wiper’s execution, limiting damage. Evidence suggests preparations began earlier in 2025, indicating a long-term operation.
Manufacturing Company Attack
A private manufacturing firm was also targeted opportunistically. Attackers:
- Gained access via a Fortinet device with a publicly leaked configuration
- Modified settings to maintain persistence despite credential changes
- Deployed LazyWiper, a PowerShell-based wiper distributed via GPOs, designed to destroy business-critical data
CERT Polska noted the wiper’s file-overwriting function may have been generated by an LLM.
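Both wipers above reached their targets through Group Policy, so the policy objects themselves are where a defender should look: a GPO that pushes a scheduled task reaches every in-scope host at the next refresh, and the task definition sits in plain XML in SYSVOL. The script below is an added example, not material from this page or from CERT Polska's report, and its heuristics are general GPO-abuse signals rather than the specific artifacts of DynoWiper or LazyWiper. It parses a Group Policy Preferences ScheduledTasks.xml (found under a GPO's Machine\Preferences\ScheduledTasks folder in SYSVOL), decodes any -EncodedCommand payload, and flags tasks that combine immediate execution, SYSTEM context, a scripting host and suspicious arguments. The XML, the task names, the domain corp.example and the encoded payload are all constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from ntpath import basename

# Scripting hosts and LOLBins that a policy-pushed task rarely has a legitimate reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Checked against the raw task arguments and, when one is present, the decoded -enc payload.
ARG_SIGNALS = [
    (re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), "encoded PowerShell command"),
    (re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)\\\\[^\\\s]+\\(?:SYSVOL|NETLOGON)\\"), "payload staged on SYSVOL/NETLOGON"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|frombase64string)\b"), "in-memory download/decode"),
]

# Constructed payload and ScheduledTasks.xml; corp.example, the task names and GUIDs are placeholders.
PAYLOAD = r"IEX (Get-Content \\corp.example\NETLOGON\w.ps1 -Raw)"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
REFERENCE_DATE = datetime(2025, 12, 30)   # "now" for the recent-change check in this offline example

SAMPLE_SCHEDULED_TASKS = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 name="Nightly Backup" changed="2025-06-02 01:12:44" uid="{1A2B3C4D-0000-4000-8000-000000000001}">
    <Properties action="C" name="Nightly Backup" runAs="CORP\svc-backup" logonType="Password">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Backup\backup.exe</Command>
        <Arguments>--profile nightly</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="update" changed="2025-12-28 22:41:03" uid="{1A2B3C4D-0000-4000-8000-000000000002}">
    <Properties action="C" name="update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
        <Arguments>-nop -w hidden -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\cleanup.ps1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <ImmediateTaskV2 name="svc" changed="2025-12-29 03:05:17" uid="{1A2B3C4D-0000-4000-8000-000000000003}">
    <Properties action="C" name="svc" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-nop -w hidden -enc __ENCODED__</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>""".replace("__ENCODED__", ENCODED)


def decode_encoded_command(args):
    """Return the UTF-16LE text behind -e/-ec/-enc/-EncodedCommand, or None if there is none."""
    m = ARG_SIGNALS[0][0].search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0).split()[-1]).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_gpp_tasks(xml_text, reference=None, window_days=7):
    """One result per task: what it runs, as whom, and why it was flagged.

    A task is flagged when it shows at least one command/argument signal and
    two or more signals overall (immediate execution, SYSTEM, recent change,
    scripting host, suspicious arguments).
    """
    results = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        reasons, exec_signals = [], 0
        if task.tag == "ImmediateTaskV2":
            reasons.append("ImmediateTaskV2: runs at the next policy refresh on every in-scope host")
        run_as = props.get("runAs", "")
        if "SYSTEM" in run_as.upper():
            reasons.append(f"runs as {run_as}")
        changed = task.get("changed")
        if reference is not None and changed:
            age = reference - datetime.strptime(changed, "%Y-%m-%d %H:%M:%S")
            if 0 <= age.days <= window_days:
                reasons.append(f"policy changed {changed}, within the last {window_days} days")
        command = args = decoded = None
        for exec_el in props.iter("Exec"):          # last Exec wins for the summary fields
            command = (exec_el.findtext("Command") or "").strip()
            args = (exec_el.findtext("Arguments") or "").strip()
            if basename(command).lower() in SCRIPT_HOSTS:
                reasons.append(f"launches {basename(command)}")
                exec_signals += 1
            decoded = decode_encoded_command(args)
            haystack = args + (" " + decoded if decoded else "")   # look through the encoding
            for pattern, label in ARG_SIGNALS:
                if pattern.search(haystack):
                    reasons.append(label)
                    exec_signals += 1
        results.append({"name": props.get("name"), "kind": task.tag, "run_as": run_as,
                        "command": command, "arguments": args, "decoded": decoded,
                        "reasons": reasons, "flagged": exec_signals > 0 and len(reasons) >= 2})
    return results


if __name__ == "__main__":
    for r in hunt_gpp_tasks(SAMPLE_SCHEDULED_TASKS, reference=REFERENCE_DATE):
        print(("FLAG " if r["flagged"] else "ok   ") + f"{r['kind']} {r['name']!r} as {r['run_as']}")
        for reason in r["reasons"]:
            print("       - " + reason)
```

Point it at each ScheduledTasks.xml under \\domain\SYSVOL\domain\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ and pass the current time as reference; a flagged ImmediateTaskV2 created by an account that normally never edits policy is the kind of artifact to pull and analyse before the next refresh interval elapses. The recent-change window is a triage aid only; the command-line signals carry the decision.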
Impact & Attribution
While the attacks disrupted monitoring and control systems, they failed to halt energy production. All incidents were linked to the same threat actor, with tactics aligning with known Russian cyberespionage and sabotage operations. The use of wiper malware, stolen credentials, and prolonged reconnaissance underscores the highly targeted and destructive nature of the campaign.
{
  "id": "FORCERMOX1770408103",
  "linkid": "fortinet, cert-in, moxa-inc",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {
      "industry": "Energy",
      "location": "Poland",
      "name": "Renewable energy facilities (wind and solar farms)",
      "type": "Critical Infrastructure"
    },
    {
      "customers_affected": "Nearly 500,000",
      "industry": "Energy",
      "location": "Poland",
      "name": "Heat and Power (CHP) plant",
      "size": "Supplies heat to nearly half a million customers",
      "type": "Critical Infrastructure"
    },
    {
      "industry": "Manufacturing",
      "location": "Poland",
      "name": "Private manufacturing company",
      "type": "Private Company"
    }
  ],
  "attack_vector": "Exploited internet-exposed FortiGate VPN devices without multi-factor authentication (MFA) using compromised credentials and stolen configurations",
  "data_breach": {
    "data_encryption": "Data corruption via wiper malware",
    "sensitivity_of_data": "High (industrial control systems, business operations)",
    "type_of_data_compromised": ["Industrial control system configurations", "Business-critical data"]
  },
  "date_detected": "2025-12-29",
  "description": "On 29 December 2025, a series of destructive cyberattacks struck Poland’s energy and industrial sectors, orchestrated by a Russia-linked threat actor tracked as Static Tundra (also known as Berserk Bear, Ghost Blizzard, and Dragonfly). The attacks targeted renewable energy facilities, a heat and power (CHP) plant, and a private manufacturing company, though no disruptions to energy generation or distribution occurred.",
  "impact": {
    "data_compromised": "Business-critical data, industrial control system configurations",
    "downtime": "Lost communication between facilities and operators",
    "operational_impact": "Disrupted monitoring and control systems in renewable energy facilities and a CHP plant",
    "systems_affected": [
      "RTU controllers",
      "Protection relays",
      "HMI computers",
      "Industrial automation devices (Hitachi Energy, Mikronika, Moxa)",
      "Active Directory servers",
      "Workstations"
    ]
  },
  "initial_access_broker": {
    "entry_point": "FortiGate VPN devices",
    "high_value_targets": ["Active Directory admin access", "Industrial control systems"],
    "reconnaissance_period": "Months (prolonged intrusion at CHP plant)"
  },
  "motivation": ["Sabotage", "Cyberespionage", "Disruption of critical infrastructure"],
  "post_incident_analysis": {
    "root_causes": [
      "Lack of MFA on critical VPN devices",
      "Exposed internet-facing systems",
      "Stolen credentials",
      "Prolonged reconnaissance"
    ]
  },
  "references": [{"source": "CERT Polska"}],
  "response": {
    "enhanced_monitoring": "EDR platform blocked wiper execution",
    "third_party_assistance": "CERT Polska"
  },
  "threat_actor": "Static Tundra (Berserk Bear, Ghost Blizzard, Dragonfly)",
  "title": "Coordinated Cyberattacks Target Poland’s Critical Infrastructure in December 2025",
  "type": ["Destructive Cyberattack", "Sabotage", "Cyberespionage"],
  "vulnerability_exploited": [
    "Lack of MFA on FortiGate VPN devices",
    "Exposed VPN concentrators",
    "Stolen credentials"
  ]
}