Ministerstwo Energii: Coordinated Cyberattacks Hit 30 Wind and Solar Farms Across Poland

Poland Faces Coordinated Cyberattacks on Critical Energy Infrastructure

On December 29, 2025, Poland experienced a large-scale cyberattack targeting its energy sector, marking a significant escalation in destructive operations against critical infrastructure. Over 30 wind and photovoltaic farms, a major combined heat and power (CHP) plant serving 500,000 customers, and an unrelated manufacturing company were hit in synchronized assaults during extreme winter conditions, when high energy demand left the grid especially exposed.

The attackers, demonstrating a purely destructive intent akin to physical sabotage, employed advanced tactics against both IT systems and industrial control devices, a rare and sophisticated approach. The primary targets were the power substations connecting renewable energy sources to the grid, where Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), protection relays, and network infrastructure were compromised. Methods involved firmware corruption, system file deletion, and custom wiper malware, disrupting the operators' remote control capabilities while leaving energy production itself intact.

At the CHP plant, attackers conducted prolonged reconnaissance, leveraging stolen credentials for lateral movement before executing a partially automated destructive operation. Activation of the wiper malware was blocked by Endpoint Detection and Response (EDR) software, preventing catastrophic damage. The attack on the manufacturing company, though opportunistic, used the same wiper malware, suggesting coordinated timing rather than a unified strategic objective.
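The report names the destructive behaviours (mass deletion of system files, firmware corruption of RTUs and relays) and notes that EDR stopped the wiper at the CHP plant, but does not say how such activity is recognised. The following is an added example, not code from the Ministerstwo Energii report, the gbhackers article, or any EDR vendor: two simple detections over constructed endpoint/OT telemetry. The log line format, host names, the engineering-host allow-list and the system-path list are all assumptions made for illustration; real sensors emit different fields.

```python
"""Heuristic detection of wiper-like activity in constructed endpoint/OT telemetry.

Added example, not from the incident report or any vendor product. The event
format, host names and allow-lists are hypothetical. Two behaviours named in
the article are checked:
  1. a burst of system-file deletions on one host within a short window, and
  2. firmware writes to ICS devices (RTU/HMI/relay) from hosts that are not
     designated engineering workstations.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    action: str   # "delete" or "firmware_write"
    target: str   # file path for delete, device id for firmware_write
    user: str


# Paths whose mass deletion indicates a wiper rather than housekeeping (hypothetical list).
SYSTEM_PREFIXES = ("/boot/", "/etc/", "/usr/lib/", "C:\\Windows\\System32\\")
# Hosts permitted to push firmware to field devices (hypothetical allow-list).
ENGINEERING_HOSTS = frozenset({"eng-ws-01"})


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <host> <action> <target> <user>'."""
    ts, host, action, target, user = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, action, target, user)


def detect_deletion_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Return {host: {first_seen, count}} for hosts deleting >= threshold system files within window."""
    per_host = defaultdict(list)
    for e in events:
        if e.action == "delete" and e.target.startswith(SYSTEM_PREFIXES):
            per_host[e.host].append(e.ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = {"first_seen": times[start], "count": end - start + 1}
                break
    return alerts


def detect_rogue_firmware_writes(events, allowed_hosts=ENGINEERING_HOSTS):
    """Return sorted (host, user, device) tuples for firmware writes from non-engineering hosts."""
    return sorted({(e.host, e.user, e.target) for e in events
                   if e.action == "firmware_write" and e.host not in allowed_hosts})


def build_sample_log() -> str:
    """Constructed telemetry for the example; not real data from the incident."""
    base = datetime(2025, 12, 29, 3, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Benign: an engineer removes three stale files over an hour and pushes one firmware update.
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} eng-ws-01 delete C:\\Windows\\System32\\old{i}.tmp jkowalski")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} eng-ws-01 firmware_write rtu-substation-03 jkowalski")
    # Suspicious: an HMI workstation deletes 25 System32 drivers in 12 seconds under a service
    # account, then writes firmware to an RTU it is not supposed to manage.
    for i in range(25):
        t = base + timedelta(minutes=40, milliseconds=500 * i)
        lines.append(f"{t.isoformat()} hmi-ws-07 delete C:\\Windows\\System32\\drivers\\d{i:02d}.sys svc_scada")
    lines.append(f"{(base + timedelta(minutes=41)).isoformat()} hmi-ws-07 firmware_write rtu-substation-12 svc_scada")
    return "\n".join(lines)


def analyze(log_text=None):
    """Run both detections over a log; defaults to the constructed sample."""
    events = [parse_line(l) for l in (log_text or build_sample_log()).splitlines() if l.strip()]
    return {"deletion_bursts": detect_deletion_bursts(events),
            "rogue_firmware_writes": detect_rogue_firmware_writes(events)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze())
```

The deletion-burst rule fires on hmi-ws-07 (25 deletions in 12 seconds) but not on eng-ws-01 (three deletions spread over an hour), and the firmware rule flags only the write from the non-engineering host. In practice the thresholds, the protected path list and the allow-list must be tuned per site; the point is that both behaviours are visible in ordinary file and device telemetry before the wiper finishes.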

Infrastructure analysis links the campaign to the threat cluster tracked as Static Tundra (Cisco), Berserk Bear (CrowdStrike), Ghost Blizzard (Microsoft), and Dragonfly (Symantec). While the group has a history of energy sector targeting, this marks its first publicly attributed destructive operation.

Despite the attackers' efforts, the assaults failed to achieve their intended impact: renewable energy production remained uninterrupted, and heat supply to end users was maintained. The incident highlights the growing risk of cyber-sabotage against critical infrastructure, particularly during periods of operational stress.

Source: https://gbhackers.com/wind-and-solar-farms/

Ministerstwo Energii cybersecurity rating report: https://www.rankiteo.com/company/megovpl

"id": "MIN1770194830",
"linkid": "megovpl",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Energy',
                        'location': 'Poland',
                        'size': 'Over 30 farms',
                        'type': 'Wind and photovoltaic farms'},
                       {'customers_affected': '500,000',
                        'industry': 'Energy',
                        'location': 'Poland',
                        'type': 'Combined Heat and Power (CHP) plant'},
                       {'industry': 'Manufacturing',
                        'location': 'Poland',
                        'type': 'Manufacturing company'}],
 'attack_vector': ['Firmware corruption',
                   'System file deletion',
                   'Custom wiper malware',
                   'Stolen credentials for lateral movement'],
 'date_detected': '2025-12-29',
 'description': 'Poland experienced a large-scale cyberattack targeting its '
                'energy sector, including over 30 wind and photovoltaic farms, '
                'a major combined heat and power (CHP) plant, and a '
                'manufacturing company. The attackers employed advanced '
                'tactics to disrupt IT systems and industrial control devices, '
                'demonstrating destructive intent akin to physical sabotage.',
 'impact': {'operational_impact': 'Disruption of remote control capabilities; '
                                  'energy production and heat supply '
                                  'maintained',
            'systems_affected': ['IT systems',
                                 'Industrial control devices',
                                 'Power substations',
                                 'Remote control capabilities']},
 'initial_access_broker': {'reconnaissance_period': 'Prolonged reconnaissance '
                                                    'at CHP plant'},
 'lessons_learned': 'The incident highlights the growing risk of '
                    'cyber-sabotage against critical infrastructure, '
                    'particularly during periods of operational stress.',
 'motivation': 'Destructive intent / Cyber-sabotage',
 'post_incident_analysis': {'root_causes': ['Advanced tactics targeting IT '
                                            'systems and industrial control '
                                            'devices',
                                            'Stolen credentials for lateral '
                                            'movement',
                                            'Firmware corruption and custom '
                                            'wiper malware']},
 'references': [{'source': 'Cisco (Static Tundra)'},
                {'source': 'CrowdStrike (Berserk Bear)'},
                {'source': 'Microsoft (Ghost Blizzard)'},
                {'source': 'Symantec (Dragonfly)'}],
 'response': {'containment_measures': 'Endpoint Detection and Response (EDR) '
                                      'software thwarted wiper malware '
                                      'activation'},
 'threat_actor': ['Static Tundra (Cisco)',
                  'Berserk Bear (CrowdStrike)',
                  'Ghost Blizzard (Microsoft)',
                  'Dragonfly (Symantec)'],
 'title': "Coordinated Cyberattacks on Poland's Critical Energy Infrastructure",
 'type': 'Cyber Sabotage',
 'vulnerability_exploited': ['Remote Terminal Units (RTUs)',
                             'Human-Machine Interfaces (HMIs)',
                             'Protection relays',
                             'Network infrastructure']}