Polish heat-and-power plant and Polish manufacturing firm: Polish Grid Systems Targeted in Cyberattack Had Little Security, Per New Report

Russian Hackers Target Poland’s Energy Sector in Destructive Cyberattack

Polish authorities revealed details of a coordinated cyberattack last month that targeted the country’s grid infrastructure, including a heat-and-power plant, wind and solar farms, and a manufacturing firm. The attackers, believed to be the Russian hacking group Berserk Bear (linked to Russia’s FSB), exploited weak security measures such as default credentials and the absence of multi-factor authentication to gain deep access to critical systems.

The intrusion at the heat-and-power plant began between March and July 2023, with hackers conducting reconnaissance and stealing sensitive operational data before deploying a wiper malware, DynoWiper, on December 29. The attack aimed to erase files on over 100 workstations, but an intrusion-detection system blocked the malicious code before it could fully execute. At wind and solar farms, attackers successfully bricked remote terminal units (RTUs) by replacing firmware with malicious versions, disrupting monitoring and control systems.

While the attack caused operational disruptions, investigators confirmed it did not affect power stability in Poland. The combined output of the compromised sites would not have impacted the national grid, contradicting earlier claims that 500,000 users could have been affected. The Polish Computer Emergency Response Team (CERT) attributed the attack to Berserk Bear, noting that while the group has historically focused on espionage, this incident marks a shift toward destructive operations.

Security failures played a key role in the breach. Many systems used default credentials, including a Hitachi RTU with an admin account named "Default." Some FortiGate VPN firewalls lacked multi-factor authentication, allowing attackers to bypass defenses. Additionally, outdated firmware and disabled security features on RTUs enabled the installation of malicious firmware.

The attack coincided with winter storms and low temperatures, leading investigators to liken it to "deliberate acts of arson." While the heat-and-power plant’s defenses mitigated the worst damage, the wind and solar farms suffered operational disruptions. A separate, opportunistic attack on a manufacturing firm using a different wiper, LazyWiper, was also detected, though its impact remains unclear.

The incident underscores the growing threat of state-backed cyberattacks on critical infrastructure, with Russian hacking groups expanding beyond espionage to potentially disruptive operations.

Source: https://www.zetter-zeroday.com/polish-grid-systems-targeted-in-cyberattack-had-little-security-per-new-report/

Polish Energy Partners cybersecurity rating report: https://www.rankiteo.com/company/polish-energy-partners

{
"id": "POL1774823214",
"linkid": "polish-energy-partners",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Energy',
                        'location': 'Poland',
                        'name': 'Unnamed heat-and-power plant',
                        'type': 'Energy (Heat and Power)'},
                       {'industry': 'Energy',
                        'location': 'Poland',
                        'name': 'Unnamed wind and solar farms',
                        'type': 'Renewable Energy'},
                       {'industry': 'Manufacturing',
                        'location': 'Poland',
                        'name': 'Unnamed manufacturing firm',
                        'type': 'Manufacturing'}],
 'attack_vector': ['Exploiting default credentials',
                   'Absence of multi-factor authentication',
                   'Outdated firmware',
                   'Disabled security features'],
 'data_breach': {'data_exfiltration': 'Yes (reconnaissance phase)',
                 'sensitivity_of_data': 'High (critical infrastructure '
                                        'operational data)',
                 'type_of_data_compromised': 'Operational data'},
 'date_detected': '2023-12-29',
 'description': 'Polish authorities revealed details of a coordinated '
                'cyberattack last month that targeted the country’s grid '
                'infrastructure, including a heat-and-power plant, wind and '
                'solar farms, and a manufacturing firm. The attackers, '
                'believed to be the Russian hacking group Berserk Bear (linked '
                'to Russia’s FSB), exploited weak security measures such as '
                'default credentials and the absence of multi-factor '
                'authentication to gain deep access to critical systems. The '
                'attack aimed to deploy wiper malware (DynoWiper) and disrupt '
                'operational systems, though it did not affect power stability '
                'in Poland.',
 'impact': {'data_compromised': 'Sensitive operational data',
            'downtime': 'Operational disruptions at wind and solar farms',
            'operational_impact': 'Disrupted monitoring and control systems; '
                                  'bricked RTUs',
            'systems_affected': ['Heat-and-power plant workstations',
                                 'Wind and solar farm RTUs',
                                 'Manufacturing firm systems']},
 'initial_access_broker': {'high_value_targets': 'Critical infrastructure '
                                                 '(energy sector)',
                           'reconnaissance_period': 'March–July 2023'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Security failures such as default credentials, lack of '
                    'MFA, and outdated firmware enabled the attack. The '
                    'incident highlights the shift of state-backed groups from '
                    'espionage to disruptive operations.',
 'motivation': ['Espionage',
                'Disruption of critical infrastructure',
                'Destructive operations'],
 'post_incident_analysis': {'root_causes': ['Default credentials (e.g., '
                                            'Hitachi RTU admin account '
                                            "'Default')",
                                            'Lack of MFA on FortiGate VPN '
                                            'firewalls',
                                            'Outdated and insecure RTU '
                                            'firmware',
                                            'Disabled security features on '
                                            'operational technology (OT) '
                                            'devices']},
 'recommendations': ['Enforce multi-factor authentication (MFA) on all '
                     'critical systems',
                     'Replace or secure default credentials',
                     'Update and patch firmware regularly',
                     'Enable security features on RTUs and other operational '
                     'technology (OT) devices',
                     'Enhance monitoring and intrusion-detection systems for '
                     'critical infrastructure'],
 'references': [{'source': 'Polish Computer Emergency Response Team (CERT)'}],
 'response': {'containment_measures': 'Intrusion-detection system blocked '
                                      'DynoWiper execution'},
 'threat_actor': 'Berserk Bear (linked to Russia’s FSB)',
 'title': 'Russian Hackers Target Poland’s Energy Sector in Destructive '
          'Cyberattack',
 'type': 'Cyberattack (Wiper Malware, Firmware Tampering)',
 'vulnerability_exploited': ['Default credentials (e.g., Hitachi RTU admin '
                             "account 'Default')",
                             'Lack of MFA on FortiGate VPN firewalls',
                             'Outdated RTU firmware']}