Poland's Energy Sector Faced Coordinated Cyberattacks Targeting Renewable Facilities and Deploying Wiper Malware
The attacks targeted operational technology and industrial control systems at over 30 wind and solar farms and a combined heat and power plant serving nearly half a million customers.
EUROPE — The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory on February 10 highlighting a destructive cyber incident in Poland’s energy sector from late December.
The attacks targeted operational technology and industrial control systems at over 30 wind and solar farms, a combined heat and power plant serving nearly half a million customers, and a manufacturing firm producing energy components.
“The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them according to their intended design.” - CISA
Attackers exploited vulnerable FortiGate firewalls with default credentials to access networks, then used Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) for lateral movement before deploying custom wiper malware called DynoWiper to encrypt files and disrupt communications.
While no interruptions to power or heat occurred, the event exposed risks in distributed renewable energy systems and prompted recommendations for enhanced edge device security.
CERT Polska’s incident report from January 30 detailed the attacks, which occurred in the morning and afternoon hours of December 29. The malware aimed to cause irreversible data destruction, but endpoint detection tools at the combined heat and power plant blocked execution.
Polish authorities attributed the operation to the Russian-linked group Static Tundra, also known as Electrum or Berserk Bear, based on infrastructure overlaps and tactics matching prior campaigns.






