CERT Polska, Poland’s national computer emergency response team, has disclosed details of a coordinated cyber attack campaign that targeted more than 30 wind and photovoltaic energy farms, a private manufacturing sector company, and a major combined heat and power plant supplying heat to nearly half a million customers.
The attacks occurred on December 29, 2025, and were assessed as part of a destructive operation aimed at disrupting critical infrastructure. CERT Polska attributes the activity to the threat cluster known as Static Tundra, also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. The group is believed to be linked to Center 16 of Russia's Federal Security Service (FSB).
CERT Polska also noted, however, that recent reporting by ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored group, Sandworm, which highlights the attribution challenges in this case.
Destructive Intent but Limited Operational Impact
“All attacks had a purely destructive objective,” CERT Polska stated in its report. While the attacks against renewable energy facilities disrupted communication between the farms and the distribution system operator, they did not interrupt electricity generation. Similarly, the attack targeting the combined heat and power plant failed to disrupt heat supply to end users.
Despite the limited physical impact, the campaign demonstrates a clear intent to damage operational technology environments and energy sector infrastructure.
Attack Techniques and Initial Access
Investigators determined that the attackers gained access to the internal networks of power substations associated with the renewable energy facilities. Once inside, they conducted reconnaissance and disruptive actions, including damaging controller firmware, deleting system files, and deploying custom-built wiper malware known as DynoWiper, previously analyzed by ESET.
In the case of the combined heat and power plant, the intrusion was long-running: data exfiltration began as early as March 2025, and during that period the attackers escalated privileges and moved laterally across the network. Attempts to deploy and activate wiper malware within the CHP environment were unsuccessful.
The manufacturing sector company appears to have been targeted opportunistically. Initial access was achieved through a vulnerable Fortinet perimeter device, and exploitation of a similarly vulnerable FortiGate appliance is believed to have been used in the attack on the grid connection point.

DynoWiper and LazyWiper Malware Details
CERT Polska identified at least four different variants of DynoWiper. They were deployed on Mikronika HMI computers used by the renewable energy facilities and on a network share within the CHP environment. Access was gained through the SSL VPN portal service of a FortiGate device.
According to CERT Polska, the attackers authenticated with multiple local accounts that were statically defined in the device configuration and had no two-factor authentication, so a valid password alone was enough to reach the internal network. Connections came from Tor exit nodes as well as Polish and foreign IP addresses, many of them associated with compromised infrastructure.
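The weakness described above (local VPN accounts hard-coded in the appliance configuration with no second factor) is easy to audit from a configuration export. The following is an added example, not code from CERT Polska or the article: it parses a FortiOS-style CLI export, lists every `config user local` entry whose `two-factor` setting is `disable` or absent, and shows which user groups reference each one. The sample configuration is constructed, the export layout (`config` / `edit "name"` / `set key value` / `next` / `end`) and the assumption that a missing `two-factor` key means "disable" should be checked against your own firmware.

```python
"""Audit a FortiGate configuration export for local user accounts that have no
two-factor method configured, and show which user groups they belong to.

Added example; not code from CERT Polska or the original article. SAMPLE_CONFIG
is constructed. The layout assumed is the FortiOS CLI export form
(config ... / edit "name" / set key value / next / end). Treating an absent
'two-factor' key as 'disable' is an assumption about FortiOS defaults.
"""
import re

# Constructed sample: one user with a FortiToken, one relying on the default
# (no two-factor key at all), one with two-factor explicitly disabled.
SAMPLE_CONFIG = """\
config user local
    edit "vpn-ops"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOBEXAMPLE0001"
    next
    edit "scada-vendor"
        set type password
    next
    edit "maint-legacy"
        set type password
        set two-factor disable
    next
end
config user group
    edit "sslvpn-users"
        set member "vpn-ops" "scada-vendor" "maint-legacy"
    next
    edit "admins"
        set member "vpn-ops"
    next
end
"""


def parse_sections(text: str) -> dict:
    """Parse FortiOS-style config text into {section_path: {entry_name: {key: value}}}.

    section_path is a tuple of the nested 'config ...' headers, so a top-level
    'config user local' block is keyed ('user local',).
    """
    sections: dict = {}
    stack: list = []    # open 'config' headers, innermost last
    saved: list = []    # 'edit' entry that was open when each nested config began
    entry = None        # attribute dict of the 'edit' entry currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            saved.append(entry)
        elif line == "end":
            stack.pop()
            entry = saved.pop()
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            entry = {}
            sections.setdefault(tuple(stack), {})[name] = entry
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip()
    return sections


def users_without_two_factor(sections: dict) -> list:
    """Local users whose two-factor setting is 'disable' or absent (assumed default)."""
    users = sections.get(("user local",), {})
    return sorted(name for name, attrs in users.items()
                  if attrs.get("two-factor", "disable") == "disable")


def group_memberships(sections: dict) -> dict:
    """Map each user name to the 'user group' entries whose member list names it."""
    membership: dict = {}
    for group, attrs in sections.get(("user group",), {}).items():
        for member in re.findall(r'"([^"]*)"', attrs.get("member", "")):
            membership.setdefault(member, []).append(group)
    return membership


def audit(config_text: str) -> dict:
    """Return {weak_user: [groups...]} for local users lacking two-factor auth."""
    sections = parse_sections(config_text)
    membership = group_memberships(sections)
    return {user: membership.get(user, []) for user in users_without_two_factor(sections)}


if __name__ == "__main__":
    for user, groups in audit(SAMPLE_CONFIG).items():
        print(f"{user}: no two-factor; groups={groups or 'none'}")
```

Run it against a real export (`show full-configuration` output, saved to a file) and cross-check the flagged users against the groups bound to the SSL VPN portal; a password-only account that sits in a VPN-enabled group is exactly the foothold this campaign used.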
DynoWiper’s functionality is relatively simple and includes the following stages:
- Initialization using the Mersenne Twister pseudorandom number generator
- File enumeration and corruption using pseudorandom data
- Deletion of files
The malware does not include persistence mechanisms, command and control communication, shell execution capabilities, or evasion techniques designed to hide activity from security tools.
In the manufacturing sector incident, a different, PowerShell-based wiper named LazyWiper was used. It overwrites files with pseudorandom 32-byte sequences, rendering them unrecoverable. CERT Polska suspects that the core wiping logic may have been written with the help of a large language model.
Deployment also differed. In the renewable energy facilities the malware was executed directly on the HMI machines, whereas in the CHP plant and the manufacturing company DynoWiper and LazyWiper were distributed across the Active Directory domain by PowerShell scripts executed on a domain controller.
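Both wipers described above (DynoWiper's Mersenne Twister stream and LazyWiper's 32-byte random sequences) leave files full of pseudorandom bytes, so the first triage question on a recovered share or disk image is which files are still intact. The following is an added example, not code from CERT Polska, ESET or the article, showing one way to do that pass: it measures byte entropy and, because archives and images are legitimately close to 8 bits/byte, pairs it with a magic-number check for formats that must start with a known header. The sample file tree, the magic table and the 7.5 bits/byte threshold are all constructed choices for this example.

```python
"""Post-wipe triage: flag files whose bytes look like pseudorandom overwrite
rather than their expected format.

Added example; not code from CERT Polska, ESET or the original article. The
sample tree, EXPECTED_MAGIC table and ENTROPY_THRESHOLD are constructed for
illustration and should be tuned for the formats in your own environment.
"""
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed expected headers per extension (extend for your environment).
EXPECTED_MAGIC = {
    ".xml": (b"<?xml",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),   # OOXML documents are zip containers
    ".png": (b"\x89PNG",),
}
# Text-like formats that should never approach 8 bits/byte.
LOW_ENTROPY_TYPES = {".txt", ".csv", ".ini", ".log", ".ps1", ".xml"}
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(path: Path, sample_bytes: int = 65536) -> dict:
    """Judge one file from its first sample_bytes: entropy plus header check."""
    data = path.read_bytes()[:sample_bytes]
    ext = path.suffix.lower()
    entropy = shannon_entropy(data)
    magic_ok = (ext not in EXPECTED_MAGIC
                or any(data.startswith(m) for m in EXPECTED_MAGIC[ext]))
    # A wrong header is a strong signal on its own and also catches the case
    # where only a short prefix of the file was overwritten; the entropy test
    # is applied only to formats that are never high-entropy when intact.
    suspicious = (not magic_ok) or (ext in LOW_ENTROPY_TYPES and entropy > ENTROPY_THRESHOLD)
    return {"path": path.name, "entropy": round(entropy, 2),
            "magic_ok": magic_ok, "suspicious": suspicious}


def triage(root: Path) -> list:
    """Assess every regular file below root, in a stable order."""
    return [assess(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_sample_tree() -> Path:
    """Constructed sample: intact files beside files overwritten with random bytes
    (fixed seed so the example is reproducible)."""
    root = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    rng = random.Random(1)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "hmi_project.xml").write_bytes(
        b'<?xml version="1.0"?>\n<project>\n' + b'  <tag name="pump1"/>\n' * 200 + b"</project>\n")
    (root / "notes.txt").write_text("shift handover notes\n" * 100)
    (root / "backup.zip").write_bytes(b"PK\x03\x04" + noise(4000))   # legitimately high entropy
    (root / "config_archive.xml").write_bytes(noise(4000))          # overwritten
    (root / "report.docx").write_bytes(noise(4000))                 # overwritten
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for r in triage(root):
            flag = "SUSPICIOUS" if r["suspicious"] else "ok"
            print(f"{r['path']:20} entropy={r['entropy']:.2f} magic_ok={r['magic_ok']} {flag}")
    finally:
        shutil.rmtree(root)
```

Note the two failure modes the combination handles: a file whose format is normally compressed (the `.zip` above) is not flagged on entropy alone, while a text or XML file whose header is gone is flagged even if the random run was short. Neither check recovers data; the point is to size the loss quickly and to pick which files to pull from backups first.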
Cloud Access and Data Targeting
CERT Polska reported that the attackers attempted to reuse credentials obtained from on-premises environments to access cloud services. Where valid Microsoft 365 accounts were identified, they downloaded selected data from Exchange, Teams, and SharePoint.
The threat actors showed particular interest in files and email communications related to operational technology network modernization, SCADA systems, and technical projects within the affected organizations.
While CERT Polska acknowledged general code-level similarities between DynoWiper and wipers previously linked to Sandworm, it emphasized that these overlaps are not sufficient to prove the group's involvement conclusively.