CERT Polska Unveils Coordinated Cyber Attacks on Wind, Solar Farms
CERT Polska has reported a series of coordinated cyber attacks that targeted over 30 renewable energy facilities, including wind and solar farms, as well as a significant combined heat and power plant (CHP) in Poland. The attacks took place on December 29, 2025, and have been linked to a threat cluster known as Static Tundra, associated with Russian state-sponsored hacking activities.
Key Details of the Cyber Attacks
The affected CHP provides heat to nearly half a million customers. Despite the disruptions caused by the attacks, electricity production remained unaffected. The incident highlights several alarming tactics employed by the attackers.
- Date of Incident: December 29, 2025
- Affected Facilities: Over 30 wind and solar farms, a private manufacturing company, and a CHP
- Threat Cluster Identified: Static Tundra (also known as Berserk Bear and others)
- Alleged Origin: Linked to Russia’s FSB Center 16 unit
Technical Methods and Malware Used
CERT Polska stated that the attackers pursued destructive objectives during the assault. Their methods included:
- Accessing internal networks of power substations
- Disrupting communication lines between energy facilities and operators
- Deploying wiper malware, DynoWiper, to destroy system files
In the CHP attack, unauthorized access dating back to March 2025 allowed long-term data theft and lateral movement within the network. Notably, the attackers failed to execute the wiper malware.
Opportunistic Targeting and Vulnerabilities Exploited
The intrusion into the manufacturing sector was considered opportunistic. Initial access was achieved through a vulnerable Fortinet perimeter device. Multiple FortiGate appliances were exploited during the attacks. CERT Polska pointed out that:
- Four versions of DynoWiper were detected.
- Access was gained using accounts that lacked two-factor authentication.
- The attackers employed Tor nodes and various IP addresses to infiltrate systems.
Malware Characteristics
DynoWiper and another PowerShell-based wiper known as LazyWiper were utilized during these attacks. Key traits include:
- DynoWiper was executed directly on HMI machines within renewable energy facilities.
- LazyWiper overwrites files with pseudorandom data to make recovery impossible.
- Both malware variants shared some code characteristics with previously identified threats.
The report detailed the attackers’ attempts to retrieve data from cloud services, focusing particularly on operational technology (OT) network modernization and SCADA systems documentation.
Conclusion
The coordinated cyber attacks targeting Poland’s energy and manufacturing sectors underscore the urgency for enhanced cybersecurity measures. As CERT Polska continues to investigate these incidents, the threat landscape remains a significant concern for critical infrastructure worldwide.