Default ICS Credentials Exploited in Destructive Attack on Polish Energy Facilities

Posted on February 2, 2026 by CWS

Poland’s computer emergency response team (CERT) has published a report detailing the recent attack by Russia-linked hackers on the country’s energy grid.

The attack targeted communication and control systems at roughly 30 sites, including combined heat and power (CHP) plants and renewable energy dispatch centers for wind and solar facilities.

The hackers gained access to industrial control systems (ICS), but primarily targeted grid protection and stability monitoring systems rather than active power generation systems. While some ICS devices were permanently damaged, the incident did not result in any electrical outages.

“It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities,” CERT.PL said in its report. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.”

According to the Polish CERT, the attack began as early as March 2025, with reconnaissance, unauthorized data access, and credential-harvesting attempts detected through July.

The CERT reported that each of the targeted facilities had Fortinet FortiGate devices exposed to the internet, using default credentials and lacking multi-factor authentication. These Fortinet appliances, which served as both firewalls and VPN interfaces, represented the initial attack vector.

The hackers initiated disruptive and destructive actions on December 29, with some of the activity partially automated.

Targeted ICS

CERT Polska’s report identifies three ICS vendors whose products were targeted in the attack: Hitachi Energy, Moxa, and Mikronika.

In the case of Hitachi, targeted devices included RTU560 remote terminal units (RTUs), which threat actors accessed using default credentials. The access allowed the attackers to upload malicious firmware. Investigators found that a security feature meant to prevent malicious firmware updates had not been enabled, but even if it had been enabled, the devices were affected by CVE-2024-2617, a known flaw allowing unsigned firmware updates.

The threat actors also targeted Hitachi Relion protection and control relays. Access to these devices was possible due to the failure to disable a default FTP account (the vendor recommends disabling this account) and the use of default credentials.

The Russia-linked hackers also targeted RTUs and human-machine interfaces (HMIs) made by Mikronika, a Poland-based industrial automation solutions firm. Both types of ICS devices were protected with default credentials, allowing attackers to make malicious modifications that ultimately enabled them to initiate destructive actions.

The threat actors deployed wipers on Windows machines hosting the HMI software, which, on devices protected by default local admin credentials, caused damage.

Moxa NPort serial device servers were also targeted. According to CERT.PL, the attackers used exposed web interfaces and default credentials to access the systems and then reset them to factory settings, changed their login password, and assigned IP addresses that prevented legitimate users from accessing them.

“In each of the analyzed cases, all Moxa devices accessible at the facility were targeted,” CERT.PL explained.

Industrial cybersecurity firm Dragos previously reported that the RTUs were ultimately recovered, but some unspecified ICS devices were damaged beyond repair.

While some threat actors have advanced capabilities and significant resources for conducting ICS attacks, this incident once again shows that industrial systems are often easy to hack even for low-skilled attackers.

ICS vendors respond

Hitachi Energy published an advisory on Friday to inform customers that its RTU560 and Relion 650 products were targeted in the attack on Poland’s energy grid.

The vendor has urged customers to update their devices and implement standard cybersecurity measures, but noted that the attackers compromised its devices due to “insufficient cyber-hygiene within the broader system environment”.

Hitachi noted that the compromised devices were configured with default credentials, had recommended security features disabled, were running outdated firmware, and were behind weak firewalls.

Mikronika told SecurityWeek that it collaborated with CERT Polska in investigating the incident and actively participated in the analysis of the entire attack.

The company’s CSO, Tomasz Szała, confirmed to SecurityWeek that there is no evidence that zero-day vulnerabilities were used in the attack. “The attackers only leveraged default credentials,” Szała noted.

At the time of writing, Moxa has not published an advisory and has not responded to SecurityWeek’s request for comment.
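The findings above reduce to a short list of posture failures that recur across every vendor named in the report: factory credentials still accepted, management interfaces reachable from the internet, no multi-factor authentication on the remote-access gateway, firmware-update authentication left off, default service accounts (such as the Relion FTP account) still enabled, and outdated firmware. The following is an added example, not code from CERT.PL, SecurityWeek, or any of the vendors: a small asset-posture audit that flags exactly those conditions over a constructed device inventory modelled on the article. The field names, severities, and inventory entries are assumptions chosen for illustration.

```python
"""Posture audit for the ICS misconfigurations described in the CERT.PL report.

Added example, not code from the article or from any vendor. The inventory at
the bottom is constructed for illustration; every attribute name is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    vendor: str
    role: str                               # "firewall/vpn", "rtu", "relay", "hmi", "serial-server"
    internet_exposed: bool                  # management interface reachable from the internet
    default_credentials: bool               # factory username/password still accepted
    mfa_enabled: bool = True                # only meaningful for remote-access gateways
    firmware_signing_enforced: bool = True  # device rejects unsigned firmware images
    default_service_accounts: list = field(default_factory=list)  # e.g. ["ftp"]
    firmware_current: bool = True


def audit(dev: Device) -> list:
    """Return (severity, finding) pairs for one device; empty list means clean."""
    findings = []
    if dev.default_credentials:
        findings.append(("critical", "default credentials accepted"))
    if dev.internet_exposed:
        # Exposure plus default credentials is the initial-access pattern in the report.
        sev = "critical" if dev.default_credentials else "high"
        findings.append((sev, "management interface exposed to the internet"))
    if dev.role == "firewall/vpn" and not dev.mfa_enabled:
        findings.append(("high", "remote access without multi-factor authentication"))
    if dev.role in ("rtu", "relay") and not dev.firmware_signing_enforced:
        findings.append(("high", "firmware update authentication not enforced"))
    for acct in dev.default_service_accounts:
        findings.append(("high", f"default service account still enabled: {acct}"))
    if not dev.firmware_current:
        findings.append(("medium", "firmware out of date"))
    return findings


def summarize(devices: list) -> tuple:
    """Aggregate severity counts and a per-device finding map for an inventory."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    report = {}
    for dev in devices:
        findings = audit(dev)
        report[dev.name] = findings
        for sev, _ in findings:
            counts[sev] += 1
    return counts, report


# Constructed inventory mirroring the conditions the article describes (not real assets).
INVENTORY = [
    Device("fw-01", "Fortinet", "firewall/vpn", internet_exposed=True,
           default_credentials=True, mfa_enabled=False),
    Device("rtu-01", "Hitachi Energy", "rtu", internet_exposed=False,
           default_credentials=True, firmware_signing_enforced=False, firmware_current=False),
    Device("relay-01", "Hitachi Energy", "relay", internet_exposed=False,
           default_credentials=True, default_service_accounts=["ftp"]),
    Device("nport-01", "Moxa", "serial-server", internet_exposed=True,
           default_credentials=True),
    Device("hmi-01", "Mikronika", "hmi", internet_exposed=False,
           default_credentials=True),
]

# A hardened gateway for comparison: unique credentials, MFA on, not internet-facing.
HARDENED_GATEWAY = Device("fw-02", "Fortinet", "firewall/vpn", internet_exposed=False,
                          default_credentials=False, mfa_enabled=True)


if __name__ == "__main__":
    counts, report = summarize(INVENTORY)
    for name, findings in report.items():
        for sev, text in findings:
            print(f"{name:10} {sev:8} {text}")
    print("totals:", counts)
    print("hardened gateway findings:", audit(HARDENED_GATEWAY))
```

The severity rule that combines exposure with default credentials is the point of the check: each condition on its own is bad, but the report shows it was the combination on the FortiGate gateways and the Moxa web interfaces that gave the attackers their way in. The inventory format is deliberately trivial so it can be fed from whatever asset register a site already keeps.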

Attribution

Polish officials blamed Russia for the cyberattack shortly after the incident became public. However, cybersecurity firm ESET was the first to attribute it to a specific threat actor.

ESET reported with medium confidence, based on its analysis of the malware and associated TTPs, that the APT known as Sandworm was behind the attack. The company’s analysis has focused on the wiper malware used in the attack, including DynoWiper.

Dragos attributed the attack, also with moderate confidence, to a group it tracks as Electrum, which it describes as related to but not always identical to Sandworm.

Sandworm has been tied to Russian military intelligence and is mainly known for its destructive attacks, including the 2016 Ukraine power grid attack.

In contrast, CERT.PL has linked the attack to a threat actor tracked as Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly, which focuses on reconnaissance and espionage.

Related: Access System Flaws Enabled Hackers to Unlock Doors at Major European Companies

Related: New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
