CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

Posted on January 31, 2026 By CWS

Ravie Lakshmanan | Jan 31, 2026 | Network Security / SCADA
CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country.
The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia’s Federal Security Service’s (FSB) Center 16 unit.
It’s worth noting that recent reports from ESET and Dragos attributed the activity with medium confidence to a different Russian state-sponsored hacking group known as Sandworm.

“All attacks had a purely destructive objective,” CERT Polska said in a report published Friday. “Although attacks on renewable energy farms disrupted communication between these facilities and the distribution system operator, they did not affect the ongoing production of electricity. Similarly, the attack on the combined heat and power plant did not achieve the attacker’s intended effect of disrupting heat supply to end users.”

The attackers are said to have gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper by ESET.
In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating all the way back to March 2025 that enabled them to escalate privileges and move laterally across the network. The attackers’ attempts to detonate the wiper malware were unsuccessful, CERT Polska noted.

On the other hand, the targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. The attack targeting the grid connection point is also likely to have involved the exploitation of a vulnerable FortiGate appliance.

At least four different versions of DynoWiper have been discovered to date. These variants were deployed on Mikronika HMI Computers used by the energy facility and on a network share within the CHP after securing access through the SSL‑VPN portal service of a FortiGate device.
“The attacker gained access to the infrastructure using multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled,” CERT Polska said, detailing the actor’s modus operandi targeting the CHP. “The attacker connected using Tor nodes, as well as Polish and foreign IP addresses, which were often associated with compromised infrastructure.”
The wiper’s functionality is fairly straightforward:

  • Initialization that involves seeding a pseudorandom number generator (PRNG) called Mersenne Twister
  • Enumerate files and corrupt them using the PRNG
  • Delete files

It’s worth mentioning here that the malware does not have a persistence mechanism, a way to communicate with a command‑and‑control (C2) server, or execute shell commands. Nor does it attempt to hide the activity from security programs.

CERT Polska said the attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper that overwrites files on the system with pseudorandom 32‑byte sequences to render them unrecoverable. It’s suspected that the core wiping functionality was developed using a large language model (LLM).
“The malware used in the incident involving renewable energy farms was executed directly on the HMI machine,” CERT Polska pointed out. “In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller.”
The agency also described some of the code-level similarities between DynoWiper and other wipers built by Sandworm as “general” in nature and does not offer any concrete evidence as to whether the threat actor participated in the attack.
“The attacker used credentials obtained from the on‑premises environment in attempts to gain access to cloud services,” CERT Polska said. “After identifying credentials for which corresponding accounts existed in the M365 service, the attacker downloaded selected data from services such as Exchange, Teams, and SharePoint.”
“The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations.”
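
The access path CERT Polska describes for the CHP (accounts statically defined in the FortiGate configuration with no two-factor authentication) can be checked for in a configuration backup. The audit script below is an added example, not code from CERT Polska or the original article; the sample configuration, account names and group name are constructed, and it assumes the backup's `config user local` and `config user group` tables with single-line values.

```python
import shlex
# Constructed sample of a FortiGate configuration backup (not taken from the report).
SAMPLE_CONFIG = """
config user local
    edit "svc_vendor"
        set type password
    next
    edit "jkowalski"
        set type password
        set two-factor fortitoken
    next
    edit "old_admin"
        set status disable
        set type password
    next
end
config user group
    edit "SSLVPN_Users"
        set member "svc_vendor" "jkowalski"
    next
end
"""

def parse_tables(text):
    """Parse top-level tables into {table: {entry: {key: [values]}}}."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]  # assumes balanced quotes on each line
        if tok[0] == "config" and depth == 0:
            table, entry, depth = tables.setdefault(" ".join(tok[1:]), {}), None, 1
        elif tok[0] in ("config", "end"):
            depth += 1 if tok[0] == "config" else -1  # track nested sub-tables
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def local_users_without_2fa(text):
    """Enabled local accounts with no second factor, plus their groups."""
    tables = parse_tables(text)
    groups, findings = tables.get("user group", {}), []
    for name, cfg in tables.get("user local", {}).items():
        enabled = cfg.get("status", ["enable"])[0] == "enable"
        no_2fa = cfg.get("two-factor", ["disable"])[0] == "disable"  # absent = off
        if enabled and no_2fa:
            findings.append((name, sorted(g for g, gc in groups.items()
                                          if name in gc.get("member", []))))
    return findings
```

Each finding pairs an account with the user groups it belongs to, so accounts that sit in a group referenced by the SSL-VPN portal policy can be prioritized for two-factor enrollment or removal.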
