The critical infrastructure of Poland’s energy sector has come under sustained fire from a sophisticated threat actor deploying destructive wiper malware. In a comprehensive new report, CERT Polska details a series of coordinated attacks targeting renewable energy facilities, a large Combined Heat and Power (CHP) plant, and a manufacturing company tied to the sector.
The incidents, which occurred in late 2025, showcase a shift from mere espionage to active sabotage. The attackers didn’t just want to steal data; they wanted to turn the lights off.
One of the most alarming incidents involved a direct assault on the operational technology (OT) of a renewable energy facility. The attackers gained control of the GCP (Grid Control Point), the critical junction connecting the facility to the distribution grid.
According to the report, the attackers managed to execute a “Shutdown of compromised industrial automation devices”.
The sabotage went deeper than just flipping a switch. The threat actors targeted Moxa NPort devices, serial-to-Ethernet converters often used to bridge legacy industrial equipment with modern networks. They changed passwords to lock out legitimate operators and deployed corrupted firmware.
“Deployment of corrupted firmware preventing controller startup” was observed, effectively bricking the devices and requiring manual intervention to restore operations.
The investigation uncovered two new strains of malware designed specifically for destruction: DynoWiper and LazyWiper.
DynoWiper is a ruthless tool. Once executed, it targets the file system with the intent of making data unrecoverable. It doesn’t just delete files; it obliterates them. The report describes its function as “Deletion of files from Mikronika RTU controllers”.
LazyWiper, while similarly destructive, operates with a different mechanism, likely serving as a redundant tool to ensure the job gets done if the primary payload fails.
The attacks were not limited to solar. A large Combined Heat and Power plant also faced a breach. Here, the attackers moved laterally through the network, leveraging “Remote Services” and “Valid Accounts” to pivot from IT networks into the sensitive OT segments.
The goal remained consistent: causing physical disruption through digital means. The report highlights “Damage to RTU controllers resulting in loss of communication between the facility and the DSO (Distribution System Operator)”.
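The tampering described above (credential changes and corrupted firmware on the serial-to-Ethernet converters, followed by RTUs losing their link to the DSO) leaves a recognizable trace in device telemetry. The following is an added detection example, not code from the CERT Polska report or from any vendor: it scans a normalized event feed for out-of-window credential changes, firmware images not on an approved list, and controllers that have gone silent, and it raises the severity of a silence alert when the same device was tampered with beforehand. The device names, firmware hashes, maintenance window, timeout and event records are all constructed for the example; the feed format is an assumption, not the NPort or Mikronika log format.

```python
"""Added example: flag OT tampering and loss-of-view indicators from a
normalized device event feed. Everything below is constructed for
illustration; it is not the report's data or a vendor log format."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory of OT endpoints the facility expects to hear from.
INVENTORY = ["rtu-01", "nport-gw-02", "rtu-03"]

# Assumed policy values: heartbeat budget, approved firmware digests and a
# maintenance window of 22:00-23:00 expressed as seconds of the day.
HEARTBEAT_TIMEOUT_S = 120
APPROVED_FIRMWARE = {"sha256:aaaa1111", "sha256:bbbb2222"}
CHANGE_WINDOW = (22 * 3600, 23 * 3600)


@dataclass
class Alert:
    device: str
    severity: str   # medium / high / critical
    reason: str


def detect(events: List[Dict], now: int) -> List[Alert]:
    """Events are dicts with ts (epoch seconds), device and kind, where kind is
    'heartbeat', 'cred_change' (with actor) or 'firmware_push' (with image)."""
    alerts: List[Alert] = []
    last_seen: Dict[str, int] = {}
    tampered = set()   # devices with a suspicious change before going silent

    for ev in sorted(events, key=lambda e: e["ts"]):
        dev = ev["device"]
        if ev["kind"] == "heartbeat":
            last_seen[dev] = ev["ts"]
        elif ev["kind"] == "cred_change":
            # A password change outside the maintenance window is how operators
            # get locked out; treat it as tampering regardless of the actor.
            time_of_day = ev["ts"] % 86400
            if not (CHANGE_WINDOW[0] <= time_of_day < CHANGE_WINDOW[1]):
                alerts.append(Alert(dev, "high",
                    f"credential change outside maintenance window by {ev['actor']}"))
                tampered.add(dev)
        elif ev["kind"] == "firmware_push":
            # Only digests on the approved list are expected on these devices.
            if ev["image"] not in APPROVED_FIRMWARE:
                alerts.append(Alert(dev, "high",
                    f"unapproved firmware image {ev['image']}"))
                tampered.add(dev)

    # Loss of view: any inventoried device that has not reported in time.
    # Silence right after tampering is the pattern of a bricked controller.
    for dev in INVENTORY:
        if dev not in last_seen:
            alerts.append(Alert(dev, "medium", "no heartbeat ever received"))
            continue
        gap = now - last_seen[dev]
        if gap > HEARTBEAT_TIMEOUT_S:
            severity = "critical" if dev in tampered else "medium"
            alerts.append(Alert(dev, severity,
                f"no heartbeat for {gap}s (possible loss of view)"))
    return alerts


# Constructed sample feed for a single day (ts = seconds since midnight).
SAMPLE_EVENTS = [
    {"ts": 72000, "device": "nport-gw-02", "kind": "cred_change", "actor": "svc-backup"},
    {"ts": 72300, "device": "nport-gw-02", "kind": "firmware_push", "image": "sha256:deadbeef"},
    {"ts": 72400, "device": "nport-gw-02", "kind": "heartbeat"},
    {"ts": 79800, "device": "rtu-01", "kind": "cred_change", "actor": "ot-admin"},
    {"ts": 80340, "device": "rtu-01", "kind": "heartbeat"},
]
SAMPLE_NOW = 80400   # 22:20, twenty minutes into the maintenance window


def run_sample() -> List[Alert]:
    """Run the detector over the constructed feed."""
    return detect(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity:8}] {a.device}: {a.reason}")
```

On the sample feed, rtu-01 produces nothing (its credential change falls inside the window and it is still reporting), nport-gw-02 yields two high alerts and one critical silence alert, and rtu-03 is flagged at medium because it never reported at all. The escalation to critical is the useful part: a single missed heartbeat is routine, but a missed heartbeat on a device that just received an unapproved image is the signature of the bricked-controller outcome the report describes.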
In a complex forensic investigation, CERT Polska has mapped the digital footprints of the attack back to one of the world’s most notorious state-sponsored clusters, while uncovering potential, though inconclusive, links to another.
The attribution analysis rests on two pillars: the infrastructure used to stage the assault and the malware deployed to execute it.
The strongest evidence points to a threat actor known variously as “Static Tundra” (Cisco), “Berserk Bear” (CrowdStrike), “Ghost Blizzard” (Microsoft), or “Dragonfly” (Symantec).
By reconstructing the communication traffic and analyzing the compromised devices (specifically VPS servers and Cisco routers), investigators found a distinct overlap with the anonymizing infrastructure historically used by this group.
“CERT Polska concludes that the infrastructure used to obtain initial access, exfiltrate data, establish VPN tunnels for wiper malware deployment… overlaps with the ‘Static Tundra’ infrastructure.”
This alignment is consistent with the group’s known modus operandi. “Static Tundra” has long demonstrated a “significant interest in the energy sector and the ability to attack industrial devices.” However, this incident marks a disturbing escalation: it is the “first publicly described destructive activity attributed to this cluster,” suggesting a shift from espionage to active sabotage.
While the infrastructure points one way, the malware offers a murkier picture. Analysts compared the DynoWiper malware and its delivery scripts to tools used by “Sandworm” (aka “Seashell Blizzard”), a group infamous for destructive operations in Ukraine.
These incidents represent a dangerous escalation in cyber warfare targeting critical infrastructure. By attacking the devices that control power generation and distribution, the threat actors demonstrated a clear intent to cause physical impact.
As CERT Polska concludes, the attackers utilized a mix of living-off-the-land techniques and custom malware to achieve “Loss of Control” and “Loss of View” for the operators.