CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country.
The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit.
It's worth noting that recent reports from ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored hacking group known as Sandworm.
"All attacks had a purely destructive objective," CERT Polska said in a report published Friday. "Although attacks on renewable energy farms disrupted communication between these facilities and the distribution system operator, they did not affect the ongoing production of electricity. Similarly, the attack on the combined heat and power plant did not achieve the attacker’s intended effect of disrupting heat supply to end users."
The attackers are said to have gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper by ESET.
In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating all the way back to March 2025 that enabled them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful, CERT Polska noted.
On the other hand, the targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. The attack targeting the grid connection point is also likely to have involved the exploitation of a vulnerable FortiGate appliance.
At least four different versions of DynoWiper have been discovered to date. These variants were deployed on Mikronika HMI Computers used by the energy facility and on a network share within the CHP after securing access through the SSL‑VPN portal service of a FortiGate device.
"The attacker gained access to the infrastructure using multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled," CERT Polska said, detailing the actor's modus operandi targeting the CHP. "The attacker connected using Tor nodes, as well as Polish and foreign IP addresses, which were often associated with compromised infrastructure."
The wiper's functionality is fairly straightforward -
- Initialization that involves seeding a pseudorandom number generator (PRNG) called Mersenne Twister
- Enumerate files and corrupt them using the PRNG
- Delete files
It's worth mentioning here that the malware does not have a persistence mechanism, a way to communicate with a command‑and‑control (C2) server, or execute shell commands. Nor does it attempt to hide the activity from security programs.
CERT Polska said the attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper that scripts overwrites files on the system with pseudorandom 32‑byte sequences to render them unrecoverable. It's suspected that the core wiping functionality was developed using a large language model (LLM).
"The malware used in the incident involving renewable energy farms was executed directly on the HMI machine," CERT Polska pointed out. "In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller."
The agency also described some of the code-level similarities between DynoWiper and other wipers built by Sandworm as "general" in nature and does not offer any concrete evidence as to whether the threat actor participated in the attack.
"The attacker used credentials obtained from the on‑premises environment in attempts to gain access to cloud services," CERT Polska said. "After identifying credentials for which corresponding accounts existed in the M365 service, the attacker downloaded selected data from services such as Exchange, Teams, and SharePoint."
"The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations."
Update
Hitachi Energy, whose RTU560 Remote Terminal Units (RTUs) were targeted in the attacks, has released an advisory, stating the affected devices have been confirmed to be located behind vulnerable firewalls, running outdated firmware version for RTU500 series (e.g., CVE‑2024‑2617), configured with default credentials, and operating without recommended security features enabled.
"These circumstances created a scenario in which the devices were exposed to an increased risk," Hitachi Energy said. "Customers are strongly encouraged to assess their environments and adopt the recommended safeguards."
Besides TTU560 RTUs, attackers have also been found to target the following devices -
- Hitachi Relion protection and control relays using a mix of a default FTP account and default credentials
- Mikronika RTUs and human-machine interfaces (HMIs) using default credentials
- Moxa NPort serial device servers using exposed web interfaces and default credentials
In an independent report, ESET published additional details of the DynoWiper malware, describing it as capable of recursively wiping files on all removable and fixed drives, excluding specific directories in the C:\ drive (e.g., system32, windows, program files, temp, boot, perflogs, appdata, and documents and settings).
"The wiper overwrites files using a 16-byte buffer that contains random data generated once at the start of the wiper’s execution," ESET said. "Files of size 16 bytes or fewer are fully overwritten, with smaller files being extended to 16 bytes. To speed up the destruction process, other files (larger than 16 bytes) have only some parts of their contents overwritten."
DynoWiper has been found to share "several similarities" with another wiper strain codenamed ZOV, which the Slovakian cybersecurity company attributes to Sandworm with high confidence. ZOV was deployed in two different attacks targeting an energy company and a financial institution in Ukraine in January 2024 and November 2025, respectively.
ESET said the DynoWiper's links to Sandworm are based on tactical overlaps and the threat actor's targeting of energy companies, including those in Poland, with malware families such as BlackEnergy and GreyEnergy in the past. It also pointed out that it's not aware of any other threat actor that has employed wipers in cyber operations aimed at European Union countries.
"Although Sandworm has previously targeted companies in Poland, it typically did so covertly," it added. "In particular, the preparatory stages leading up to the destructive activity may have been conducted by another threat actor group collaborating with Sandworm."
