On December 29, 2025, Poland faced a coordinated assault targeting more than 30 wind and solar farms, alongside a large combined heat and power plant and a manufacturing facility.
The attacks occurred during severe winter weather, when temperatures dropped and snowstorms threatened the nation’s energy stability.
All operations had purely destructive intentions, designed to damage critical infrastructure rather than steal information.
These coordinated strikes represent the first documented destructive operation by a sophisticated attack group, marking a significant escalation in threats against European energy infrastructure.
The assault targeted power substations serving as connection points between renewable energy sources and the distribution network. Industrial automation devices at these locations became prime objectives for the attackers.
These systems included remote terminal units managing telecontrol operations, human-machine interfaces displaying facility status, protection relays guarding against electrical damage, and communication equipment such as routers and network switches.
After establishing access to internal networks, attackers conducted detailed reconnaissance before executing their destructive plan through damaged firmware and custom-built wiper malware on December 29 morning.
Communication channels between farms and the distribution system operator were disrupted, though electricity generation continued unaffected.
Cert.pl analysts identified the attack infrastructure used in the operation, revealing significant overlap with infrastructure associated with threat groups known as “Static Tundra” by Cisco, “Berserk Bear” by CrowdStrike, “Ghost Blizzard” by Microsoft, and “Dragonfly” by Symantec.
These researchers noted the attackers demonstrated strong capabilities against industrial devices and historical focus on energy sectors.
Public analysis indicated this represented the first destructive campaign publicly attributed to this activity cluster, signaling an important tactical shift in their operations.
Wiper Malware Deployment and Infection Mechanism
The attackers employed identical wiper malware across multiple targets, deploying custom-built destructive software after gaining privileged access through prolonged infrastructure infiltration.
The malware’s operation centered on irreversible data destruction across targeted networks.
After establishing footholds through compromised accounts and stolen operational information, attackers prepared partially automated attack sequences ready for simultaneous activation.
When deployed against the combined heat and power plant, the malware’s execution was blocked by endpoint detection and response technology already running on the organization’s systems.
The manufacturing sector company faced similar coordinated assault, though the specific objective differed from energy targets.
This attack pattern demonstrated sophisticated planning, with the malware serving as the final payload following extensive preparation and network reconnaissance across multiple weeks of covert presence within target environments.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
