On December 29, 2025, Poland experienced a significant escalation in coordinated cyberattacks targeting critical energy infrastructure.
More than 30 wind and photovoltaic farms, a manufacturing company, and a large combined heat and power plant supplying heating to approximately 500,000 customers were subjected to synchronized destructive operations.
The attacks occurred during extreme winter weather, compounding infrastructure vulnerabilities during a period of high energy demand.
The attackers demonstrated a purely destructive objective, comparable to deliberate arson in the physical world.
Despite targeting both IT systems and industrial control devices, a combination rarely documented in previous incidents, the operations failed to achieve their intended impact.
Energy production at renewable facilities remained uninterrupted, and heat supply to end users was maintained despite sophisticated technical attempts to disrupt critical services.
Renewable Energy Infrastructure
The primary attack vector focused on power substations serving as grid connection points between renewable energy sources and distribution system operators.
Industrial automation devices at these critical junctions became the attackers’ focal point, including Remote Terminal Units (RTUs) managing telecontrol and supervision, Human-Machine Interfaces (HMIs) visualizing operational status, protection relays safeguarding electrical systems, and communication infrastructure, including serial port servers and network switches.
The assault involved firmware corruption, system file deletion, and deployment of custom-built wiper malware.
RTU damage resulted in communication loss between substations and the Distribution System Operator, preventing remote control while leaving energy production operational, a critical distinction that shows the attack only partially succeeded.
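The operational signal described above, the loss of RTU telecontrol links between substations and the DSO, is something a DSO monitoring team can correlate: one site dropping its link is routine, while dozens dropping within minutes is the signature of a synchronized campaign. The following is an added example, not code from the report or from any affected operator; the log format, site names, timestamps and the 5-minute/3-site thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of RTU link-state events as a SCADA front-end might log them.
# Assumed format: "<ISO timestamp> <site id> <LINK_DOWN|LINK_UP>" (not from the report).
SAMPLE_LOG = """\
2025-12-29T06:02:11 PV-07 LINK_DOWN
2025-12-29T06:02:14 WF-12 LINK_DOWN
2025-12-29T06:02:20 WF-03 LINK_DOWN
2025-12-29T06:02:31 PV-19 LINK_DOWN
2025-12-29T06:02:40 WF-12 LINK_UP
2025-12-29T06:03:05 WF-21 LINK_DOWN
2025-12-29T09:15:00 PV-02 LINK_DOWN
"""


def parse_events(text):
    """Parse log lines into (timestamp, site, state) tuples."""
    events = []
    for line in text.splitlines():
        ts, site, state = line.split()
        events.append((datetime.fromisoformat(ts), site, state))
    return events


def correlated_outages(events, window=timedelta(minutes=5), threshold=3):
    """Group LINK_DOWN events into clusters that start within `window` of each
    other and return (cluster_start, sites) for clusters covering at least
    `threshold` distinct sites. A single isolated LINK_DOWN is left to the
    comms ticket queue; a cluster is escalated as a security incident."""
    downs = sorted((t, s) for t, s, st in events if st == "LINK_DOWN")
    clusters, start, sites = [], None, set()
    for t, s in downs:
        if start is None or t - start > window:
            if len(sites) >= threshold:
                clusters.append((start, sites))
            start, sites = t, set()  # open a new cluster anchored at this event
        sites.add(s)
    if start is not None and len(sites) >= threshold:
        clusters.append((start, sites))
    return clusters


if __name__ == "__main__":
    for start, sites in correlated_outages(parse_events(SAMPLE_LOG)):
        print(f"{start.isoformat()}: {len(sites)} sites lost telecontrol: {sorted(sites)}")
```

On the constructed input this flags one cluster of five sites starting at 06:02:11 and ignores the isolated 09:15 event; the thresholds should be tuned to the fleet size and normal weather-related churn.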
The coordinated assault on the combined heat and power plant revealed extended pre-attack preparation including long-term infrastructure infiltration and sensitive operational data theft.
Attackers leveraged stolen credentials to acquire privileged account access, enabling lateral movement throughout the facility’s network systems.
Following network infiltration, attackers conducted systematic reconnaissance before executing a partially automated destructive plan on the morning of December 29.
Wiper malware activation targeting irreversible data destruction was ultimately blocked by the organization’s Endpoint Detection and Response (EDR) software, preventing catastrophic operational damage.
Manufacturing Sector Impact
Simultaneous operations targeted an unrelated manufacturing company using identical wiper malware deployed against the energy sector.
This opportunistic targeting suggests coordinated timing rather than a unified strategic intent, indicating that the attackers maintained multiple parallel operation streams.
Infrastructure analysis encompassing compromised VPS servers, router patterns, traffic characteristics, and anonymizing infrastructure demonstrates significant overlap with the activity cluster designated “Static Tundra” (Cisco), “Berserk Bear” (CrowdStrike), “Ghost Blizzard” (Microsoft), and “Dragonfly” (Symantec).
The threat actor’s documented energy sector focus and industrial device attack capabilities align with observed methodologies, though this represents the first publicly attributed destructive campaign from this cluster.
This incident underscores escalating sabotage risks against critical infrastructure, particularly during periods of operational stress and extreme environmental conditions.
Organizations operating industrial control systems should prioritize EDR deployment, network segmentation, and credential hygiene as essential defensive measures.
