CERT Polska Reports Coordinated Cyberattacks on Over 30 Wind and Solar Farms

CERT Polska, Poland’s computer emergency response team, has disclosed a series of coordinated cyberattacks targeting more than 30 wind and photovoltaic (PV) farms, a large combined heat and power (CHP) plant, and a private manufacturing company. The attacks occurred on December 29, 2025 and were attributed to the threat cluster Static Tundra, which is linked to Russia’s Federal Security Service (FSB), Center 16 unit. This group is also tracked under various aliases, including Berserk Bear, Blue Kraken, and Energetic Bear.

While some cybersecurity researchers, including ESET and Dragos, have associated similar activity with the Russian state-sponsored group Sandworm, CERT Polska emphasized that the primary objective of these attacks was destruction rather than disruption of services.

Impact on Renewable Energy and CHP Infrastructure

The attacks on renewable energy farms temporarily disrupted communication between facilities and the distribution system operator, but electricity production continued uninterrupted. Similarly, the CHP plant, which supplies heat to nearly half a million customers, did not experience a disruption in heat delivery.

The attackers reportedly gained access to internal networks at these sites to conduct reconnaissance and deploy wiper malware, including a strain named DynoWiper, developed to damage controllers, delete files, and compromise operational technology (OT) systems. In the case of the CHP plant, the intruders had been collecting data since March 2025, escalating privileges and moving laterally within the network. Attempts to execute the malware to disrupt services were unsuccessful.

Targeting the Manufacturing Sector

The attack on the manufacturing company appears to have been opportunistic, exploiting vulnerabilities in Fortinet perimeter devices. Similarly, access to the grid connection point may have involved compromised FortiGate appliances.

CERT Polska identified at least four DynoWiper variants, deployed across Mikronika HMI computers in renewable energy facilities and within the CHP network via SSL-VPN services. In this campaign, attackers used multiple static accounts without two-factor authentication and connected through Tor nodes and foreign IP addresses, often associated with compromised infrastructure.
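The access pattern described above (static accounts without a second factor, SSL-VPN logins arriving through Tor nodes and from foreign IP addresses) is one that a defender can hunt for in VPN authentication logs. The following is an added detection example, not CERT Polska's tooling or indicators: the log format, the Tor exit list, the account list and the expected-country set are all constructed assumptions, and a real deployment would feed the same logic from the firewall's own log schema and a current Tor exit-node list.

```python
"""Flag SSL-VPN logins that match the pattern described in the report:
non-MFA service accounts, logins via Tor exit nodes, and logins from
countries the organisation does not expect. Added example; all data here
is constructed (documentation-range IPs), not the incident's own IoCs."""
import re
from collections import defaultdict

# Constructed stand-in for a Tor exit-node list (assumption: you refresh
# this from the public exit list in production).
TOR_EXITS = {"198.51.100.7", "203.0.113.42"}
# Constructed: accounts known to authenticate without a second factor.
NO_MFA_ACCOUNTS = {"svc-scada", "vendor01"}
# Assumption: staff and contractors normally connect from Poland only.
EXPECTED_COUNTRIES = {"PL"}

# Assumed log format: "<ts> vpn user="<name>" src=<ip> geo=<CC> result=<ok|fail>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) vpn user="(?P<user>[^"]+)" src=(?P<src>\S+) '
    r'geo=(?P<geo>[A-Z]{2}) result=(?P<result>\w+)$'
)

# Constructed sample log lines (timestamps chosen to match the report's date).
SAMPLE_LOG = [
    '2025-12-29T03:12:07Z vpn user="svc-scada" src=198.51.100.7 geo=DE result=success',
    '2025-12-29T03:14:51Z vpn user="j.kowalski" src=192.0.2.10 geo=PL result=success',
    '2025-12-29T03:20:33Z vpn user="vendor01" src=203.0.113.42 geo=NL result=success',
    '2025-12-29T03:21:02Z vpn user="a.nowak" src=192.0.2.55 geo=PL result=failure',
    '2025-12-29T04:05:19Z vpn user="j.kowalski" src=198.51.100.200 geo=US result=success',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_login(ev):
    """Return the list of reasons a successful login is suspicious (empty if none)."""
    reasons = []
    if ev["result"] != "success":
        return reasons          # failed attempts are handled by other rules
    if ev["src"] in TOR_EXITS:
        reasons.append("tor-exit")
    if ev["geo"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected-country")
    if ev["user"] in NO_MFA_ACCOUNTS:
        reasons.append("no-mfa-account")
    return reasons


def find_suspicious(lines):
    """Scan log lines; return (user, src_ip, reasons) for each flagged login."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = score_login(ev)
        if reasons:
            hits.append((ev["user"], ev["src"], reasons))
    return hits


def accounts_with_multiple_countries(lines):
    """Correlate across lines: accounts that succeeded from more than one country."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "success":
            seen[ev["user"]].add(ev["geo"])
    return {user: geos for user, geos in seen.items() if len(geos) > 1}


if __name__ == "__main__":
    for user, src, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{user:12} {src:16} {', '.join(reasons)}")
    print("multi-country accounts:", accounts_with_multiple_countries(SAMPLE_LOG))
```

The per-line rules catch the obvious cases (a no-MFA service account arriving from a Tor exit), while the second function adds the cross-line correlation that matters for static credentials: one account appearing from two countries within hours is a stronger signal than either login alone.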

DynoWiper’s operation is relatively straightforward: it enumerates files, corrupts them using a pseudorandom number generator (Mersenne Twister), and deletes them. Notably, the malware lacks persistence, C2 communication, and anti-detection features.

In the manufacturing sector attack, CERT Polska reported the use of a PowerShell-based wiper called LazyWiper, which overwrites files with 32-byte pseudorandom sequences. CERT Polska suggested the malware’s core functionality may have been developed using a large language model (LLM).
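Both wipers described above leave the same forensic trace: files that still exist under their original names but whose contents have been replaced by pseudorandom bytes (DynoWiper's PRNG output) or by a short pseudorandom block repeated across the file (LazyWiper's 32-byte sequences). The following is an added triage helper for incident responders, not code from CERT Polska or from either malware family: it classifies file contents by byte entropy, known file headers and repeating-block structure. The sample files, the header table and the thresholds are constructed assumptions.

```python
"""Triage helper: decide whether a file's contents look overwritten with
pseudorandom data rather than holding its expected structured content.
Added example with constructed sample files; thresholds are assumptions."""
import hashlib
import math
import random
from collections import Counter

# Assumed header table for common document types (extend for your estate).
KNOWN_HEADERS = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-based (docx/xlsx/jar)",
    b"MZ": "pe",
    b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform pseudorandom data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_type(data: bytes):
    """Return the file type name if the data starts with a known header."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def repeated_block_period(data: bytes, max_period: int = 64):
    """Smallest period p (<= max_period) such that the file is data[:p] tiled;
    None if no such short period exists. Catches zero-fill (p=1) and a
    short pseudorandom block tiled over the file (e.g. p=32)."""
    if len(data) < 64:
        return None                 # too small to judge a tiling
    for p in range(1, max_period + 1):
        if len(data) >= 2 * p and data == (data[:p] * (len(data) // p + 1))[:len(data)]:
            return p
    return None


def classify(name: str, data: bytes) -> str:
    """Classify one file's contents for a wiper triage report."""
    period = repeated_block_period(data)
    if period is not None:
        return f"overwritten-repeating-{period}B"
    if known_type(data) is not None:
        return "header-intact"      # compressed formats are high-entropy by design
    if shannon_entropy(data) > 7.5:
        return "overwritten-random"  # high entropy with no recognisable header
    return "no-indicator"


# --- constructed sample files (in memory, no disk access) -------------------
_rng = random.Random(1234)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))   # PRNG-filled file
BLOCK32 = hashlib.sha256(b"constructed block").digest()         # 32-byte stand-in
TILED = BLOCK32 * 128                                           # 4096 bytes, period 32
PDF_FILE = b"%PDF-1.4\n%constructed sample document\n" + b"x" * 200
TEXT_FILE = b"hello world\n"

SAMPLE_FILES = {
    "scada_export.txt": RANDOM_BLOB,
    "plc.cfg": TILED,
    "manual.pdf": PDF_FILE,
    "notes.txt": TEXT_FILE,
}


def triage(files: dict) -> dict:
    """Classify every file; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name:18} {verdict}")
```

The ordering in `classify` matters: the repeating-block test runs first because a tiled 32-byte sequence has low entropy and would otherwise pass as benign, and the header check runs before the entropy test because legitimately compressed formats are also near 8 bits per byte. Counts of `overwritten-*` verdicts per host and directory give the responder a quick map of what the wiper reached.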

Distribution and Data Theft

For the CHP and manufacturing sector attacks, malware distribution occurred via Active Directory domains using PowerShell scripts executed on domain controllers. Attackers also attempted to access cloud services, including Microsoft 365, to exfiltrate files from Exchange, Teams, and SharePoint. The stolen data focused on OT network modernization, SCADA systems, and technical operational documents.

CERT Polska noted general code-level similarities between DynoWiper and previous Sandworm wipers but stated that there is no definitive evidence linking Sandworm to these specific attacks.

Conclusion

The incidents highlight the growing threat posed by state-sponsored actors to critical infrastructure and industrial networks. While immediate operational disruptions were avoided, the attacks demonstrate the potential for long-term data compromise and destructive malware deployment in Poland’s energy and industrial sectors.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO