Defcon Alerts Threat Monitor


Cyber/Tech

Poland's Energy Sector Faced Coordinated Cyberattacks Targeting Renewable Facilities and Deploying Wiper Malware

The attacks targeted operational technology and industrial control systems at over 30 wind and solar farms, a combined heat and power plant serving nearly half a million customers

Defcon Level and Donald Standeford
Feb 10, 2026

EUROPE — The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory on February 10 highlighting a destructive cyber incident in Poland’s energy sector from late December.


The attacks targeted operational technology and industrial control systems at over 30 wind and solar farms, a combined heat and power plant serving nearly half a million customers, and a manufacturing firm producing energy components.

“The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them according to their intended design.” - CISA

Attackers exploited vulnerable FortiGate firewalls with default credentials to access networks, then used Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) for lateral movement before deploying custom wiper malware called DynoWiper to encrypt files and disrupt communications.

While no interruptions to power or heat occurred, the event exposed risks in distributed renewable energy systems and prompted recommendations for enhanced edge device security.

CERT Polska’s incident report from January 30 detailed the attacks, which occurred during the morning and afternoon hours of December 29. The malware aimed to cause irreversible data destruction, but endpoint detection tools at the combined heat and power plant blocked its execution.

Polish authorities attributed the operation to the Russian-linked group Static Tundra, also known as Electrum or Berserk Bear, based on infrastructure overlaps and tactics matching prior campaigns.

Incident Details

A guest post by
Donald Standeford
Founder of The Standeford Journal. I'm an American independent investigative journalist, intel/geopolitical analyst, and world traveler.