# Full Report
CERT Polska presents a report on the analysis of an incident in the energy sector that occurred on 29 December 2025. The attacks were destructive in nature and targeted wind and photovoltaic farms, a large combined heat and power plant, and a company from the manufacturing sector. The publication aims to raise awareness of the risks associated with sabotage in cyberspace.
# Analysis Summary
# Incident Report: Coordinated Destructive Attacks Against Polish Critical Infrastructure (Dec 2025)
## Executive Summary
On December 29, 2025, coordinated, destructive cyberattacks targeted Polish critical infrastructure, affecting over 30 renewable energy farms, a major combined heat and power (CHP) plant, and a manufacturing company. The attackers infiltrated both IT and industrial control systems (ICS) with the aim of sabotaging infrastructure using wiper malware. Remote control of substations was temporarily lost and data destruction was attempted at the CHP plant, but the destructive payload was largely blocked and did not cause the intended widespread physical disruption during a period of high energy demand.
## Incident Details
- **Discovery Date:** Not explicitly stated; discovery appears to have coincided with the attack execution on Dec 29, 2025.
- **Incident Date:** December 29, 2025 (Morning and afternoon hours).
- **Affected Organizations:** Over 30 wind/photovoltaic farms, a large combined heat and power plant, and a private manufacturing-sector company.
- **Sector:** Energy (Renewables, Power Generation) and Manufacturing.
- **Geography:** Poland.
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding Dec 29, 2025 (Long-term infiltration mentioned for CHP plant).
- **Vector:** Not explicitly detailed; the report implies a network compromise that led to access to the internal network.
- **Details:** Attackers infiltrated the internal networks of grid connection points (substations) and the CHP plant via long-term infiltration, resulting in the theft of sensitive operational information and access to privileged accounts.
### Working/Lateral Movement
- **Date/Time:** December 29, 2025 (leading up to the destructive phase).
- **Vector:** Use of privileged accounts at the CHP plant, reconnaissance within grid connection points.
- **Details:** Attackers performed reconnaissance at grid connection points and prepared destructive actions targeting industrial devices (RTUs, HMIs, Protection Relays).
### Impact Phase (Destructive Action)
- **Date/Time:** Morning of December 29, 2025 (Partially automated plan triggered).
- **Vector:** Execution of wiper malware, firmware destruction, deletion of system files.
- **Details:** Attack disrupted communication between renewable energy substations and the Distribution System Operator (DSO) by damaging RTUs. Wiper malware was deployed against the CHP plant (blocked by EDR) and the manufacturing company (identical malware).
### Detection & Response
- **Date/Time:** December 29, 2025.
- **Vector:** EDR software detection at the CHP plant.
- **Details:** The attack on the CHP plant was blocked by the organization's EDR software, preventing the intended data destruction. Renewable energy production continued, although remote control was lost.
## Attack Methodology
- **Initial Access:** Compromise of the internal network (details not specified; the reference to "long-term infiltration" suggests advanced persistent access).
- **Persistence:** Implied via compromised privileged accounts at the CHP plant.
- **Privilege Escalation:** Gained access to privileged accounts, allowing free movement within systems (CHP Plant).
- **Defense Evasion:** No specific techniques are documented, although the destructive actions reaching ICS devices suggest that standard security controls were bypassed.
- **Credential Access:** Stole sensitive operational information and gained privileged access.
- **Discovery:** Performed reconnaissance on industrial devices (RTUs, HMIs, protection relays) at substations.
- **Lateral Movement:** Freely moved within the plant's systems (CHP Plant) using privileged accounts.
- **Collection:** Theft of sensitive operational information (prior to destructive phase at CHP).
- **Exfiltration:** Not the primary goal, but sensitive operational information was stolen from the CHP plant prior to the attack.
- **Impact:** Executing a destructive wiper malware, damaging controller firmware, and deleting system files targeting ICS assets.
## Impact Assessment
- **Financial:** Not quantified, but the targeting of critical infrastructure during extreme weather implies a significant risk.
- **Data Breach:** Sensitive operational information was stolen from the CHP plant prior to the main attack.
- **Operational:**
  * Renewable Energy Farms: Lost communication and remote control capability for RTUs, but electricity production was *not* affected.
  * CHP Plant: Attempted sabotage of data via wiper malware was blocked; the intended heat supply disruption was *not* achieved.
  * Manufacturing Company: An attack occurred, but the resulting operational impact is undocumented beyond the attempt itself.
- **Reputational:** Potential impact due to the coordinated targeting of national energy supply during adverse weather conditions.
## Indicators of Compromise
*(Note: Specific IoCs were not provided in the summary, only that a full report is available.)*
- **Network indicators:** Analysis is pending on compromised VPS servers and anonymizing infrastructure associated with the attacker cluster.
- **File indicators:** Wiper malware used (identical samples across CHP and manufacturing targets).
- **Behavioral indicators:** Issuance of a partially automated destructive plan targeting ICS/OT devices (RTUs, HMIs, Relays).
## Response Actions
- **Containment:** Not explicitly detailed; the EDR block of the wiper execution at the CHP plant effectively contained the attempted data destruction.
- **Eradication:** Not detailed; necessary steps would include restoring or replacing affected RTUs and cleaning compromised systems.
- **Recovery:** Renewable energy farms retained the ability to produce power despite communication loss. The CHP plant maintained heat supply.
## Lessons Learned
- The incident demonstrates a significant escalation, involving coordinated, purely **destructive** attacks that successfully targeted both IT and physical industrial devices.
- EDR solutions can be effective in blocking known wiper malware payloads even in advanced ICS/IT environments.
- The attacker exhibits capabilities consistent with the "Static Tundra"/"Berserk Bear" cluster, suggesting a highly sophisticated actor targeting national priorities.
## Recommendations
- Organizations, especially in critical infrastructure sectors, must prioritize security visibility and preventative measures (like EDR) on all enterprise and control systems.
- Implement rigorous segmentation and access controls to prevent deep lateral movement following initial access, especially to devices handling operational firmware/data.
- Regular updates and integrity checks for firmware on network hardware and control system components (RTUs, HMIs) should be mandatory.