Full Report
Sweeping sanctions and condemnation follow op that could have left half a million without power in the depths of winter
Analysis Summary
# Incident Report: Attempted Disruption of Polish Power Grid (Winter 2025)
## Executive Summary
In December 2025, the Russian Federal Security Service (FSB) targeted Poland’s power grid in a significant cyber-sabotage attempt. The operation aimed to disrupt communication between renewable energy hardware and distribution operators, potentially leaving 500,000 citizens without power during peak winter. While the deployment of the destructive "DynoWiper" malware was unsuccessful in causing a blackout, the incident triggered sweeping international sanctions and a global advisory on Russian state tradecraft.
## Incident Details
- **Discovery Date:** January 2026
- **Incident Date:** December 2025
- **Affected Organization:** Polish Power Grid (multiple distribution operators)
- **Sector:** Energy / Critical National Infrastructure (CNI)
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** December 2025
- **Vector:** Exploitation of legacy network protocols (SNMPv1/v2) and unpatched hardware.
- **Details:** Attackers scanned for devices responding to SNMPv1/v2 using default or "guessable" community strings.
### Lateral Movement
- **Technique:** Exploitation of the Cisco Smart Install feature and abuse of SNMP access to harvest device configuration data. This allowed the actors to map the internal network and pivot to industrial control-related communication systems.
### Data Exfiltration/Impact
- **Impact:** Attempted deployment of **DynoWiper** malware.
- **Objective:** To sever communication between renewable energy assets and the central power grid to trigger a mid-winter blackout.
### Detection & Response
- **Discovery:** Detected by Polish energy experts and internal monitoring systems in late 2025/early 2026.
- **Response Actions:** Neutralization of the malware before the kinetic impact occurred; subsequent international investigation by NCSC, EU, and UK authorities.
## Attack Methodology
- **Initial Access:** SNMP scanning (v1/v2) and exploitation of Cisco Smart Install.
- **Persistence:** Transferring device configurations to attacker-controlled C2 servers to maintain long-term access.
- **Defense Evasion:** Use of "proxy groups" and cybercriminal infrastructure (e.g., Lumma Stealer) to mask state involvement.
- **Credential Access:** Brute-forcing default SNMP community strings and using infostealers to harvest credentials.
- **Discovery:** Network scanning and reconnaissance of IP-connected devices (including IP cameras).
- **Lateral Movement:** Misconfiguration exploitation of networking hardware (Routers/Switches).
- **Impact:** Deployment of **DynoWiper** (destructive wiper malware aimed at industrial disruption).
## Impact Assessment
- **Financial:** High remediation costs and costs associated with international sanctions.
- **Data Breach:** Compromise of sensitive CNI configuration data and military logistics intelligence.
- **Operational:** Potential loss of power for 500,000 residents; disruption of renewable energy integration.
- **Reputational:** Massive escalation in geopolitical tensions; formal attribution by UK/EU.
## Indicators of Compromise
- **Network Indicators:** Traffic associated with SNMP scanning on ports 161/162; unauthorized configuration file transfers via TFTP/FTP.
- **File Indicators:** `DynoWiper` malware signatures (specific hashes not disclosed in report).
- **Behavioral Indicators:** Unauthorized use of Cisco Smart Install; unexpected communication between IT networks and renewable energy hardware controllers.
## Response Actions
- **Containment:** Disabling vulnerable legacy protocols across the grid.
- **Eradication:** Removal of wiper malware artifacts and revoking compromised credentials.
- **Recovery:** Coordination with NCSC and EU partners to harden CNI against "Centre 16" (FSB) TTPs.
- **Legal/Diplomatic:** Implementation of sanctions against 24 Russian individuals/entities (e.g., Centre 16, GRU leaders, and Lumma Stealer operators).
## Lessons Learned
- **Legacy Vulnerabilities:** Continued reliance on SNMPv1/v2 with default strings remains a critical failure point in CNI.
- **Convergence of Crime and Espionage:** Russian state actors are increasingly using commercial "infostealers" (Lumma Stealer) to facilitate state-sponsored sabotage.
- **Physical-Cyber Link:** Cyberattacks on energy infrastructure during winter are being used as a hybrid warfare tactic with "potentially lethal" intent.
## Recommendations
- **Disable Legacy Protocols:** Immediately disable SNMPv1 and SNMPv2; migrate to **SNMPv3** with `authPriv` (encryption and strong authentication).
- **Hardware Hardening:** Disable **Cisco Smart Install** on all internet-facing and internal routing equipment.
- **Password Hygiene:** Enforce a ban on default passwords for all IP-connected devices (including IoT/IP cameras).
- **Segment Networks:** Ensure strict air-gapping or filtered communication between Renewable Energy hardware and the primary distribution management systems.