Cyber attack on the Polish energy sector. Goal: to cause maximum damage
On December 29, 2025, there was a coordinated hacker attack on the Polish energy infrastructure. A month after this event, CERT Polska published a detailed report on the possible motives, goals and effects of cybercriminals’ actions.
Their target was at least 30 wind and photovoltaic farms, a large thermal power plant and a production company. It was purely a destructive attack, which CERT Polska analysts compare to digital arson – at the worst possible moment, just before the New Year, when Poland was struggling with frost and snowstorms.
What was attacked?
The attacks were carried out simultaneously and aimed to cause maximum damage. At the renewable energy farms, the attackers destroyed the communication systems linking the farms to the distribution network operators: the sites lost the ability to be controlled remotely, although energy production itself was not interrupted. The combined heat and power plant, which supplies heat to almost half a million customers, was targeted with wiper malware, a program that destroys data with no possibility of recovery. Fortunately, the EDR security software blocked the attack at the last moment.
The attackers took advantage of the weak security of industrial equipment. At the wind and solar farms, they entered through FortiGate devices that served as VPN gateways; many of them still had default passwords and no two-factor authentication. Once inside the network, the attackers destroyed everything they could: Hitachi RTU controllers were crippled by uploading corrupted firmware, Mikronika controllers were wiped by deleting all system files over SSH, and Moxa serial port servers were reset to factory settings with their passwords changed and their IP addresses altered.
The heat and power plant had been compromised for much longer: the first traces of the attackers' presence date back to March 2025. They gained access to administrator accounts, stole the Active Directory database and spent months preparing the ground for the final attack. On December 29, they tried to deploy the data-destroying program to over 100 computers through a Group Policy Object (GPO), but the security software stopped the attack.
Who’s behind this?
CERT Polska conducted a detailed analysis of the infrastructure used for the attack and determined that the perpetrators most likely belong to a group (a so-called activity cluster) tracked under different names by different security vendors: Static Tundra (Cisco), Berserk Bear (CrowdStrike), Ghost Blizzard (Microsoft) and Dragonfly (Symantec). This is a known Russian group that specializes in attacks on the energy sector and has the ability to attack industrial equipment. However, this is the first publicly described destructive activity attributed to it.
CERT Polska recommends that all companies check their logs against the indicators of compromise (IoCs) included in the report, register in the Moje.cert.pl system and implement the recommendations for securing OT systems. It is also crucial to report incidents to the appropriate CSIRT team: CSIRT GOV for government administration and critical infrastructure, CSIRT MON for military institutions, and CSIRT NASK for all other entities.
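As an added illustration of the log check recommended above (not code from CERT Polska or the report), the script below sweeps authentication log lines from VPN gateways and OT devices for three things the article describes: source addresses on an IoC list, SSH logins to controllers from outside the management network, and successful logins with default accounts. The IoC addresses, the management subnet, the account names and the log line format are all constructed placeholders; replace the IoC set with the list published in the report.

```python
"""Sweep constructed VPN/SSH authentication logs for indicators of compromise."""
import ipaddress
import re

# PLACEHOLDER indicators (documentation-range addresses): substitute the IoC list from the report.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
# Assumed management subnet from which SSH logins to OT controllers are expected.
OT_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumed default/built-in accounts that should never log in interactively.
DEFAULT_ACCOUNTS = {"admin", "root"}

# Constructed log format: "<timestamp> <host> <vpn|sshd>: <accepted|failed> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>vpn|sshd): (?P<status>accepted|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def scan_line(line):
    """Return (finding, host, detail) tuples for one line; empty list if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparsable lines are skipped, not treated as findings
    src = ipaddress.ip_address(m["src"])
    findings = []
    if m["src"] in IOC_IPS:
        findings.append(("ioc_match", m["host"], m["src"]))
    if m["svc"] == "sshd" and m["status"] == "accepted" and src not in OT_MGMT_NET:
        findings.append(("ot_ssh_from_outside_mgmt", m["host"], m["src"]))
    if m["status"] == "accepted" and m["user"] in DEFAULT_ACCOUNTS:
        findings.append(("default_account_login", m["host"], m["user"]))
    return findings


def scan(lines):
    """Run scan_line over every line and collect all findings in order."""
    out = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample lines: one VPN login from an IoC address with the default account,
# one root SSH login from the management net, one SSH login from an IoC address outside it.
SAMPLE_LOGS = [
    "2025-12-29T03:12:07Z fw-farm01 vpn: accepted user=admin src=203.0.113.45",
    "2025-12-29T03:15:41Z rtu-farm01 sshd: accepted user=root src=10.20.0.9",
    "2025-12-29T03:18:02Z rtu-farm02 sshd: accepted user=ops src=198.51.100.7",
    "2025-12-29T03:20:55Z fw-farm03 vpn: failed user=admin src=192.0.2.10",
    "2025-12-29T09:00:00Z rtu-farm03 sshd: accepted user=ops src=10.20.0.15",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

A failed login from an IoC address is still reported as an `ioc_match`, since reconnaissance attempts are worth triaging even when they did not succeed.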
The technical report is publicly available here:
