29 December 2025 was marked by a coordinated operation against Polish energy infrastructure that affected more than 30 renewable facilities (wind and photovoltaic parks), a manufacturing company and a large cogeneration plant that supplies heat to hundreds of thousands of households. The most detailed public notification came from CERT Polska, which describes an attack designed to damage operating environments and which leaves open questions about the defences protecting critical networks.
As for attribution, CERT Polska's report attributes the campaign to a threat cluster it calls Static Tundra, historically tracked under aliases such as Berserk Bear or Energetic Bear and linked in its analysis to Center 16 of the Russian FSB. Other public analyses have pointed to links with another Russian state actor, Sandworm; cybersecurity firms such as ESET and Dragos have published research that, with differing levels of confidence, draws technical and tactical connections to that group. This kind of divergence is not unusual in complex attributions: overlaps in tooling, patterns and targets support several hypotheses but rarely allow an unambiguous conclusion.

The attackers penetrated networks associated with substations and industrial control systems. In several cases they reached HMI (human-machine interface) workstations from manufacturers such as Mikronika, as well as the corporate networks that feed the OT environments. CERT Polska describes extensive reconnaissance, firmware manipulation on controllers and the deployment of destructive malware; in the cogeneration plant the intruders had been present since March 2025, harvesting information that allowed them to escalate privileges and move laterally within the network.
The most prominent destructive component has been identified as DynoWiper, a piece of malware found in several variants. Its mode of operation, according to the analysis, is fairly direct: the code seeds a pseudo-random number generator based on the Mersenne Twister algorithm, walks the file system corrupting files and deleting data, but includes no sophisticated persistence, command-and-control or advanced obfuscation mechanisms. In parallel, the intrusion at the manufacturing company turned up a PowerShell wiper called LazyWiper, which overwrites files with 32-byte pseudo-random sequences; researchers suspect the wiping logic may have been written with the help of a language model.
The initial access vector used in several of the incidents reveals a recurring weakness: FortiGate perimeter devices with vulnerable configurations and exposed SSL-VPN portals provided the entry point. CERT Polska notes that the accounts used for access were defined statically in the device configuration, without two-factor authentication, and that the connections came both from Tor nodes and from compromised infrastructure in several countries. These findings point to a combination of patching failures, insecure configurations and gaps in hardening remote access; Fortinet maintains a public channel for advisories and patches that should be reviewed regularly on its security site (Fortinet Product Security).
Another concern was credential reuse and the escalation from on-premises environments to cloud services. After identifying accounts synchronised with Microsoft 365, the attackers downloaded data from Exchange, Teams and SharePoint; the targets included documents and emails related to the modernisation of OT and SCADA systems. This combination of on-premises compromise plus cloud exfiltration shows why identities and access must be protected in both domains: in practice, compromising a VPN or a domain controller can open the door to cloud data if no additional controls are in place. Microsoft publishes recommendations on deploying multifactor authentication and protecting identities in Azure AD, now Entra ID (Microsoft MFA Guide).
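The two weaknesses above (local VPN accounts without a second factor, logins from Tor or unknown infrastructure) are both visible in data a FortiGate operator already has: the running configuration and the SSL-VPN event log. The script below is an added example written for this article, not code from CERT Polska or Fortinet. It parses a constructed FortiOS configuration excerpt and constructed key=value log lines (both invented for illustration, with documentation IP ranges standing in for a Tor exit list), lists every local user whose block has no `set two-factor` line (FortiOS omits the line when the setting is at its default of `disable`), and flags SSL-VPN logins by such accounts or from addresses on the exit list.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed FortiOS configuration excerpt (illustration only). In FortiOS the
# 'set two-factor' line is absent when the value is the default 'disable', so a
# local user block without it has no second factor.
SAMPLE_CONFIG = """
config user local
    edit "vpn-svc"
        set type password
        set passwd ENC AAAA
    next
    edit "j.kowalski"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set passwd ENC BBBB
    next
    edit "contractor"
        set type password
        set two-factor disable
        set passwd ENC CCCC
    next
end
"""

# Constructed SSL-VPN events in FortiGate key=value syntax (illustration only).
SAMPLE_LOGS = [
    'date=2025-12-29 time=02:41:07 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-web" remip=192.0.2.9 user="vpn-svc" group="sslvpn" '
    'reason="login successfully" msg="SSL tunnel established"',
    'date=2025-12-29 time=02:55:19 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-web" remip=203.0.113.77 user="contractor" group="sslvpn" '
    'reason="login successfully" msg="SSL tunnel established"',
    'date=2025-12-29 time=08:10:03 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-web" remip=198.51.100.4 user="j.kowalski" group="sslvpn" '
    'reason="login successfully" msg="SSL tunnel established"',
    'date=2025-12-29 time=08:11:44 type="event" subtype="vpn" action="ssl-login-fail" '
    'remip=192.0.2.9 user="admin" reason="sslvpn_login_permission_denied"',
]

# Placeholder exit list (documentation range); a real deployment would load the
# Tor Project's published exit-address list instead of hard-coding networks.
TOR_EXIT_NETS = [ip_network("192.0.2.0/24")]

_USER_BLOCK = re.compile(r'edit "([^"]+)"\n(.*?)\n\s*next', re.S)
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_local_users(config: str) -> dict:
    """Return {name: has_two_factor} for every entry under 'config user local'."""
    section = re.search(r'config user local\n(.*?)\nend', config, re.S)
    if not section:
        return {}
    users = {}
    for name, body in _USER_BLOCK.findall(section.group(1)):
        tf = re.search(r'set two-factor (\S+)', body)
        users[name] = bool(tf and tf.group(1) != "disable")
    return users


def parse_event(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_tor_exit(ip: str, nets=TOR_EXIT_NETS) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def review_logins(config: str, lines: list, nets=TOR_EXIT_NETS) -> list:
    """Flag SSL-VPN login events matching the pattern described in the report:
    a config-defined local account with no second factor, and/or a source
    address on the exit list. Returns (user, remip, action, reasons) tuples."""
    users = parse_local_users(config)
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("subtype") != "vpn" or ev.get("action") not in ("tunnel-up", "ssl-login-fail"):
            continue
        user = ev.get("user", "")
        reasons = []
        if user in users and not users[user]:
            reasons.append("local account without two-factor")
        if is_tor_exit(ev.get("remip", "0.0.0.0"), nets):
            reasons.append("source is a Tor exit")
        if reasons:
            findings.append((user, ev["remip"], ev["action"], reasons))
    return findings


if __name__ == "__main__":
    for name, has_2fa in parse_local_users(SAMPLE_CONFIG).items():
        print(f"local user {name}: two-factor={'yes' if has_2fa else 'NO'}")
    for user, ip, action, reasons in review_logins(SAMPLE_CONFIG, SAMPLE_LOGS):
        print(f"{action:14} {user:12} from {ip:15} -> {', '.join(reasons)}")
```

Administrator accounts live under `config system admin`, not `config user local`, so the failed `admin` login is flagged only for its source; extending the parser to that section is the obvious next step for an operator auditing a real device.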
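The cloud side of the intrusion described above (bulk retrieval of SharePoint documents and mailbox items by a synchronised account, from infrastructure the account had never used) leaves a trail in the Microsoft 365 unified audit log. The following is an added example for this article, not Microsoft's tooling or anything from the CERT Polska report. It runs a simple detection over constructed audit records that follow the common schema of the Office 365 Management Activity API (`CreationTime`, `Operation`, `UserId`, `ClientIP`, `Workload`, `ObjectId`): for every user/IP pair not in a per-user baseline of known addresses, it looks for a burst of data-access operations inside a sliding window and reports which of the touched objects match OT/SCADA-related terms. The baseline, the sensitive-term list and the records themselves are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed unified-audit-log records (illustration only, not real data).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-12-20T21:02:11", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "j.kowalski@example.com", "ClientIP": "192.0.2.9",
     "ObjectId": "https://example.sharepoint.com/sites/eng/SCADA-modernisation-tender.docx"},
    {"CreationTime": "2025-12-20T21:02:40", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "j.kowalski@example.com", "ClientIP": "192.0.2.9",
     "ObjectId": "https://example.sharepoint.com/sites/eng/Q4-budget.xlsx"},
    {"CreationTime": "2025-12-20T21:03:05", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "j.kowalski@example.com", "ClientIP": "192.0.2.9",
     "ObjectId": "https://example.sharepoint.com/sites/eng/OT-network-diagram.vsdx"},
    {"CreationTime": "2025-12-20T21:04:50", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "j.kowalski@example.com", "ClientIP": "192.0.2.9",
     "ObjectId": "https://example.sharepoint.com/sites/eng/vendor-contracts.pdf"},
    {"CreationTime": "2025-12-20T21:06:12", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "j.kowalski@example.com", "ClientIP": "192.0.2.9",
     "ObjectId": "https://example.sharepoint.com/sites/eng/substation-HMI-upgrade-plan.pptx"},
    {"CreationTime": "2025-12-20T21:09:30", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": "j.kowalski@example.com", "ClientIP": "192.0.2.9", "ObjectId": ""},
    # Normal daytime activity from the user's usual address.
    {"CreationTime": "2025-12-20T10:15:00", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "j.kowalski@example.com", "ClientIP": "198.51.100.4",
     "ObjectId": "https://example.sharepoint.com/sites/eng/timesheet.xlsx"},
    # A second user from an unknown address, but far below the burst threshold.
    {"CreationTime": "2025-12-20T15:00:00", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "a.nowak@example.com", "ClientIP": "203.0.113.5",
     "ObjectId": "https://example.sharepoint.com/sites/hr/holiday-policy.pdf"},
    {"CreationTime": "2025-12-20T15:01:00", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "a.nowak@example.com", "ClientIP": "203.0.113.5",
     "ObjectId": "https://example.sharepoint.com/sites/hr/onboarding.docx"},
]

# Assumed baseline of addresses each user normally signs in from; in practice
# this would be built from a trailing window of the same log.
USER_BASELINE_IPS = {"j.kowalski@example.com": {"198.51.100.4"}}

# Assumed terms that mark documents about the OT/SCADA estate.
SENSITIVE_TERMS = ("scada", "ot-", "hmi")

DATA_ACCESS_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "MailItemsAccessed"}


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"])


def detect_bulk_access(records, baseline, window=timedelta(minutes=15), threshold=5) -> list:
    """Return one alert per (user, ip) not in the user's baseline whose data-access
    operations reach `threshold` events inside any `window`-long sliding window."""
    by_key = defaultdict(list)
    for rec in records:
        if rec.get("Operation") in DATA_ACCESS_OPS:
            by_key[(rec["UserId"], rec["ClientIP"])].append(rec)

    alerts = []
    for (user, ip), evs in by_key.items():
        if ip in baseline.get(user, set()):
            continue
        evs.sort(key=_ts)
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            objects = [r.get("ObjectId", "") for r in evs[s:e + 1]]
            sensitive = [o for o in objects if any(t in o.lower() for t in SENSITIVE_TERMS)]
            alerts.append({"user": user, "ip": ip, "count": count,
                           "window_start": evs[s]["CreationTime"],
                           "window_end": evs[e]["CreationTime"],
                           "sensitive_objects": sensitive})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_RECORDS, USER_BASELINE_IPS):
        print(f"{a['user']} from {a['ip']}: {a['count']} data-access events "
              f"between {a['window_start']} and {a['window_end']}")
        for obj in a["sensitive_objects"]:
            print("   sensitive:", obj)
```

The threshold and window are deliberately crude; the point is that the signal (a new source address plus a burst of downloads and mailbox reads) is available without any endpoint telemetry, which matters when the on-premises side has already been wiped.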
From an operational perspective the results were mixed: the disruption in the renewable parks cut communications with the grid operator but did not stop electricity generation, and the attempt to cut the heat supply from the cogeneration plant did not achieve its final objective, according to CERT Polska. The material damage and the strain on system resilience are nonetheless real: firmware modification, file destruction and temporary loss of visibility complicate operations and recovery, and raise the risk of more serious consequences in future incidents.
The technical lessons are clear: harden perimeter devices and VPN portals with appropriate patches and configurations, enforce multifactor authentication for administrative access, minimise accounts and passwords embedded in configurations, segment OT and IT networks to limit lateral movement, and keep offline backups that allow restoration after a wiper attack. In addition, early detection and coordinated response between operators, manufacturers and authorities are critical; agencies such as CISA publish guidance and advisories on security practices for industrial systems that are useful to critical infrastructure operators.

We also need to reflect on the changing nature of malicious tooling. The wipers observed lacked sophisticated command-and-control functions, which does not make them less dangerous: simple, well-targeted code executed at the right moment can cause great damage. At the same time, the possible use of language models to generate wiping modules points to a new accelerator of the technical capability of attackers with moderate resources.
Ultimately, this incident in Poland is a reminder that security of energy supply depends as much on basic cyber hygiene and international cooperation as on the robustness of software and hardware. Transparency in public reports, the sharing of indicators of compromise and collaboration between the private sector and response agencies all increase collective defensive capacity. For those who manage critical infrastructure the underlying recommendation is clear: anticipate, patch, segment and audit constantly, and do so in coordination with national agencies and security vendors.
Sources: the CERT Polska report; research and bulletins from cybersecurity firms such as ESET and sector resources from Dragos; and the advisory pages of manufacturers and agencies such as Fortinet and CISA, together with Microsoft's documentation on identity protection. Security of the energy environment is not a one-day problem: it requires sustained investment and ongoing monitoring.