A coordinated wave of cyber attacks has struck critical infrastructure in Poland, marking a dangerous escalation in cyber-physical warfare. In what experts have described as “digital arson,” hackers targeted more than 30 wind and photovoltaic farms, along with a major combined heat and power (CHP) plant, during extreme winter conditions.
A Calculated Winter Strike
The attack, carried out on December 29, 2025, was deliberately timed to coincide with severe cold, heavy snowfall, and peak seasonal demand. Unlike conventional cyber espionage campaigns that focus on data theft or intelligence gathering, this operation was designed primarily for physical and operational disruption.
Although the attackers succeeded in severing communications and disabling remote management systems, they failed to shut down actual electricity and heat production. As a result, nearly half a million customers served by the affected CHP facility avoided immediate service interruptions during the freeze.
A Hybrid Assault on Renewable Infrastructure
Security researchers have classified the incident as a rare “hybrid assault” that simultaneously targeted information technology (IT) systems and industrial control equipment. The attackers demonstrated advanced knowledge of operational technology (OT), combining traditional network exploits with physical-layer sabotage.
At renewable energy sites, the focus was on power substations, which serve as critical connection points between turbines, solar arrays, and the national grid.
Investigators identified a systematic attack pattern:
- Infiltration: Hackers gained access through exposed FortiGate devices, often exploiting weak credentials or unpatched vulnerabilities.
- Sabotage: They corrupted controller firmware, erased system files, and deployed custom wiper malware known as “DynoWiper” and “LazyWiper.”
- Isolation: By destroying Remote Terminal Units (RTUs), they cut off communication with the Distribution System Operator (DSO), effectively blinding centralized oversight.
This combination of digital and physical disruption severely limited operators’ ability to monitor and manage affected assets.
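As an added example (not part of the original report), a defender-side correlation over constructed log lines that models the Infiltration and Isolation stages above: an administrative login on an exposed perimeter device from an address outside the operator's management ranges, preceded by failed attempts, followed shortly by loss of RTU heartbeats at the same site. The log format, hostnames, addresses and device-to-site mapping are constructed for this example and are not real FortiGate or DSO SCADA log syntax.

```python
# Added example, not from the article; log format, hosts, addresses and site map are constructed.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: the operator's management ranges (any other source is external) and the
# site fronted by each perimeter device (RTU names carry the same site token).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE_OF = {"fw-wind-01": "WF01", "fw-pv-07": "PV07"}

# Constructed sample events: timestamp|device|event|key=value ...
SAMPLE_LOG = """\
2025-12-29T03:10:05|fw-wind-01|admin_login_failed|user=admin src=203.0.113.45
2025-12-29T03:10:09|fw-wind-01|admin_login_failed|user=admin src=203.0.113.45
2025-12-29T03:10:14|fw-wind-01|admin_login_ok|user=admin src=203.0.113.45
2025-12-29T03:41:30|scada-dso|rtu_heartbeat_lost|rtu=RTU-WF01-SUB1
2025-12-29T03:41:32|scada-dso|rtu_heartbeat_lost|rtu=RTU-WF01-SUB2
2025-12-29T03:41:35|scada-dso|rtu_heartbeat_lost|rtu=RTU-WF01-SUB3
2025-12-29T09:00:00|fw-pv-07|admin_login_ok|user=ops src=10.20.0.5
2025-12-29T15:12:00|scada-dso|rtu_heartbeat_lost|rtu=RTU-PV07-SUB1
"""

def parse(log_text):
    """Turn each line into a dict with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in log_text.splitlines():
        ts, device, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "event": event, **fields})
    return events

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_rtu_blackouts(events, window=timedelta(hours=2), min_rtus=3):
    """Alert when an external admin login on a perimeter device is followed within `window`
    by heartbeat loss from >= min_rtus RTUs at that site; count prior failed logins too."""
    alerts = []
    for login in (e for e in events if e["event"] == "admin_login_ok"):
        if not is_external(login["src"]):
            continue  # internal operator access is not the pattern we are after
        site = SITE_OF.get(login["device"])
        failed = sum(1 for e in events if e["event"] == "admin_login_failed"
                     and e["src"] == login["src"] and e["ts"] < login["ts"])
        lost = {e["rtu"] for e in events if e["event"] == "rtu_heartbeat_lost"
                and e["rtu"].split("-")[1] == site
                and login["ts"] <= e["ts"] <= login["ts"] + window}
        if len(lost) >= min_rtus:
            alerts.append({"device": login["device"], "src": login["src"],
                           "failed_logins_before": failed, "rtus_lost": sorted(lost)})
    return alerts
```

On the constructed sample this raises one alert for fw-wind-01 (two failed logins, then three RTUs lost within half an hour) and ignores the internal login on fw-pv-07.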
The CHP Plant and Wiper Malware
The CHP plant was subjected to a more covert and prolonged intrusion. Attackers reportedly spent several months inside the network, stealing sensitive operational data and compromising privileged user accounts.
Their ultimate objective was to deploy wiper malware, designed to delete large volumes of data and cripple internal systems, thereby sabotaging heat production during winter.
The attack was narrowly averted when Endpoint Detection and Response (EDR) software detected and blocked the malicious payload before it could spread. Officials noted that a successful deployment could have triggered a major humanitarian and public safety crisis. On the same day, a private manufacturing company was also struck by similar malware, suggesting opportunistic targeting.
Attribution and Strategic Implications
Technical analysis of compromised servers, malware signatures, and network traffic has linked the operation to a threat cluster known by multiple names, including “Static Tundra,” “Berserk Bear,” “Ghost Blizzard,” and “Dragonfly.” Some intelligence assessments also point to a subgroup known as “ELECTRUM,” which reportedly overlaps with the Russia-linked Sandworm network.
Historically, this cluster has focused primarily on intelligence gathering within the energy sector. This incident represents the first publicly documented case of the group shifting decisively from espionage to large-scale sabotage.
Cybersecurity experts warn that the attack highlights structural vulnerabilities within modern renewable energy systems. As countries expand green infrastructure, distributed energy resources (DERs) are creating broader and more fragmented attack surfaces. Many facilities still rely on legacy OT equipment that lacks robust security features.
Regulators and operators are now being urged to strengthen network segmentation, improve firmware verification, and enhance real-time monitoring. Without rapid upgrades, analysts caution, renewable grids may remain highly exposed in an era where cyber warfare increasingly targets physical systems.