
CERT Polska details cyberattacks on Polish manufacturer, energy sites; fails to disrupt power and heat supply - Industrial Cyber
industrialcyber.co • Monday, February 2, 2026 • Poland
A new report from CERT Polska highlighted that although the attacks on renewable energy farms disrupted communication between these facilities and distribution network operators, they had no impact on current electricity production. Similarly, the attack on the combined heat and power (CHP) plant failed to achieve the attacker’s intended effect of interrupting the heat supply to end users.

On December 29, 2025, coordinated attacks took place in Polish cyberspace during the morning and afternoon hours. They targeted at least 30 wind and photovoltaic farms, a private manufacturing company, and a large combined heat and power plant supplying heat to nearly half a million customers in Poland. All attacks were aimed solely at destruction. The wiper malware used was identical to that deployed in the attack on the CHP plant. CERT Polska added that the attacks targeted power substations – the main collection points, which act as nodes transmitting energy from wind and photovoltaic sources to the distribution grid.

Analysis reveals significant overlap with the infrastructure used by the activity cluster publicly known as ‘Static Tundra’, ‘Berserk Bear’, ‘Ghost Blizzard’, and ‘Dragonfly’. Publicly available descriptions of this cluster indicate a significant interest in the energy sector and an ability to attack industrial equipment. Dragos described the incident as the first major cyberattack to directly target distributed energy resources. While no power outages occurred, adversaries gained access to OT systems with control capabilities.