After major Poland energy grid cyberattack, CISA issues warning to U.S. audience

A recent attempt at a destructive cyberattack on Poland’s power grid has prompted the Cybersecurity and Infrastructure Security Agency to publish a warning for U.S. critical infrastructure owners and operators. Tuesday’s alert follows a Jan. 30 report from Poland’s Computer Emergency Response Team which concluded the December attack overlapped significantly with infrastructure used by a Russian government-linked hacking group, and that it targeted 30 wind and photovoltaic farms, among others. CISA said the attack highlighted the threats to operational technology (OT) and industrial control systems (ICS). The malicious activity involved gaining initial access through vulnerable internet-facing edge devices, subsequently deploying wiper malware and causing damage to remote terminal units (RTUs). The attack caused a loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware. While energy production continued, operators lost the ability to control or monitor the systems. Poland’s analysis linked the attack to the Russian-linked group known as Static Tundra (also Berserk Bear, Ghost Blizzard, or Dragonfly). Cybersecurity firm Dragos noted this is the first major attack targeting distributed energy resources (DERs), such as smaller wind and solar facilities.