CERT Polska – Coordinated Cyber Attacks on Energy Infrastructure

On December 29, 2025, CERT Polska reported a coordinated cyber campaign targeting more than 30 wind and solar farms, a manufacturing company, and a combined heat and power (CHP) plant supplying nearly 500,000 customers.

Attribution

  • Threat Actor: Static Tundra (linked to Russia’s FSB Center 16).
  • Also tracked as: Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (Bromine), Havex.
  • Alternative attribution: ESET & Dragos assess with moderate confidence that Sandworm may be involved.

Attack Objectives & Impact

  • Purely destructive intent – disrupting communications and attempting to wipe systems.
  • Renewable farms: Communication disrupted but electricity production unaffected.
  • CHP plant: Attempted heat supply disruption failed; attackers engaged in long-term data theft since March 2025.
  • Manufacturing company: Opportunistic attack via vulnerable Fortinet perimeter device.
  • Grid connection point: Likely exploited FortiGate appliance.

Malware Used

  • DynoWiper (ESET):
    • At least 4 variants discovered.
    • Deployed on Mikronika HMI computers and CHP network shares.
    • Functionality:
      • Seed pseudorandom number generator (Mersenne Twister).
      • Enumerate files → corrupt with PRNG.
      • Delete files.
    • No persistence, C2, or stealth features.
  • LazyWiper (PowerShell-based):
    • Overwrites files with pseudorandom 32-byte sequences.
    • Suspected to have been developed with LLM assistance.
    • Distributed via Active Directory domain controller scripts.

Attack Chain

  1. Initial Access: Exploiting IIS vulnerabilities, Fortinet devices, or weak perimeter settings.
  2. Reconnaissance: Internal network mapping of substations.
  3. Persistence: Hidden accounts (admin$, fallback mysql$).
  4. Tool Deployment:
    • Sharp4RemoveLog – clears event logs.
    • CnCrypt Protect – hides malicious files.
    • OpenArk64 – terminates security processes.
    • GotoHTTP – remote server control.
  5. Wiper Execution: DynoWiper or LazyWiper deployed.
  6. Cloud Access Attempts: Using stolen on-prem credentials to access M365 services (Exchange, Teams, SharePoint).

Targeted Data

  • OT network modernization projects.
  • SCADA systems.
  • Technical work documentation.
  • Email communications tied to infrastructure upgrades.

Defensive Recommendations

  • Patch Fortinet devices and enforce multi-factor authentication.
  • Audit hidden accounts (admin$, mysql$).
  • Monitor PowerShell activity and domain controller scripts.
  • Segment OT networks from IT/cloud environments.
  • Threat hunting: Look for wiper indicators (PRNG corruption, pseudorandom overwrites).
  • Cloud security: Monitor M365 access attempts from unusual IPs (Tor nodes, foreign addresses).
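As an added illustration of the threat-hunting item above (this is example code written for this summary, not tooling from CERT Polska, ESET or Dragos), the script below implements the "pseudorandom overwrite" indicator: a document or configuration file whose bytes are near-uniformly distributed (Shannon entropy approaching 8 bits per byte) and whose header no longer matches what its extension promises is a candidate wiper victim. The extension-to-magic table, the entropy threshold and the sample files it builds in a temporary directory are all constructed assumptions for the demo; in a real hunt you would point `hunt()` at network shares and HMI hosts and tune the table to the file types actually in use.

```python
"""Entropy-based hunt for files overwritten with pseudorandom data.

Added example (not CERT Polska's, ESET's or Dragos's tooling). Uses only the
Python standard library. Sample files are constructed in a temporary
directory so the script runs offline.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose legitimate content is normally low-entropy text or carries a
# recognisable header. Constructed list for the example; tune per environment.
EXPECTED_MAGIC = {
    ".txt": None,        # plain text, no magic; judged on entropy alone
    ".csv": None,
    ".xml": b"<?xml",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0
SAMPLE_BYTES = 64 * 1024  # read at most this much from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_file(path: Path) -> dict:
    """Return findings for one file: entropy, header mismatch and a suspicious flag."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(head)
    magic = EXPECTED_MAGIC.get(path.suffix.lower())
    magic_mismatch = magic is not None and not head.startswith(magic)
    # Compressed formats such as .docx are high-entropy by design, so for types
    # with a known header the header check must also fail before we flag them;
    # plain-text types are judged on entropy alone.
    if magic is None:
        suspicious = ent >= ENTROPY_THRESHOLD
    else:
        suspicious = magic_mismatch and ent >= ENTROPY_THRESHOLD
    return {"path": str(path), "entropy": round(ent, 3),
            "magic_mismatch": magic_mismatch, "suspicious": suspicious}


def hunt(root: Path) -> list[dict]:
    """Walk a directory tree and return findings for every file with a watched extension."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXPECTED_MAGIC:
            findings.append(inspect_file(p))
    return findings


def suspicious_names(root: Path) -> list[str]:
    """Sorted base names of files the hunt flagged as suspicious."""
    return sorted(Path(f["path"]).name for f in hunt(root) if f["suspicious"])


def build_sample_tree() -> Path:
    """Construct a demo directory: intact files plus files filled with random bytes."""
    root = Path(tempfile.mkdtemp(prefix="wiperhunt_"))
    (root / "schedule.csv").write_text("site,mw\nfarm01,12.5\nfarm02,9.8\n" * 50)
    (root / "config.xml").write_text('<?xml version="1.0"?><hmi><tag>1</tag></hmi>')
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"stream ... endstream\n" * 100)
    # Constructed "victim" files: contents are uniformly random bytes
    (root / "notes.txt").write_bytes(os.urandom(4096))
    (root / "upgrade.pdf").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for finding in hunt(demo):
        print(finding)
    print("suspicious:", suspicious_names(demo))
```

Entropy alone produces false positives on encrypted or compressed formats, which is why the header check gates the decision for types that have one; a sudden jump in the number of flagged files on a share, or flagged files whose modification times cluster in a short window, is the signal worth escalating rather than any single hit.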

Takeaway

This campaign highlights the growing convergence of destructive wiper malware with energy infrastructure targeting. While production was not halted, the attacks show intent to disrupt critical services and exfiltrate sensitive OT/SCADA data. The use of LLM-assisted wipers (LazyWiper) and multi-variant DynoWiper demonstrates adversaries’ evolving sophistication.
