POLAND’S energy sector came under sustained cyber sabotage in late 2025, with CERT Polska detailing coordinated attacks on renewable facilities, a large CHP plant and a manufacturing company linked to the sector. The operation marks a shift from espionage to destructive activity, as attackers aimed to “turn the lights off” rather than merely exfiltrate data.
One notable incident targeted the OT of a renewable facility, where attackers gained control of the Grid Control Point and deployed compromised Moxa NPort devices, changing passwords to lock out operators and deploying corrupted firmware that bricked equipment. The investigation identified two new destruction-focused malware strains, DynoWiper and LazyWiper, with DynoWiper described as deleting files from Mikronika RTU controllers.
The attacks spread beyond solar to a large CHP plant, using remote services and valid accounts to pivot into OT segments and cause disruption through loss of control and loss of view for operators. Attribution points to a threat actor known variously as Static Tundra, Berserk Bear, Ghost Blizzard or Dragonfly, according to CERT Polska’s analysis of infrastructure and malware used.