According to CERT Polska, cyberattacks on 29 December 2025 hit more than 30 wind and solar farms, a manufacturing company, and a major combined heat and power plant supplying nearly 500,000 people, with the aim of causing disruption during severe winter weather. The incidents affected both IT and OT systems and disrupted communications, but did not interrupt electricity generation or heat supply. They mark a rare escalation in the energy sector.
Attackers gained entry via exposed FortiGate devices used for VPN and firewall functions, sometimes without multi-factor authentication, and deployed two wiper tools, DynoWiper and LazyWiper, to destroy data across networks. They damaged firmware and disabled protection relays while moving laterally through compromised infrastructure, including Hitachi RTUs, Mikronika controllers, and Moxa devices, ultimately cutting remote control access to the grid operator.
CERT Polska linked the operation to the threat cluster known as Static Tundra, with overlaps to activity described by Cisco and the FBI, though attribution remains contested and some firms have suggested involvement by Sandworm.