According to CERT Polska, Poland's national CERT, the attack on the country's energy facilities began as early as March 2025: reconnaissance, unauthorised data access and credential harvesting were detected through July, and the disruptive actions were carried out on December 29.
The assault targeted around 30 sites, including combined heat and power (CHP) plants and wind and solar dispatch centres. The attackers gained access to ICS devices largely through Fortinet FortiGate appliances that were exposed to the internet, were still using default credentials and did not have multi-factor authentication enabled.
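As an added check (example code written for this page, not from CERT Polska, Fortinet or any vendor named above), the following Python script audits a FortiOS configuration export for the two conditions just described: management services allowed on a WAN-facing interface, and administrator accounts with no two-factor authentication and no trusted-host restriction. The two configuration exports are constructed for the example; the section and key names (`config system interface`, `allowaccess`, `role`, `config system admin`, `two-factor`, `trusthost1`) are standard FortiOS CLI syntax, and the script assumes, as FortiOS does, that default values are omitted from the export. A default password cannot be detected from the export itself, since only the hashed `ENC` value is stored, so that part of the finding has to be verified by other means.

```python
import shlex

# Constructed FortiOS exports for this example (not from any real device).
# WEAK_CONFIG shows the pattern described above: management services allowed on a
# WAN-role interface and an admin account with neither two-factor nor trusthost.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set password ENC SH2example==
    next
end
"""

# HARDENED_CONFIG: the WAN interface answers ping only; the admin has 2FA and a
# trusthost. The nested `config ipv6` block exercises the parser's nesting logic.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000002"
        set password ENC SH2example==
    next
end
"""

# allowaccess values that expose a management login (fgfm/fabric deliberately omitted).
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


def parse_fortios(text):
    """Parse FortiOS CLI syntax into {section: {entry: {key: [values]}}}.
    Nested `config ... end` blocks inside an entry are skipped (the checks below
    only need top-level `set` lines). A missing key means the FortiOS default."""
    sections, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if nested:  # inside a nested block: track depth until its matching end
            nested += line.startswith("config ") - (line == "end")
        elif line.startswith("config "):
            if section is None:
                section = line[7:]
                sections.setdefault(section, {})
            else:
                nested = 1
        elif line.startswith("edit ") and section is not None:
            entry = shlex.split(line)[1]
            sections[section].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            parts = shlex.split(line)
            sections[section][entry][parts[1]] = parts[2:]
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections


def exposed_wan_management(cfg):
    """WAN-role interfaces that allow any management protocol."""
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        services = sorted(set(attrs.get("allowaccess", [])) & MGMT_SERVICES)
        if attrs.get("role") == ["wan"] and services:
            findings.append((name, services))
    return findings


def weak_admins(cfg):
    """Admins with two-factor disabled (the default when absent) or no trusthost.
    A default or weak password is not detectable here: only the ENC hash is exported."""
    findings = []
    for name, attrs in cfg.get("system admin", {}).items():
        problems = []
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            problems.append("no two-factor")
        if not any(key.startswith("trusthost") for key in attrs):
            problems.append("no trusthost")
        if problems:
            findings.append((name, problems))
    return findings


def audit(text):
    """`critical` is the combination seen in the Polish incident: internet-facing
    management plus an admin account without MFA."""
    cfg = parse_fortios(text)
    exposed, weak = exposed_wan_management(cfg), weak_admins(cfg)
    return {"exposed_interfaces": exposed, "weak_admins": weak,
            "critical": bool(exposed and weak)}
```

Running `audit(WEAK_CONFIG)` reports `wan1` exposing HTTPS and SSH and the `admin` account lacking both controls, and flags the combination as critical; `audit(HARDENED_CONFIG)` returns no findings. Feed it the output of `show full-configuration` from a real appliance (after removing nothing but the password hashes, if you wish) to get the same verdict for your own estate.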
Hitachi Energy, Moxa and Mikronika were identified as the ICS vendors whose products were targeted, with Hitachi Energy's RTU560 remote terminal units and Relion protection devices among those affected. In some cases a default FTP account had not been disabled and default credentials were still in place, which allowed malicious firmware updates to be loaded onto the devices; a risk related to CVE-2024-2617 was also cited.
The attackers also deployed wipers on the Windows machines hosting the Mikronika HMIs, and targeted Moxa NPort serial device servers by exploiting exposed web interfaces and default credentials to reset the devices and change their passwords. Attribution has varied: ESET named Sandworm, Dragos pointed to the related group it tracks as Electrum, while CERT Polska links the incident to the threat actor tracked variously as Static Tundra, Berserk Bear, Ghost Blizzard and Dragonfly.