CERT Polska, the Polish computer emergency response team, said that coordinated cyber attacks struck more than 30 wind and photovoltaic farms, a private manufacturing company, and a large combined heat and power (CHP) plant supplying heat to almost half a million customers.
The incident occurred on 29 December 2025. CERT Polska attributed the attacks to a threat cluster named Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex, and is assessed to be linked to the Center 16 unit of Russia's Federal Security Service (FSB).
According to CERT Polska, the attacks were executed with a destructive objective. Renewable-energy facilities experienced disrupted communications with the distribution system operator, but electricity production was not halted. The attackers reportedly gained access to substation networks for reconnaissance and disruptive activities, including damaging firmware and deploying DynoWiper on Mikronika HMI devices. In the CHP incident, long-term data theft dated back to March 2025.
The manufacturing-sector target is believed to have been opportunistic, with initial access via a Fortinet perimeter device, and the grid-targeting activity likely involved a vulnerability in an exposed FortiGate device.