In late December 2025, a significant coordinated cyber attack targeted multiple critical infrastructure entities across Poland, including more than thirty wind and solar farms, a private manufacturing firm, and a large combined heat and power plant (CHP) serving nearly half a million residents. The attack was attributed to a group known as Static Tundra, which is associated with Russia’s Federal Security Service (FSB). This group is also recognized under various names such as Berserk Bear, Energetic Bear, and Dragonfly, among others.
The attacks, which occurred on December 29, were intended to be purely destructive. Despite disrupting the communication between renewable energy farms and the distribution system operators, the attacks did not halt electricity production. Similarly, efforts to disrupt the heat supply from the CHP plant were ineffective.
The intruders gained access to power substations tied to renewable energy facilities, allowing them to conduct reconnaissance and disruptive activities. This included damaging controller firmware, deleting system files, and deploying destructive malware known as DynoWiper, which was identified by the cybersecurity firm ESET.
In the case of the CHP plant, the attackers had also been stealing data since March 2025. This data theft supported further infiltration of the network, although the attempt to deploy the wiper malware there was unsuccessful. In the manufacturing company, the attack likely exploited vulnerabilities in perimeter defense devices, specifically unpatched Fortinet systems.
Various iterations of DynoWiper have been identified, installed primarily on Mikronika HMI computers and on network shares within the CHP plant via compromised FortiGate devices. The attackers capitalized on poorly secured infrastructure, taking advantage of accounts without two-factor authentication. Connections were made through Tor nodes and a variety of compromised IP addresses.
The functionality of the wiper malware is relatively straightforward: it initializes a pseudorandom number generator, enumerates files, corrupts them, and then deletes them. Notably, the malware has no persistence mechanism and no technique for evading security products.
Another malware variant, LazyWiper, was employed against a manufacturing sector company. This PowerShell-based wiper overwrites files with pseudorandom sequences, rendering them irrecoverable. It is suspected to have been developed with the assistance of a large language model.
The malware attacks on renewable energy facilities were directly executed on HMI machines. In contrast, infections within the CHP and the manufacturing company involved domain-wide distribution via PowerShell scripts on domain controllers.
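The behaviour described above (enumerate files, overwrite them, delete them, with no persistence or evasion) is noisy from a telemetry standpoint, and that is the defender's opportunity. The following is an added detection example, not code from the article or from ESET's analysis: it scans a constructed, simplified file-event log (timestamp, host, process, action, path) and flags any single process that writes to many files across several directories and then deletes those same files shortly afterwards. The event format, host names, process paths, and thresholds are all assumptions for the example; real endpoint telemetry such as Sysmon or EDR file events would need its own parser.

```python
"""Heuristic detector for wiper-style file activity (added example).

Flags a process that, on one host, writes to many files in several
directories and deletes those same files within a short window, which is
the write-then-delete pattern a simple wiper produces. Event format and
sample events are constructed for this example, not real telemetry.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry: "timestamp|host|process|action|path".
# hmi-01 shows a write-then-delete sweep from one process;
# hmi-02 shows ordinary activity that must not be flagged.
SAMPLE_EVENTS = """\
2025-12-29T02:10:01|hmi-01|C:\\Windows\\Temp\\upd.exe|WRITE|C:\\scada\\cfg\\a.dat
2025-12-29T02:10:01|hmi-01|C:\\Windows\\Temp\\upd.exe|WRITE|C:\\scada\\cfg\\b.dat
2025-12-29T02:10:02|hmi-01|C:\\Windows\\Temp\\upd.exe|WRITE|C:\\scada\\hist\\c.log
2025-12-29T02:10:02|hmi-01|C:\\Windows\\Temp\\upd.exe|WRITE|C:\\scada\\hist\\d.log
2025-12-29T02:10:03|hmi-01|C:\\Windows\\Temp\\upd.exe|WRITE|D:\\shares\\proj\\e.xlsx
2025-12-29T02:10:03|hmi-01|C:\\Windows\\Temp\\upd.exe|DELETE|C:\\scada\\cfg\\a.dat
2025-12-29T02:10:03|hmi-01|C:\\Windows\\Temp\\upd.exe|DELETE|C:\\scada\\cfg\\b.dat
2025-12-29T02:10:04|hmi-01|C:\\Windows\\Temp\\upd.exe|DELETE|C:\\scada\\hist\\c.log
2025-12-29T02:10:04|hmi-01|C:\\Windows\\Temp\\upd.exe|DELETE|C:\\scada\\hist\\d.log
2025-12-29T02:10:04|hmi-01|C:\\Windows\\Temp\\upd.exe|DELETE|D:\\shares\\proj\\e.xlsx
2025-12-29T02:11:00|hmi-02|C:\\Program Files\\HMI\\hmi.exe|WRITE|C:\\scada\\hist\\run.log
2025-12-29T02:11:30|hmi-02|C:\\Program Files\\HMI\\hmi.exe|WRITE|C:\\scada\\hist\\run.log
2025-12-29T02:12:00|hmi-02|C:\\Windows\\explorer.exe|DELETE|C:\\Users\\op\\Desktop\\old.txt
"""


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str  # WRITE or DELETE
    path: str


def parse_events(text: str) -> list[FileEvent]:
    """Parse the constructed pipe-separated format into FileEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, action, path = line.split("|", 4)
        events.append(FileEvent(datetime.fromisoformat(ts), host, proc, action, path))
    return events


def detect_wiper_activity(events, window=timedelta(seconds=60),
                          min_files=5, min_dirs=2):
    """Return one alert per (host, process) whose write-then-delete sweep
    covers at least min_files files in at least min_dirs directories,
    with each delete landing within `window` of the earlier write."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e.host, e.process)].append(e)

    alerts = []
    for (host, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        first_write = {}   # path -> time of first write by this process
        wiped = set()      # paths written and then deleted within the window
        for e in evs:
            if e.action == "WRITE":
                first_write.setdefault(e.path, e.ts)
            elif (e.action == "DELETE" and e.path in first_write
                  and e.ts - first_write[e.path] <= window):
                wiped.add(e.path)
        # ntpath handles Windows-style paths regardless of the analysis host.
        dirs = {ntpath.dirname(p) for p in wiped}
        if len(wiped) >= min_files and len(dirs) >= min_dirs:
            alerts.append({"host": host, "process": proc,
                           "files": len(wiped), "directories": len(dirs),
                           "paths": sorted(wiped)})
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_activity(parse_events(SAMPLE_EVENTS)):
        print(f"[WIPER-LIKE] {alert['host']} {alert['process']}: "
              f"{alert['files']} files in {alert['directories']} directories")
```

The thresholds are deliberately conservative so that a log rotator or an HMI rewriting its own history file does not trip the rule; tune `min_files`, `min_dirs` and `window` against a baseline of the site's normal file churn, and treat a hit on an HMI or a domain controller as a high-priority event given the direct-on-HMI execution and domain-wide PowerShell distribution described above.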
Furthermore, similarities in code between DynoWiper and other malware designed by the Sandworm group have been identified, although no conclusive evidence points to Sandworm’s direct involvement.
Notably, the adversaries attempted to penetrate cloud services using stolen credentials from the on-premises environments. They sought access to Microsoft 365 services, targeting critical technical information related to operational technology network modernization and SCADA systems within the organizations.
These findings underscore the persistent threat posed by state-sponsored cyber groups and the need for robust cybersecurity measures in safeguarding critical infrastructure.