Threat Intel

This week there has been a lot of reporting on a compromise which occurred in Poland in 2025.

I’m neck deep inside some project work so I don’t have time to pore over this, but I did spend a few minutes prompting GROK.

“On December 29, 2025, Poland experienced a coordinated and destructive cyber attack targeting its electric grid, specifically focusing on distributed energy resources (DERs) such as more than 30 wind farms, solar (photovoltaic) installations, and one major combined heat and power (CHP) plant that supplies heat to nearly half a million residents. The assault, which occurred amid harsh winter weather including low temperatures and snowstorms, exploited vulnerabilities like exposed FortiGate firewalls/VPNs lacking multi-factor authentication, default or weak credentials on devices (e.g., Hitachi RTUs, Mikronika controllers), and poor network segmentation. Attackers gained access to operational technology (OT) systems, deploying wiper malware (including variants like DynoWiper and LazyWiper), overwriting disks, deleting files, resetting configurations, and uploading corrupted firmware to “brick” certain hardware—resulting in permanent field-level impairment and complete loss of remote monitoring and control at affected sites. Despite these actions, no power outages or heat supply disruptions occurred, thanks to the grid’s coal-heavy inertia, resilient generation continuity, and partial mitigations such as endpoint detection and response (EDR) blocking wipers in the CHP environment.

The incident represents the first major large-scale cyber operation against decentralized DER assets in a modern grid, highlighting an evolving threat landscape where adversaries opportunistically target internet-exposed edge infrastructure rather than centralized control systems. Attribution differs slightly across sources: Dragos assesses with moderate confidence that the Russian state-linked group ELECTRUM (overlapping with Sandworm/APT44, known from the 2015–2016 Ukraine grid attacks) was responsible, while CERT Polska attributes the infrastructure and activity to the “Static Tundra” cluster (also tracked as Berserk Bear, Dragonfly, or Energetic Bear, linked to Russia’s FSB Center 16). The attack underscores systemic weaknesses in OT security for distributed renewables—such as default credentials, inadequate logging, and insecure remote access—and serves as a stark warning of potential future escalations that could combine with physical stressors to cause widespread disruption if defenses remain unhardened.”

GROK Analysis

I used grok to analyse the Dragos and CERT reports and to come up with an analysis; as always, take with a pinch of salt (when using a roboto).

Cyber Attack on Poland’s Electric System

29 December 2025 – Coordinated Destructive Campaign

Report Generated: 31 January 2026 | Sources: Dragos & CERT Polska

⚠️ Incident Overview

On 29 December 2025, a coordinated destructive cyber attack targeted more than 30 distributed energy resource sites in Poland — mainly wind farms and solar (photovoltaic) installations, one large combined heat and power (CHP) plant heating nearly 500,000 residents, and an opportunistic strike on a private manufacturing company.

The attackers exploited exposed FortiGate firewalls/VPNs without MFA, default/weak credentials on OT devices, and lack of segmentation to wipe data, corrupt configurations, overwrite disks, deploy wipers (DynoWiper, LazyWiper), and upload malformed firmware to brick hardware — causing permanent loss of remote visibility and control at many sites.

No power outages or heat disruptions occurred — thanks to coal-based grid inertia and partial EDR blocking in the CHP environment — but the incident marks a significant escalation against decentralized, internet-exposed edge assets in modern power systems.

🛤️ Attack Kill Chain

1. Reconnaissance & Research

Mapped common configurations, exposed FortiGate devices, default credentials, and site similarities. CHP-specific prep from March–July 2025 included credential theft (LSASS/NTDS.dit), domain recon, and Diamond Ticket attacks.

2. Initial Access

Compromised internet-facing FortiGate SSL-VPNs via missing MFA, default/weak/reused credentials, Tor proxies, and stolen configuration files.

3. Exploitation & Compromise

Gained control of Hitachi RTU 560, Mikronika controllers, Relion 650 IEDs, Moxa NPort serial servers, and Windows-based HMIs / domain controllers.

4. Lateral Movement & Scaling

Automated IP-ascending targeting + shared configs enabled simultaneous multi-site compromise. In CHP: used Active Directory / GPOs to spread wipers (partially blocked by EDR).

5. Discovery & Preparation

Limited OT logging obscured full visibility; attackers located firmware update paths, disk locations, and weak services for targeted destruction.

6. Actions on Objectives – Destruction

  • Data wiping: disk overwrites (dd), file deletion on Mikronika root, DynoWiper / LazyWiper deployment via GPOs (blocked in CHP)
  • Configuration corruption: factory resets (FortiGate, Moxa), IP/password changes, firewall rule modifications
  • Bricking / permanent impairment: corrupted firmware upload to Hitachi RTUs causing reboot loops and field-irreparable damage

Result: lasting loss of remote monitoring & control — no kinetic effects on generation achieved.

🔓 Key Weaknesses

  • Internet-exposed FortiGate VPNs without MFA
  • Default / hardcoded / reused credentials across sites
  • No effective network segmentation (IT ↔ OT)
  • Inadequate logging & monitoring of OT protocols
  • Unsigned / insecure firmware update mechanisms
  • Unnecessary services enabled (FTP, Telnet, etc.)
  • Limited preparedness for multi-site destructive attacks

🛡️ Recommended Preventive Controls

Secure Remote Access

  • Enforce MFA on all VPN / remote points
  • Time-bound & audited sessions
  • Restrict to trusted source IPs

Defensible Architecture

  • Strong OT/IT segmentation (DMZs, firewalls)
  • Apply zero-trust principles
  • Isolate edge / DER devices

Visibility & Monitoring

  • Enable OT protocol logging (IEC 104, DNP3…)
  • SIEM + EDR integration
  • Build anomaly detection rules
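Three of the behaviours in the kill chain above (SSL-VPN logons without MFA, logons via Tor proxies, and the automated IP-ascending sweep across sites) can be turned into simple detection rules. The code below is an added example, not from the Dragos or CERT Polska reports or from any vendor: the FortiGate-style key=value log lines are constructed, the field names, the MFA enrolment list and the Tor-exit list are assumptions, and the source addresses come from documentation ranges.

```python
"""Detection rules over a constructed FortiGate-style log sample (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on FortiGate VPN event and traffic records.
# Field names and values are assumptions, not real telemetry. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; port 2404 is IEC 104.
SAMPLE_LOGS = """\
date=2025-12-29 time=01:02:11 type=event subtype=vpn action=tunnel-up user=eng.ops remip=203.0.113.7
date=2025-12-29 time=01:05:00 type=event subtype=vpn action=tunnel-up user=admin.site01 remip=198.51.100.20
date=2025-12-29 time=01:06:05 type=traffic srcip=10.200.1.5 dstip=10.50.1.10 dstport=2404 action=accept
date=2025-12-29 time=01:06:09 type=traffic srcip=10.200.1.5 dstip=10.50.2.10 dstport=2404 action=accept
date=2025-12-29 time=01:06:14 type=traffic srcip=10.200.1.5 dstip=10.50.3.10 dstport=2404 action=accept
date=2025-12-29 time=01:06:20 type=traffic srcip=10.200.1.5 dstip=10.50.4.10 dstport=2404 action=accept
date=2025-12-29 time=01:06:25 type=traffic srcip=10.200.1.5 dstip=10.50.5.10 dstport=2404 action=accept
date=2025-12-29 time=09:30:00 type=traffic srcip=10.200.1.9 dstip=10.50.2.10 dstport=2404 action=accept
date=2025-12-29 time=09:31:00 type=traffic srcip=10.200.1.9 dstip=10.50.1.10 dstport=2404 action=accept
"""

MFA_ENROLLED = {"admin.site01"}   # assumption: accounts known to have a second factor
TOR_EXITS = {"203.0.113.7"}       # constructed stand-in for a Tor exit-node feed

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one key=value log line into a dict."""
    return dict(KV.findall(line))


def load_sample():
    return [parse(l) for l in SAMPLE_LOGS.splitlines() if l.strip()]


def timestamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def vpn_findings(records):
    """Rules 1 and 2: successful VPN logons by accounts without MFA, or from Tor exits."""
    out = []
    for r in records:
        if r.get("subtype") != "vpn" or r.get("action") != "tunnel-up":
            continue
        user, src = r.get("user"), r.get("remip")
        if user not in MFA_ENROLLED:
            out.append(("VPN-NO-MFA", user, src))
        if src in TOR_EXITS:
            out.append(("VPN-TOR-EXIT", user, src))
    return out


def ascending_sweeps(records, min_targets=4, window=timedelta(minutes=10)):
    """Rule 3: a source that reaches >= min_targets distinct destinations in strictly
    ascending IP order inside `window` (the automated, IP-ascending sweep pattern).
    Returns {srcip: length of the longest ascending run}."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("type") == "traffic" and "dstip" in r:
            by_src[r["srcip"]].append((timestamp(r), ipaddress.ip_address(r["dstip"])))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        run, longest = [], 0
        for ts, dst in events:
            # extend the run only if the destination is higher and the run is still inside the window
            if run and dst > run[-1][1] and ts - run[0][0] <= window:
                run.append((ts, dst))
            else:
                run = [(ts, dst)]
            longest = max(longest, len(run))
        if longest >= min_targets:
            hits[src] = longest
    return hits


def run_detections(records=None):
    records = load_sample() if records is None else records
    return {"vpn": vpn_findings(records), "sweeps": ascending_sweeps(records)}


if __name__ == "__main__":
    for kind, found in run_detections().items():
        print(kind, found)
```

On the sample, the two VPN rules fire for the `eng.ops` logon and the sweep rule fires for 10.200.1.5 (five sites in ascending order within twenty seconds) but not for 10.200.1.9, whose second connection goes to a lower address. In a real deployment the MFA and Tor lists would be fed from the identity provider and a published exit-node feed rather than hard-coded.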

Vulnerability & Config Mgmt

  • Regular patching & firmware verification
  • Eliminate defaults & disable unused services
  • Centralized credential & config auditing

🔑 Known Default Credentials & Hardening Guidance

Device: FortiGate Firewall/VPN
  • Description: Edge firewall & SSL-VPN gateway
  • Default credentials: admin / blank
  • Hardening actions: Strong unique password + MFA; restrict admin IPs; patch regularly

Device: Hitachi RTU 560
  • Description: Substation RTU for grid control
  • Default credentials: Default / Default
  • Hardening actions: Change immediately; brute-force lockout; segment network

Device: Mikronika Controller
  • Description: Linux-based bay controller
  • Default credentials: root / simple or blank
  • Hardening actions: Disable root or change; use SSH keys; disable FTP

Device: Hitachi Relion 650 IED
  • Description: Protection & control IED
  • Default credentials: Old (pre-2.2.4): PIN 8282 (fixed); New: changeable (reverts to 8282 on reset)
  • Hardening actions: Change PIN/password on deploy/reset; central auth; firmware signature check; use latest version

Device: Mikronika HMI + Syndis
  • Description: Windows 10 HMI/SCADA interface
  • Default credentials: Local admin defaults (often ‘admin’ or weak)
  • Hardening actions: Strong local passwords; deploy EDR; disable shares; isolate from IT

Device: Moxa NPort
  • Description: Serial-to-Ethernet converter
  • Default credentials: admin / moxa
  • Hardening actions: Change password; disable Telnet; use HTTPS/SSH; update firmware

Device: Windows Domain Controller (OT)
  • Description: AD for OT authentication
  • Default credentials: ‘Administrator’ often weak/blank initially
  • Hardening actions: Strong GPO policies; separate OT domain; MFA; restrict logon rights

Analysis based on public Dragos and CERT Polska reports • For defensive & educational purposes only • Harden distributed OT assets immediately
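The default-credential table and the Key Weaknesses list above can be checked mechanically against a device inventory. The code below is an added example, not tooling from Dragos, CERT Polska or any vendor: it encodes the table’s defaults and hardening actions as audit rules and runs them over a constructed inventory export. The inventory fields (`user`, `secret`, `services`, `internet_exposed`, `mfa`, `signed_fw`), the weak-password list and every device entry are assumptions.

```python
"""Configuration audit of an OT device inventory (added example)."""
from collections import Counter, defaultdict

# Vendor defaults per device class, taken from the table above. The windows_hmi
# entry is empty because the table only says its local admin is "often weak",
# so that class is covered by the weak-password check instead.
KNOWN_DEFAULTS = {
    "fortigate": {("admin", "")},
    "hitachi_rtu560": {("Default", "Default")},
    "mikronika_controller": {("root", "")},
    "relion_650": {("pin", "8282")},          # fixed on old firmware, reverts to it on reset
    "moxa_nport": {("admin", "moxa")},
    "windows_dc": {("Administrator", "")},
    "windows_hmi": set(),
}
WEAK_SECRETS = {"admin", "password", "123456", "admin123", "root"}  # constructed short list
RISKY_SERVICES = {"telnet", "ftp"}  # the table says to disable these; cleartext, unneeded
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Constructed inventory: two sites (a wind farm WF01 and a PV site PV07). Made up.
INVENTORY = [
    {"id": "WF01-FGT", "site": "WF01", "model": "fortigate", "user": "admin", "secret": "",
     "services": ["https", "ssl-vpn"], "internet_exposed": True, "mfa": False, "signed_fw": True},
    {"id": "WF01-RTU", "site": "WF01", "model": "hitachi_rtu560", "user": "Default", "secret": "Default",
     "services": ["iec104", "ftp"], "internet_exposed": False, "mfa": False, "signed_fw": False},
    {"id": "WF01-NPORT", "site": "WF01", "model": "moxa_nport", "user": "admin", "secret": "moxa",
     "services": ["telnet", "http"], "internet_exposed": False, "mfa": False, "signed_fw": False},
    {"id": "PV07-FGT", "site": "PV07", "model": "fortigate", "user": "admin", "secret": "Tq7!vN2#pLw9",
     "services": ["https", "ssl-vpn"], "internet_exposed": True, "mfa": True, "signed_fw": True},
    {"id": "PV07-RELION", "site": "PV07", "model": "relion_650", "user": "pin", "secret": "8282",
     "services": ["iec61850"], "internet_exposed": False, "mfa": False, "signed_fw": True},
    {"id": "PV07-CTRL", "site": "PV07", "model": "mikronika_controller", "user": "root", "secret": "Tq7!vN2#pLw9",
     "services": ["ssh"], "internet_exposed": False, "mfa": False, "signed_fw": False},
    {"id": "PV07-HMI", "site": "PV07", "model": "windows_hmi", "user": "admin", "secret": "admin123",
     "services": ["smb", "rdp"], "internet_exposed": False, "mfa": False, "signed_fw": True},
]


def audit(inventory):
    """Return a list of findings {device, severity, check, detail}, most severe first."""
    findings = []

    def add(dev, sev, check, detail):
        findings.append({"device": dev["id"], "severity": sev, "check": check, "detail": detail})

    # Which devices share a secret: the reports call out credentials reused across sites.
    holders = defaultdict(list)
    for dev in inventory:
        if dev["secret"]:
            holders[dev["secret"]].append(dev["id"])

    for dev in inventory:
        cred = (dev["user"], dev["secret"])
        if cred in KNOWN_DEFAULTS.get(dev["model"], set()):
            add(dev, "CRITICAL", "default-credential", f"{dev['user']!r} still uses the vendor default")
        elif dev["secret"] in WEAK_SECRETS or len(dev["secret"]) < 8:
            add(dev, "HIGH", "weak-credential", "password is short or on the weak list")
        if len(holders.get(dev["secret"], [])) > 1:
            others = [d for d in holders[dev["secret"]] if d != dev["id"]]
            add(dev, "HIGH", "credential-reuse", "same secret as " + ", ".join(others))
        if dev["internet_exposed"] and not dev["mfa"]:
            add(dev, "CRITICAL", "exposed-without-mfa", "internet-facing access with no MFA")
        for svc in sorted(set(dev["services"]) & RISKY_SERVICES):
            add(dev, "MEDIUM", "cleartext-service", f"{svc} enabled")
        if not dev["signed_fw"]:
            add(dev, "MEDIUM", "unsigned-firmware", "no firmware signature verification before update")

    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["device"], f["check"]))
    return findings


def summary(findings):
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = audit(INVENTORY)
    print(summary(results))
    for f in results:
        print(f"{f['severity']:<8} {f['device']:<12} {f['check']:<22} {f['detail']}")
```

Against the constructed inventory the audit reports five CRITICAL findings (four vendor defaults, including the Relion PIN, plus the wind-farm FortiGate exposed without MFA), three HIGH (one weak HMI password and the secret shared between the PV site firewall and bay controller) and five MEDIUM (Telnet/FTP left enabled and devices with no firmware signature check). The default-credential rule is deliberately checked before the weak-password rule so a device is not reported twice for the same secret.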

Questions

  • How vulnerable are we in the UK to this type of incident?
  • Have default creds even been changed? And if not, why not?
  • Why is the status quo of a weak cyber security posture seemingly ‘ok’ to society?

NCSC Guidance

https://www.ncsc.gov.uk/collection/operational-technology/secure-connectivity

https://www.ncsc.gov.uk/collection/operational-technology

https://www.ncsc.gov.uk/blog-post/understanding-ot-environment-1step-stronger-cyber-security

Summary

Ok so I used an LLM, look life is busy 😀 but I think the key point here is understanding how vulnerable we may or may not be… (every country needs to do this). There’s loads of lessons in what not to do… but still we see time and time again incidents which remind us: most orgs’ cyber postures are really not that great! Perhaps it’s time to really change that!

References

https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf?hsCtaAttrib=205962111494

https://www.gov.pl/web/primeminister/poland-stops-cyberattacks-on-energy-infrastructure

https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025