ir – PwnDefend

Cyber Attack on Poland’s Electric System 2025

This week there’s been a lot of activity on reporting on a compromise which occurred in 2025 in Poland.

I’m neck deep inside some project work so I don’t have time to pour over this but I did spent a few minutes prompting GROK.

“On December 29, 2025, Poland experienced a coordinated and destructive cyber attack targeting its electric grid, specifically focusing on distributed energy resources (DERs) such as more than 30 wind farms, solar (photovoltaic) installations, and one major combined heat and power (CHP) plant that supplies heat to nearly half a million residents. The assault, which occurred amid harsh winter weather including low temperatures and snowstorms, exploited vulnerabilities like exposed FortiGate firewalls/VPNs lacking multi-factor authentication, default or weak credentials on devices (e.g., Hitachi RTUs, Mikronika controllers), and poor network segmentation. Attackers gained access to operational technology (OT) systems, deploying wiper malware (including variants like DynoWiper and LazyWiper), overwriting disks, deleting files, resetting configurations, and uploading corrupted firmware to “brick” certain hardware—resulting in permanent field-level impairment and complete loss of remote monitoring and control at affected sites. Despite these actions, no power outages or heat supply disruptions occurred, thanks to the grid’s coal-heavy inertia, resilient generation continuity, and partial mitigations such as endpoint detection and response (EDR) blocking wipers in the CHP environment.

Defense

Suspected Fortinet Zero Day Exploited in the Wild

This weeks been an interesting one, I’ve been doing quite a bit of research recently with my friend Simo from Defused defusedcyber.com. Simo has built a new emulated honeypot platform, and anyone that know’s me knows I love honeypots, deception and intel sharing to help defenders and to impose cost on the baddies! (technical terms here ok!)

Guides

Suspected Zero Day – What to do if you…

What do you do if someone says, there might be a zero day being used against your make/model of internet facing device (such as a VPN server)?

There’s always a challenge subject to the level of intelligence available about the specific scenario, the device and the way they function and the telemetry/capabilities you have.

Education

Business Email Compromise Check List

As part of my Cyber SOC GitHub repo I’ve put together lots of resources to try and help people with some common cyber security tasks, applicable to CISOs through to SOC analysts.

I also want to highlight one of the most common incident types if you are an Office 365 customer is a business email compromise scenario, so I’ve put together a high level view of the steps you might want to take after a BEC event is discovered:

Defence

Business Email Compromise: Impact Assessment

If you are are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC) then you know that one of the tasks outside of understanding how the compromise has occurred, what configurations have been tampered with, removing devices and resetting usernames/passwords (and tokens/MFA) etc. is to start to understand the data breach impact.

If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!

Threat Intel

An evolution of threat actor

Motivation and a diverse network of people and capabilities can go a long way, then add in digital skills and winning steak… and you have: scattered spider!

There’s a big difference between zero day spraying the internet and planting webshells or copying someone’s open S3 bucket and say…. doxing staff, their families and attacking them and their assets in the real and digital worlds.

I think people won’t broadly grasp the effects that can be achieved (harm) when the adversary is motivated, dedicated, capable, resourced and has very little moral qualms.

There is no magic bullet to defend against an adversary like this, you need a whole of organisation defence (and to pursue even more than that!).

Defense

Minimum Data Requirements for Investigating Email Mailbox Compromise

When a suspected email mailbox compromise is reported, initiating an investigation promptly is critical. However, to ensure the investigation is effective, certain minimum intelligence requirements must be met. This blog outlines the bare minimum data needed to start investigating a suspected email mailbox compromise, whether the intelligence comes from an internal team or a third-party source.

Hacking

Mobile Device Malware Analysis

Mobile devices present interesting challenges when it comes to:

Incident Response
Malware Analysis
Digital Forensics

Defence

Planning to defend and respond to cyber threats

Everyone has a plan until they are cyber punched in the face! Or something like that!

People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.

Let’s be real here, you really don’t. But what you do need is a few things:

Authorisation
Time
Some ideas for cyber incidents to plan for

Defense

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)