A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team.
The new
report underscores the difficulty of securing critical infrastructure systems, which frequently rely on outdated devices that are difficult to update. In the Polish energy grid attack, credential and configuration errors compounded the vulnerabilities.
CERT Polska attributed the campaign to
Static Tundra, a group linked to Russia’s Federal Security Service (FSB) Center 16 unit, but a Dragos
report on one of the Polish energy grid incidents attributed the activity to the ELECTRUM subgroup of
Sandworm, a threat group linked to the GRU, Russia's military intelligence service, that was implicated in destructive attacks on the Ukraine power grid a decade ago.
The Polish report notes that the DynoWiper
malware used in the latest attacks “contains certain similarities to wiper-type tools3 associated with the activity cluster publicly known as ‘Sandworm’ and ‘SeashellBlizzard,’” but the report adds, “Despite identifying commonalities in behavioral characteristics and overall architecture, the level of similarity is too low to attribute DynoWiper to previously used wiper families.”
The attackers’ activities began between March and May 2025, months before the December 29 attack.
Polish Energy Grid Attack Could Have Been Worse
The CERT Polska report said the December attack “resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation” or impact the stability of the Polish power system.
“It should be noted, however, that given the level of access obtained by the attacker, there was a
risk of causing a disruption in electricity generation at the affected facilities,” the report said. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.”
Dragos noted that in its
incident response case, the attackers “gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” an attack the company called “very alarming.”
“This is the first major
cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” Dragos said. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less
cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.”
“An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it,” Dragos added. “It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.”
Credential and Configuration Mistakes Exploited in Polish Energy Grid Attack
In the Polish energy grid attack, the attackers exploited a long list of outdated and misconfigured devices and default and static credentials that weren’t secured with MFA.
The Polish report noted that in each affected facility, a FortiGate device served as both a VPN concentrator and a
firewall. “In every case, the
VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication,” the report said.
The report noted that it’s a common practice in the industry to reuse the same accounts and passwords across multiple facilities. “In such a scenario, the compromise of even a single account could have enabled the
threat actor to identify and access other devices where the same credentials were used,” CERT Polska said.
The networks of the targeted facilities often contained segregated VLAN subnets, but as the attackers had administrative privileges on the device, “These privileges were likely used to obtain credentials for a VPN account with access to all subnets,” the report said. “Even if no such account had existed, the attacker, having administrator-level access, could have modified the device configuration to enable equivalent access.”
In one incident, the attacker gained access to the SSL‑VPN portal service of a FortiGate device located at the organization’s network perimeter by using “multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled.”
After gaining access, the attackers used bookmarks defined in the configuration file to access jump hosts via RDP, the report said. Analysis of a FortiGate device configuration file indicated that some users had statically configured target user credentials, which enabled connections to the jump host from the SSL‑VPN portal without the need for additional local or domain user credentials.
The attacker also made configuration changes that included a new rule that allowed connections using any protocol and IP address to a specified device and disabling network traffic logging. Using the Fortinet scripting mechanism, the attacker also created scripts for further credential exfiltration and to modify
security settings, which were executed weekly.
The report also detailed numerous out-of-date or misconfigured operational technology (OT) devices, many with default credentials, such as Hitachi and Mikronika controllers, and secure update features that weren’t enabled. In the case of Hitachi Relion 650 v1.1 IEDs, the default FTP account hadn’t been disabled in accordance with the manufacturer’s recommendations.
In cases where an HMI used unique credentials for the local administrator account, “unsuccessful password‑breaking attempts were observed. In those cases, the HMI was not damaged.”
The attackers also pivoted to cloud services, the report said.
Login
