Executive Summary
On December 29, 2025, coordinated cyberattacks targeted over 30 wind and photovoltaic farms, a manufacturing company, and a large combined heat and power plant in Poland. The attacks, attributed to the Russian state-sponsored group Static Tundra (also tracked as Berserk Bear or Dragonfly), aimed to disrupt energy infrastructure by deploying wiper malware designed to destroy data and disable systems. The attacks caused communication disruptions but did not interrupt energy production or heat supply to consumers. (cert.pl) The wiper has been reported under the name DynoWiper, and the separate analysis cited in the Sources below links it to Sandworm rather than Static Tundra; the two attributions are not reconciled in the cited reporting, so treat the group attribution as provisional.
This incident underscores the escalating threat of nation-state cyberattacks on critical infrastructure, highlighting the need for enhanced cybersecurity measures and international cooperation to protect essential services from sophisticated adversaries.
Why This Matters Now
The recent cyberattacks on Poland's energy infrastructure highlight the increasing sophistication and frequency of nation-state cyber threats targeting critical infrastructure. This incident serves as a stark reminder for organizations worldwide to bolster their cybersecurity defenses and remain vigilant against evolving cyber adversaries.
Attack Path Analysis
Attackers exploited vulnerabilities in FortiGate appliances to gain initial access, then:
- escalated privileges by harvesting credentials from on-premises environments;
- moved laterally across networks to reach critical systems;
- established command and control channels over anonymizing infrastructure;
- exfiltrated sensitive data relating to OT networks and SCADA systems; and
- deployed wiper malware to disrupt operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in FortiGate appliances to gain initial access to the networks of targeted organizations.
Related CVEs
CVE-2018-13379
CVSS 9.8. A path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. The files reachable this way include the SSL VPN session file, which holds plaintext credentials of logged-in users, so a successful request typically yields working VPN logins rather than mere file disclosure.
Affected Products:
Fortinet FortiOS – 5.6.3 to 5.6.7, 6.0.0 to 6.0.4
Exploit Status:
Exploited in the wild; listed in CISA's Known Exploited Vulnerabilities catalog. Fixed in FortiOS 5.6.8, 6.0.5 and 6.2.0 (Fortinet advisory FG-IR-18-384). Because the session file may already have been read before the upgrade, patching alone does not revoke harvested credentials: rotate SSL VPN user credentials and review VPN authentication logs after upgrading.
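The following is an added detection example, not code from the original page or from CERT Polska. It scans constructed access-log lines (combined log format; the sample lines are made up for this example) for traversal attempts against the FortiOS SSL VPN portal, decoding percent-encoding repeatedly so that double-encoded variants are caught, and marks an HTTP 200 with a non-empty body as a likely successful read that warrants credential rotation. The request shape it looks for (`/remote/fgt_lang?lang=/../...`) is the publicly documented CVE-2018-13379 pattern; the field names in the returned alert dictionaries are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined access-log format (not real telemetry
# from the affected operators). Line 1 carries the publicly documented traversal
# pattern against the FortiOS SSL VPN web portal (CVE-2018-13379), line 2 the same
# request URL-encoded; the remaining lines are ordinary portal and static traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2025:03:14:02 +0100] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096
203.0.113.7 - - [29/Dec/2025:03:14:05 +0100] "GET /remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2f%2f%2f%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 4096
198.51.100.12 - - [29/Dec/2025:03:15:10 +0100] "GET /remote/login?lang=en HTTP/1.1" 200 1532
198.51.100.12 - - [29/Dec/2025:03:15:11 +0100] "POST /remote/logincheck HTTP/1.1" 200 512
192.0.2.44 - - [29/Dec/2025:03:16:00 +0100] "GET /static/css/main.css HTTP/1.1" 200 8801
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A ".." segment followed by a slash or end of string, not part of "..."
TRAVERSAL_RE = re.compile(r'(?<!\.)\.\.(?:/|$)')


def normalize_target(raw):
    """Percent-decode up to three times (defeats double encoding) and unify slashes."""
    target = raw
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace('\\', '/')


def classify_request(raw_target):
    """Return (normalized_target, findings) for one request target."""
    target = normalize_target(raw_target)
    path, _, query = target.partition('?')
    findings = []
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        findings.append('path_traversal')
        # Traversal through the lang parameter of the SSL VPN portal is the
        # known CVE-2018-13379 shape; the session file is the usual target.
        if path.startswith('/remote/fgt_lang'):
            findings.append('cve-2018-13379_pattern')
        if 'sslvpn_websession' in query:
            findings.append('sslvpn_session_file_requested')
    return target, findings


def scan_log(text):
    """Parse access-log lines and return one alert per traversal attempt."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target, findings = classify_request(m['target'])
        if not findings:
            continue
        alerts.append({
            'src': m['src'],
            'ts': m['ts'],
            'target': target,
            'findings': findings,
            # A 200 with a non-empty body on this request is consistent with a
            # successful file read, which is the trigger for credential rotation.
            'likely_success': m['status'] == '200' and m['size'] not in ('-', '0'),
        })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the real appliance's HTTP or reverse-proxy logs in the same format; any `likely_success` hit should be treated as a credential compromise of every user who had an SSL VPN session at the time, not only as a blocked probe.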
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Valid Accounts (T1078)
Exploitation of Remote Services (T1210)
Data Destruction (T1485)
Inhibit System Recovery (T1490)
Disable or Modify Tools (T1562.001)
Web Protocols (T1071.001)
Network Service Discovery (T1046)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
DORA – ICT Risk Management Framework
Control ID: Article 6
PCI DSS 4.0 – Identify Users and Authenticate Access to System Components
Control ID: Requirement 8
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Nation-state attacks targeting wind/solar farms expose critical vulnerabilities in renewable energy infrastructure, requiring enhanced SCADA system security and zero-trust segmentation.
Utilities
Combined heat and power plant targeting demonstrates utility sector's exposure to destructive cyber campaigns, necessitating encrypted traffic monitoring and egress security controls.
Industrial Automation
HMI computer compromise and controller firmware damage highlight industrial automation's susceptibility to wiper malware, demanding threat detection and anomaly response capabilities.
Computer/Network Security
FortiGate device exploitation reveals perimeter security weaknesses against advanced persistent threats, emphasizing need for multicloud visibility and inline intrusion prevention systems.
Sources
- CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms. https://thehackernews.com/2026/01/poland-attributes-december-cyber.html
- Energy Sector Incident Report - 29 December 2025 | CERT Polska. https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/
- New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector. https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because it could have constrained the attacker's ability to escalate privileges, move laterally, establish command and control channels, and exfiltrate data, reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: CNSF would not prevent the initial exploitation of an edge appliance, but it could limit how far that foothold can be turned into privilege escalation or lateral movement.
Control: Zero Trust Segmentation
Mitigation: Enforcing strict access controls and minimizing trust relationships between segments could limit the attacker's ability to escalate privileges.
Control: East-West Traffic Security
Mitigation: Monitoring and controlling internal traffic flows could restrict lateral movement toward critical systems.
Control: Multicloud Visibility & Control
Mitigation: Comprehensive monitoring of network traffic could detect and constrain command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Controlling and monitoring outbound traffic could limit data exfiltration.
CNSF would not prevent the deployment of wiper malware, but segmentation and traffic control could limit its spread and impact within the network.
Impact at a Glance
Affected Business Functions
- Energy Distribution
- Industrial Control Systems
- Manufacturing Operations
Estimated downtime: N/A
Estimated loss: N/A
Data at risk: Sensitive operational information related to industrial control systems and energy distribution networks.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network, with a default-deny policy between IT, VPN, HMI and OT/SCADA zones.
- Enforce Multi-Factor Authentication (MFA) on all remote access points so that harvested passwords alone do not grant access.
- Deploy Intrusion Prevention Systems (IPS) to detect and block exploitation attempts against known vulnerabilities on perimeter devices.
- Establish comprehensive monitoring and anomaly detection, including egress allow-listing and outbound volume baselines, to identify unauthorized access and data exfiltration.
- Regularly update and patch all systems, especially perimeter devices; for FortiOS SSL VPN, upgrade past the affected branches and rotate user credentials afterwards, since a session file read before patching remains valid.
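The following is an added example, not code from the original page or from any vendor, showing how the first and fourth recommendations above can be expressed as an evaluable policy: a default-deny east-west allow list between zones plus a per-zone egress allow list, applied to flow records. The zone layout, addresses, allowed ports, egress destination and the flow records are all constructed for this example and do not describe any affected operator's network.

```python
import ipaddress
from collections import namedtuple

# Assumed zone layout, constructed for this example; it is not the network of
# any affected operator. Addresses are RFC 1918 and documentation ranges.
ZONES = {
    'vpn-dmz':  ipaddress.ip_network('10.20.0.0/24'),   # SSL VPN appliance side
    'it-corp':  ipaddress.ip_network('10.10.0.0/16'),
    'hmi':      ipaddress.ip_network('10.31.0.0/24'),   # operator workstations
    'ot-scada': ipaddress.ip_network('10.30.0.0/16'),   # controllers and RTUs
}

# East-west allow list as (src_zone, dst_zone, dst_port); anything else is denied.
ALLOW = {
    ('vpn-dmz', 'it-corp', 443),     # remote users reach IT services only
    ('it-corp', 'hmi', 3389),        # engineering RDP to HMI hosts
    ('hmi', 'ot-scada', 502),        # Modbus/TCP from HMI to controllers
    ('hmi', 'ot-scada', 20000),      # DNP3 from HMI to RTUs
}

# Egress allow list per zone; zones absent here have no internet egress at all.
EGRESS_ALLOW = {
    'it-corp': {('203.0.113.50', 443)},  # assumed patch/update server
}

EXFIL_BYTES = 10 * 1024 * 1024  # denied egress carrying >= 10 MiB gets an extra flag

Flow = namedtuple('Flow', 'src dst dport bytes_out')


def zone_of(ip):
    """Map an address to its zone name, or 'internet' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return 'internet'


def evaluate(flow):
    """Return (verdict, src_zone, dst_zone, reasons) for one flow record."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    reasons = []
    if dz == 'internet':
        if (flow.dst, flow.dport) in EGRESS_ALLOW.get(sz, set()):
            return 'allow', sz, dz, reasons
        reasons.append(f'egress from {sz} to unapproved {flow.dst}:{flow.dport}')
        if flow.bytes_out >= EXFIL_BYTES:
            reasons.append('outbound volume consistent with exfiltration')
        return 'deny', sz, dz, reasons
    if (sz, dz, flow.dport) in ALLOW:
        return 'allow', sz, dz, reasons
    reasons.append(f'east-west {sz} -> {dz}:{flow.dport} not in allow list')
    return 'deny', sz, dz, reasons


# Constructed flow records modelled on the kill chain described above: a VPN
# foothold, an attempt to reach SCADA directly from the VPN zone, SMB from IT
# into OT, and bulk outbound traffic from an HMI host.
SAMPLE_FLOWS = [
    Flow('10.20.0.5',  '10.10.1.20',   443,   12_000),
    Flow('10.20.0.5',  '10.30.4.1',    502,   1_200),
    Flow('10.10.1.20', '10.31.0.10',   3389,  900_000),
    Flow('10.10.1.20', '10.30.4.1',    445,   64_000),
    Flow('10.31.0.10', '10.30.4.1',    502,   4_000),
    Flow('10.31.0.10', '198.51.100.9', 443,   52_000_000),
    Flow('10.10.1.20', '203.0.113.50', 443,   3_000),
    Flow('10.10.1.20', '198.51.100.9', 443,   2_000),
]


def evaluate_all(flows=SAMPLE_FLOWS):
    return [evaluate(f) for f in flows]


if __name__ == '__main__':
    for f, (verdict, sz, dz, reasons) in zip(SAMPLE_FLOWS, evaluate_all()):
        print(f'{verdict:5} {sz:8} -> {dz:8} {f.dst}:{f.dport}  {"; ".join(reasons)}')
```

The point of the structure is that the allow list is the whole policy: a VPN user reaching a controller, or SMB from the corporate zone into OT, is denied without any signature for the attack, and an HMI host talking to the internet is denied regardless of volume, with the volume only raising the severity of an already-blocked flow.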

