Digital Arson in the Physical World: An Examination of Coordinated Cyber Sabotage Targeting Poland’s Energy and Industrial Infrastructure in December.

Khushal

Apr 4, 2024
On 29 December 2025, a series of coordinated cyber incidents took place across Poland during the morning and afternoon. The attacks targeted multiple wind and solar power installations, a privately owned manufacturing enterprise, and a combined heat and power (CHP) facility that provides heating to nearly 500,000 customers nationwide. Each incident was exclusively destructive in intent and effect; in physical terms, they are best likened to acts of intentional arson. Notably, the attacks occurred amid severe winter conditions, including low temperatures and snowstorms, in the days leading up to New Year’s Eve. Technical analysis indicates with high confidence that all of these operations were conducted by a single threat actor.
 
Your quoted passage matches the report’s own “Introduction” and is consistent with what CERT Polska publicly posted on 30 January 2026 about the 29 December 2025 incidents.

What CERT Polska says happened (high-level)
  • Targets: at least 30 wind/PV sites (via grid connection point substations), one large combined heat & power (CHP) plant (nearly ~500k heat customers), and one manufacturing company.
  • Intent: explicitly destructive (“deliberate arson” analogy).
  • Impact (as described): renewable sites lost monitoring/remote control communications with the DSO, but electricity generation continued; the CHP wiper attempt was blocked before it could cause the intended disruption.

Notable technical details (what makes this report valuable)
  • Edge access / exposure: FortiGate SSL-VPN exposure is repeatedly referenced; CERT notes authentication to configured accounts without MFA in multiple cases, and that device logs were often unrecoverable due to destructive actions (including factory resets on the day of attack).
  • OT device destruction at renewable sites:
    • Hitachi RTU560: default credentials (including a “Default” account) used to log in and upload intentionally corrupted firmware that caused reboot loops; “secure update” signature verification existed but wasn’t enabled where available, and CERT also notes a bypass CVE affecting secure update in some versions.
    • Mikronika RTUs: default credentials via SSH to a root-privileged account, followed by destructive deletion of system files.
    • Moxa devices: default web credentials used to factory reset, change passwords, and set unreachable IPs (e.g., 127.0.0.1) to delay recovery.
  • CHP intrusion chain (IT-to-OT risk context): long-term compromise behavior is described (credential dumping from LSASS, Kerberos abuse with Rubeus and a “Diamond Ticket”, dumping ntds.dit), followed by attempted wiper deployment via GPO. CERT states EDR stopped execution at runtime using canary files, halting overwrites on 100+ machines already reached.
  • Destructive tooling: CERT analyzes two wipers (“DynoWiper” as a Windows binary and “LazyWiper” as PowerShell) and provides IoCs and detection rules (including a YARA rule).
  • Attribution (carefully worded): CERT reports infrastructure overlap with the activity cluster known by multiple vendor names (Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly) and notes this is the first publicly described destructive activity they attribute to that cluster.

Defender takeaways (practical)
  • Treat Internet-exposed VPN/edge devices as critical OT safety components: enforce MFA, remove shared/static accounts, and monitor VPN logins aggressively.
  • Eliminate default credentials on OT/IIoT/field devices and require a commissioning checklist (including “no defaults”, “no unauthenticated web/SSH”, and “management only from admin VLAN/jump host”).
  • For devices that support signed firmware/secure update: enable it (and verify versions/patch levels that address known bypasses).
  • Have a wiper playbook (offline backups, rapid isolation, GPO/script auditing, and EDR “canary”/anti-ransomware controls tested ahead of time).

Key takeaway
This CERT Polska publication is a concrete, technically detailed example of coordinated destructive activity spanning both IT and OT, where basic gaps (exposed remote access, lack of MFA, default credentials) materially increased attacker leverage—even though worst-case physical/energy outcomes were not realized in this case.

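Added example, not part of Khushal's post or the CERT Polska report: a small Python triage script for the "monitor VPN logins aggressively" and "factory resets / disabled logging destroyed the evidence" points summarised above. The log lines are constructed for this example, and the key=value field names (ts, event, user, src, mfa, result, msg) are assumptions rather than any vendor's log schema; the only values taken from the post are the two indicator IPs.

```python
"""Triage constructed edge-device event logs for the patterns the post
describes: remote logins from listed indicator IPs, VPN logins that
completed without MFA, and factory-reset / logging-disabled events.
All log lines here are constructed; the field names are assumptions,
not a real vendor log format."""
import re
from collections import defaultdict


def refang(ip):
    """Turn the de-fanged form used in the post (1.2.3[.]4) into a plain address."""
    return ip.replace("[.]", ".")


# Indicator IPs as listed in the thread.
IOC_IPS = {refang(ip) for ip in ("185.200.177[.]10", "31.172.71[.]5")}

# Constructed sample lines (not real device logs).
SAMPLE_LOGS = """\
ts=2025-12-29T06:41:02Z event=vpn-login user=svc_scada src=185.200.177.10 mfa=none result=success
ts=2025-12-29T06:42:10Z event=vpn-login user=jkowalski src=10.20.3.7 mfa=totp result=success
ts=2025-12-29T06:58:33Z event=vpn-login user=admin src=31.172.71.5 mfa=none result=success
ts=2025-12-29T07:03:15Z event=config-change user=admin msg="logging disabled"
ts=2025-12-29T07:05:40Z event=factory-reset user=admin src=31.172.71.5
ts=2025-12-29T08:12:01Z event=vpn-login user=mnowak src=10.20.3.9 mfa=push result=failure
"""

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_text, ioc_ips=IOC_IPS):
    """Return a list of (severity, reason, record) findings for the log text.

    A single line can yield several findings (e.g. an IoC source address that
    also logged in without MFA). A missing mfa field is treated as no MFA,
    which is the conservative reading for a triage pass."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        src = rec.get("src")
        ev = rec.get("event")
        if src in ioc_ips:
            findings.append(("critical", "source matches IoC IP", rec))
        if (ev == "vpn-login" and rec.get("result") == "success"
                and rec.get("mfa", "none") == "none"):
            findings.append(("high", "VPN login succeeded without MFA", rec))
        if ev == "factory-reset":
            findings.append(("critical", "device factory reset (log destruction)", rec))
        if ev == "config-change" and "logging" in rec.get("msg", "").lower():
            findings.append(("high", "logging configuration changed", rec))
    return findings


def summarize(findings):
    """Count findings per reason for a quick report."""
    counts = defaultdict(int)
    for _sev, reason, _rec in findings:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, reason, rec in triage(SAMPLE_LOGS):
        print(f"[{sev}] {reason}: {rec.get('ts')} user={rec.get('user')} src={rec.get('src')}")
    print(summarize(triage(SAMPLE_LOGS)))
```

The point of running this against logs forwarded to a remote collector rather than the device itself is the one the post makes: once the appliance is factory reset, the local copy is gone, and the collector is the only place the login and config-change events still exist.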
Technical Analysis & Remediation

Attack Vector & Kill Chain
The primary intrusion vector was exposed FortiGate SSL-VPN appliances. Attackers exploited accounts lacking Multi-Factor Authentication (MFA) or leveraged known vulnerabilities (likely CVE-2024-21762 or similar legacy RCEs) to gain initial access. Once inside, they pivoted to OT networks using valid credentials reused across multiple sites.

OT Destructive Techniques (ICS/SCADA)
The attackers executed a "bricking" campaign against specific industrial devices:

Hitachi RTU560
Authenticated using the default user Default and uploaded corrupted firmware (ELF format with 240 bytes of 0xFF injected at the entry point), causing boot loops. This exploited the lack of "Secure Update" enforcement.

Moxa NPort
Factory reset via web interface, passwords changed, and IP addresses set to loopback (127.0.0.1) to complicate recovery.

Mikronika RTU
Accessed via SSH (root), followed by systemic file deletion.

Malware Profile
DynoWiper & LazyWiper

DynoWiper (Windows)
A C++ wiper deployed via GPO scheduled tasks (schtasks.exe). It uses the Mersenne Twister RNG to generate a 16-byte buffer, overwriting files (header + random offsets) before attempting a system reboot. It has no C2 or persistence capabilities—it is a "fire and forget" weapon.

LazyWiper (PowerShell)
A script-based wiper used against the manufacturing target. It overwrites files with 32-byte pseudorandom sequences.

MITRE ATT&CK Mapping

T1133 (Initial Access)

External Remote Services; specifically targeting FortiGate SSL-VPNs without MFA.

T0857 (Impact)
System Firmware; focused on corrupting Hitachi RTU560 firmware.

T1485 (Impact)
Data Destruction; utilizing DynoWiper to overwrite disk sectors.

T1021 (Lateral Movement)
Remote Services; using RDP/SSH to transition from IT to OT networks.

T1562 (Defense Evasion)
Impair Defenses; executing FortiGate factory resets to clear logs.

Indicators of Compromise (IOCs)

Traffic & Infrastructure

185.200.177[.]10 (VPN/M365 access, DynoWiper execution)

31.172.71[.]5 (Additional attacker IP)

File Hashes (SHA-256)

DynoWiper (Sample)
65099f306d27c8bcdd7ba3062c012d24

Distribution Script (dynacon_update.ps1)
8759e79cf3341406564635f3f08b2f333b0547c444735dba54ea6fce8539cf15

Remediation - ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Audit Perimeter Devices

Immediately check FortiGate logs for connections from known malicious IPs (185.200.177[.]10). Look for unusual factory-reset events or disabled logging.

OT Integrity Check
Verify firmware checksums on Hitachi RTU560, Mikronika, and Moxa devices. If a device is unreachable or looping, assume compromise.

Isolate OT
Sever the IT-OT bridge immediately. If the GCP (Grid Connection Point) is compromised, switch to manual local control if safe.

Phase 2: Eradication

Firmware Restoration

"Bricked" RTUs must be flashed via local serial/JTAG interfaces using verified "gold" firmware images.

Wiper Cleanup
Reimage any Windows host touched by dynacon_update.ps1 or Source.exe. Do not attempt file recovery; trust the backup.

Credential Reset
Force a global password reset for all Active Directory and OT device accounts.

Phase 3: Recovery

Secure the Edge

Patch FortiGate devices to the latest firmware (addressing CVE-2024-21762 et al.) and enforce MFA on all VPN users.

Enable Secure Boot
On Hitachi RTUs, enable "Secure Update" to require signed firmware, mitigating future corruption attacks.

Phase 4: Lessons Learned

Eliminate Defaults

Audit all OT assets for default credentials (e.g., user Default).

Network Segmentation
Ensure DNP3/IEC-104 traffic passes through a strictly monitored DMZ, not direct VPN-to-RTU tunnels.

Remediation - HOME USER TRACK
While this attack targeted industrial infrastructure, the "wiper" methodology applies to home networks exposed via vulnerable routers.

Safety First (Router Hygiene)
If you use a FortiGate or similar prosumer firewall at home, update the firmware immediately.

Disable "Management from WAN" (Remote Administration).

Backup Strategy
Wipers like DynoWiper make data unrecoverable. Ensure you have an offline backup (external hard drive disconnected from the PC) of your critical photos/documents.

Identity
Ensure your router password is unique and not the default printed on the sticker.

Hardening & References

CIS Benchmark

CIS Fortigate Firewall Benchmark (Section 5: Logging and Auditing - Ensure logging is enabled and sent to a remote syslog server to prevent local log wiping).

NIST SP 800-82
Guide to Industrial Control Systems (ICS) Security (Focus on Section 6.2: Authentication and Access Control).

Relevant CVEs

CVE-2024-2617

Hitachi Energy RTU500 series Secure Update Bypass.

CVE-2024-21762
FortiOS Out-of-Bound Write (SSL-VPN).

Detection Query (YARA for DynoWiper)
Code:
rule DynoWiper_CERT_PL {
    meta:
        description = "Detects DynoWiper based on CERT Polska report"
        hash = "65099f306d27c8bcdd7ba3062c012d24"
    strings:
        $s1 = "Source.exe" wide
        $s2 = "dynacon_update.ps1" ascii
    condition:
        uint16(0) == 0x5A4D and any of them
}

Sources

CERT Polska Incident Report (Official PDF)

Technical Attribution References (from CERT Report)

Cisco Talos Intelligence

IC3 (Internet Crime Complaint Center)
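Added example, not code from the post above or from CERT Polska: a Python firmware-integrity check for the "OT Integrity Check" step (verify firmware checksums) that also looks for the specific corruption pattern the post attributes to the RTU560 attack, an ELF image with 240 bytes of 0xFF written at the entry point. The script parses the ELF header and program headers to map the entry address to a file offset, so it works for ELF32/ELF64 and either byte order. The "gold" and "corrupted" images are built by the script itself for demonstration and are not vendor firmware; the function names are mine.

```python
"""Offline firmware image check: compare an image against a gold SHA-256
and test whether the bytes at the ELF entry point have been blanked out
with 0xFF (the corruption pattern described in the thread). The demo
images are constructed here and are not real RTU firmware."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1


def _elf_layout(image):
    """Return (e_entry, [(p_offset, p_vaddr, p_filesz), ...]) for an ELF32 or
    ELF64 image of either endianness. Raises ValueError on a non-ELF image."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = image[4] == 2
    end = "<" if image[5] == 1 else ">"
    if is64:
        e_entry, e_phoff = struct.unpack_from(end + "QQ", image, 24)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 54)
    else:
        e_entry, e_phoff = struct.unpack_from(end + "II", image, 24)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 42)
    segs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _fl, p_off, p_vaddr, _pa, p_filesz = struct.unpack_from(end + "IIQQQQ", image, off)
        else:
            p_type, p_off, p_vaddr, _pa, p_filesz = struct.unpack_from(end + "IIIII", image, off)
        if p_type == PT_LOAD:
            segs.append((p_off, p_vaddr, p_filesz))
    return e_entry, segs


def entry_file_offset(image):
    """Map e_entry to a file offset via the PT_LOAD segment that contains it."""
    e_entry, segs = _elf_layout(image)
    for p_off, p_vaddr, p_filesz in segs:
        if p_vaddr <= e_entry < p_vaddr + p_filesz:
            return p_off + (e_entry - p_vaddr)
    raise ValueError("entry point not inside any PT_LOAD segment")


def entry_is_blank(image, length=240, fill=0xFF):
    """True if `length` bytes at the entry point are all `fill` (default 0xFF)."""
    off = entry_file_offset(image)
    chunk = image[off:off + length]
    return len(chunk) == length and all(b == fill for b in chunk)


def verify_firmware(image, gold_sha256):
    """Return findings: SHA-256, whether it matches the gold manifest entry,
    and whether the entry point has been blanked (None if the image is not ELF)."""
    digest = hashlib.sha256(image).hexdigest()
    findings = {"sha256": digest, "matches_gold": digest == gold_sha256}
    try:
        findings["entry_blank"] = entry_is_blank(image)
    except ValueError as exc:
        findings["entry_blank"] = None
        findings["parse_error"] = str(exc)
    return findings


def build_demo_elf(code, entry_vaddr=0x10000, endian="<"):
    """Build a minimal ELF64 with one PT_LOAD segment mapping the whole file at
    entry_vaddr, entry point at the start of `code`. Demo fixture only."""
    ehdr_size, phdr_size = 64, 56
    code_off = ehdr_size + phdr_size
    e_ident = ELF_MAGIC + bytes([2, 1 if endian == "<" else 2, 1]) + b"\x00" * 9
    entry = entry_vaddr + code_off
    ehdr = e_ident + struct.pack(endian + "HHIQQQIHHHHHH", 2, 0x28, 1, entry,
                                 ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    total = code_off + len(code)
    phdr = struct.pack(endian + "IIQQQQQQ", PT_LOAD, 5, 0, entry_vaddr, entry_vaddr,
                       total, total, 0x1000)
    return ehdr + phdr + code


# Constructed gold image and its manifest hash.
GOLD_IMAGE = build_demo_elf(bytes(range(256)) * 2)
GOLD_SHA256 = hashlib.sha256(GOLD_IMAGE).hexdigest()
# Constructed corrupted variant: 240 bytes of 0xFF over the entry point.
_off = entry_file_offset(GOLD_IMAGE)
CORRUPT_IMAGE = GOLD_IMAGE[:_off] + b"\xff" * 240 + GOLD_IMAGE[_off + 240:]

if __name__ == "__main__":
    for name, img in (("gold", GOLD_IMAGE), ("corrupt", CORRUPT_IMAGE)):
        print(name, verify_firmware(img, GOLD_SHA256))
```

The hash comparison is the check that matters when a gold manifest exists; the entry-point test is a cheap second opinion for images pulled off a device after the fact, where the hash will differ anyway and the question is whether the difference looks like this particular tampering pattern.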