Overview
- CERT Polska detailed a coordinated December 29 attack on more than 30 wind and solar sites, a manufacturing firm, and a combined heat and power plant serving nearly 500,000 customers.
- Investigators said the operation was purely destructive and relied on wiper malware; even so, electricity generation continued and heat supply was not interrupted, because defenses blocked the attempt at the CHP plant.
- The report attributes the campaign to the FSB-linked cluster known as Static Tundra or Berserk Bear, while ESET and Dragos highlight overlaps with Sandworm, leaving attribution contested.
- Attackers gained access through accounts with static credentials and no multi-factor authentication and through vulnerable FortiGate appliances, routed their activity via Tor and previously compromised infrastructure, and deployed wipers including DynoWiper and a PowerShell-based tool dubbed LazyWiper.
- CERT Polska described disrupted monitoring and damage to some devices at the renewable facilities, noted that data theft at the CHP plant had been ongoing since March 2025, and found no evidence of command-and-control communication or persistence mechanisms in the DynoWiper variants.