They Didn't Cut the Power. They Cut the Visibility.
On December 29, 2025, a coordinated cyberattack hit Poland’s energy sector. Over 30 sites were compromised simultaneously: wind farms, solar dispatch centers, a combined heat and power plant serving nearly half a million people, and a manufacturing facility. The attackers didn’t cut the power. They took away the operators’ ability to see and control their own infrastructure.
How They Got In
The entry point was specific. Attackers exploited exposed FortiGate devices, a VPN and firewall product widely deployed at energy sites to manage remote network access. Many were running outdated firmware with known, publicly documented vulnerabilities that had never been patched. Most had no multi-factor authentication enabled, meaning a single compromised credential was enough to open the door.
But weak passwords were only half the problem. Without MFA on OT-adjacent devices, any credential compromise becomes a direct path into the operational environment. The question isn’t just whether your passwords are strong. It’s whether a single stolen credential gives an attacker a direct path into the operational environment.
Once inside one site, credential reuse opened the rest. Operators were using the same usernames and passwords across multiple facilities. The same credentials that worked at one substation worked at the next. This is how a breach at a single device became simultaneous access across more than 30 sites.
This is not a Poland-specific failure. Distributed energy infrastructure is built on equipment designed for connectivity first and security as an afterthought. Thousands of devices across hundreds of sites, many internet-reachable, many unpatched, most running credentials that any attacker with a product manual can guess. For European operators, this sits squarely within the scope of NIS2 and the EU Cyber Resilience Act. For US operators, CISA’s Binding Operational Directive 26-02 flags outdated edge devices as a critical risk. Poland is what that risk looks like in practice.
What the Attackers Actually Did
After gaining access, the attackers used Active Directory and Group Policy, standard network management tools, to push their malware automatically to every connected machine. One command triggered simultaneous destructive actions across more than 30 sites. The scale was a function of how the tools worked, not how many people were behind the operation.
The malware had two components.
- DynoWiper, analyzed by ESET, overwrites files with random data, making recovery impossible. It has no command-and-control, no persistence, and no concealment. It exists for one purpose: permanent destruction.
- The second tool, LazyWiper, is a PowerShell script that partially overwrites files to render them unusable. Researchers noted it appears to have been partially written using AI tools.
The industrial devices targeted were Hitachi remote terminal units, Mikronika controllers, Moxa serial communication devices, and protection relays. RTU firmware corruption is not a temporary outage. It requires physical replacement. Protection relays, which guard equipment against electrical faults independently of any software layer, were also disabled.
What CERT Polska’s investigation also revealed is that December 29 was not the beginning. It was the detonation. The attackers had spent significant time inside the CHP plant environment beforehand, mapping infrastructure, acquiring privileged accounts, and collecting operational data. The visible attack was the end of a patient campaign. That changes the question operators need to ask: not only ‘how do we block intrusions?’ but ‘how would we know if someone were already inside our OT environment, moving slowly?’
Why This Applies to Your Network
At the combined heat and power plant, EDR software detected and blocked the wiper. That worked because the attackers had to traverse a corporate IT environment where endpoint agents could run. At the wind and solar farms, there was no such layer. The attackers went directly from edge device to RTU, with nothing in between. Most OT devices cannot run endpoint agents. That is not a deployment gap. It is an architectural one. The Poland attack made that exposure concrete.
CERT Polska is direct on one additional point: OT devices without firmware verification can be permanently damaged during an intrusion. If your incident response plan does not account for field devices that are physically destroyed, not temporarily offline but unrecoverable, it is not prepared for this class of attack.
Three Actions to Take Now
- Patch and harden internet-facing devices, and enforce MFA. The FortiGate devices used as entry points in Poland had known, unpatched vulnerabilities. Apply updates, enable multi-factor authentication, and disable remote access services not actively in use. Require this from integrators and OT suppliers as a condition of deployment, not a recommendation.
- Eliminate credential reuse across sites. Unique credentials per site, enforced by policy and verified in practice, close the path that turned one compromised device into thirty compromised sites. The same logic that governs user account hygiene applies here. Shared credentials across OT sites are a single point of failure at scale.
- Enforce access at the operational layer, not just the IT perimeter. The Hitachi RTUs, Mikronika controllers, and Moxa serial devices destroyed in Poland were reachable and unmonitored. The control layer needs its own enforcement: device identity validation, behavioral monitoring, and the ability to isolate a compromised device before it reaches critical equipment. OneLayer operates at this layer, connecting device identity to access policy before a single packet reaches the network.
The Adversary Is Already Inside
The attack was attributed by CERT Polska to Berserk Bear, operating within Russia’s Federal Security Service. ESET’s analysis pointed to Sandworm, Russian military intelligence. Attribution is contested, but the type of adversary is not. Nation-state actors operate on strategic timelines. OT access is a long-game asset, cultivated over time and activated when geopolitically useful.
Operators who model their threat as opportunistic cybercrime are preparing for the wrong attack. The adversary in Poland was inside weeks before anyone looked. That timeline is the real lesson.
Stopping an adversary who is already inside means containing what they can reach, not only blocking how they got in. That is what proper segmentation does: it turns a single compromised device into a dead end instead of a doorway to the next thirty sites. For OneLayer’s take on getting segmentation right, read The Right Path to Private Cellular Segmentation.