January 31, 2026

CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

CERT Polska (Poland’s national incident response team) said a coordinated set of destructive cyberattacks on December 29, 2025 hit 30+ wind and solar farms, a manufacturing company, and a combined heat-and-power (CHP) plant that supplies heat to nearly half a million customers. CERT Polska attributed the activity to a Russia-linked cluster it calls Static Tundra (also known under several other names) and stressed the goal was disruption rather than espionage—although some reporting from other security firms has linked the event to a different Russian group. Despite disrupted communications at some renewable sites, CERT said electricity generation and heat supply were not interrupted.

The report outlines multiple intrusion paths and wiping tools. In the energy cases, attackers got into internal networks tied to substations and operator environments, then attempted to break operations by damaging controller firmware, deleting files, and deploying a wiper (including variants of “DynoWiper”); CERT says the wiper attempt at the CHP ultimately failed, but the same CHP intrusion included long-term data theft going back to March 2025. For the manufacturing firm (and likely one grid-connection point), initial access appears tied to exploitation of vulnerable Fortinet FortiGate perimeter devices, followed by a PowerShell-based wiper (“LazyWiper”) that overwrote files to make recovery difficult. CERT also noted the attackers tried to reuse stolen on-prem credentials to access Microsoft 365 data (Exchange/Teams/SharePoint), focusing on material related to OT modernization and SCADA work—a hint that the destructive actions may have been paired with selective collection.

Source: https://thehackernews.com/2026/01/poland-attributes-december-cyber.html?m=1
