March 24, 2026

Default ICS Credentials Exploited in Destructive Attack on Polish Energy Facilities

The article says the December 2025 attack on Polish energy facilities was damaging not because the attackers used a sophisticated new exploit, but because they were able to get in through very basic weaknesses. According to Poland’s CERT, the attackers first entered through internet-exposed Fortinet FortiGate devices that were still using default credentials and had no multi-factor authentication. From there, they moved into roughly 30 sites, including combined heat-and-power plants and renewable dispatch centers, and reached industrial control systems tied to communications, control, safety, and stability monitoring. Some ICS devices were permanently damaged, but the attack did not cause a power outage.

The report says the attackers then abused more default passwords and weak settings across several ICS products from Hitachi Energy, Mikronika, and Moxa. In different cases, they uploaded malicious firmware, changed configurations, deployed wipers on Windows HMI systems, and reset serial device servers so legitimate operators could no longer use them. SecurityWeek’s main takeaway is that this incident shows how industrial environments can still be seriously disrupted by attackers exploiting poor cyber hygiene, not necessarily zero-days: default accounts left enabled, outdated firmware, disabled security features, and exposed management interfaces created the opening. The attribution remains somewhat mixed in the reporting, but the event is widely treated as a Russia-linked destructive operation.

Source: https://www.securityweek.com/default-ics-credentials-exploited-in-destructive-attack-on-polish-energy-facilities/
