Poland experienced a significant cybersecurity incident on December 29, 2025, when over 30 wind and solar farms, along with a major combined heat and power plant and a manufacturing facility, were targeted by coordinated cyberattacks. This sophisticated assault, aimed at disrupting critical energy infrastructure during severe winter weather, marks a concerning new phase in cyber threats against European energy security.
The attacks predominantly focused on damaging industrial automation devices within power substations, which serve as crucial connection points between renewable energy sources and the national distribution network. This strategic targeting of operational technology (OT) systems, including remote terminal units, human-machine interfaces, protection relays, and network infrastructure, underscores the destructive intent of the actors involved.
Wiper Malware Deployment and Infection Mechanism
Evidence gathered by Cert.pl analysts indicates a strong connection between the attack infrastructure and known sophisticated threat groups, including those previously identified by major cybersecurity firms as “Static Tundra,” “Berserk Bear,” “Ghost Blizzard,” and “Dragonfly.” These groups have historically shown a focus on the energy sector and possess advanced capabilities in compromising industrial control systems.
The operation deployed identical wiper malware across multiple targets: custom-built destructive software designed to destroy data irreversibly once the attackers had gained privileged access through prolonged infiltration. This points to meticulous planning and preparation, with the attackers maintaining a covert presence inside the target environments for weeks before executing their final payload.
The attackers prepared partially automated sequences that could be triggered simultaneously across sites, demonstrating a high level of coordination. Not every stage succeeded: when the wiper was deployed against the combined heat and power plant, its execution was blocked by endpoint detection and response (EDR) technology already in place. The manufacturing facility was hit in the same coordinated operation, though its specific objective reportedly differed from that of the energy-sector targets.
The cybersecurity incident has revealed a concerning tactical shift, with public analysis suggesting this is the first documented destructive operation attributed to this particular cluster of threat actors. Unlike previous attacks that may have focused on espionage or data theft, the primary objective here was infrastructure damage. The disruption of communication channels between affected farms and the distribution system operator was noted, though electricity generation itself was reported to have continued unaffected.
This incident highlights the growing vulnerability of critical infrastructure to well-resourced and determined adversaries. The ability of these actors to infiltrate industrial networks and deploy destructive malware without being detected for an extended period raises significant concerns about the resilience of current cybersecurity defenses in the energy sector. The complex nature of these coordinated cyberattacks necessitates a comprehensive and multi-layered approach to security, encompassing both IT and OT environments.
Moving forward, the focus will likely be on further attribution of the attack and strengthening the defenses of Polish and broader European energy infrastructure. Cybersecurity agencies will be scrutinizing the methods employed by the attackers to develop more robust detection and prevention strategies. The incident also underscores the need for greater collaboration and information sharing between public and private entities to mitigate such sophisticated threats to national security.