Threat Overview
On 29 December 2025 a coordinated wave of destructive cyber‑attacks struck the Polish energy sector, targeting over 30 wind and photovoltaic farms, a private manufacturing firm and a large combined heat and power (CHP) plant that supplies heat to nearly half a million customers. The incidents were unprecedented in their scope, affecting both information technology (IT) and operational technology (OT) systems and resulting in permanent hardware damage, system downtime and loss of critical control functions. The attacker’s objective was clearly sabotage, not espionage, and the attacks were carried out with a high degree of automation and persistence.
Attack Vectors
Every compromised site hosted a FortiGate device that served as a VPN concentrator and firewall. The VPN interfaces were exposed to the Internet and authenticated using accounts defined in the configuration without multi‑factor authentication. Attackers gained administrative privileges on the FortiGate, enabling them to modify device configuration, reset the device to factory settings and erase logs. In many cases the same usernames and passwords were reused across multiple sites, allowing a single compromise to provide access to dozens of facilities.
The internal network was VLAN‑segmented, but the attacker held full administrative control of the FortiGate and could therefore obtain VPN credentials that granted access to all subnets. Even without such an account, the attacker could simply have modified the FortiGate configuration to grant equivalent access. The factory reset performed on the day of the attack was a deliberate attempt to impede recovery and erase footprints.
Destructive Activities on OT Devices
Hitachi RTU560 controllers were the most frequently targeted OT devices. These units ran firmware versions 12.6.6.0, 12.7.3.0, 13.1.1.0 and 13.5.2.0 and were configured with default credentials, including a “Default” user. The attacker logged into the web interface using this account and uploaded corrupted firmware in ELF format. Because 240 bytes of 0xFF had been inserted at the program entry point, the processor executed an invalid instruction on boot, causing a reboot loop. The modified firmware claimed to be version 13.5.3.0, which had never been deployed, indicating that the attacker sourced firmware from external repositories.
Secure update was available from firmware 13.2.1 but was not enabled on any device. Even if it had been enabled, CVE‑2024‑2617 would have allowed the digital signature check to be bypassed. The vulnerability was fixed in firmware 13.7.7, but none of the affected units had applied the patch.
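The entry‑point corruption described above is easy to check for before an image is uploaded, or on a file recovered from a rebooting unit. The following Python check is an added example, not code from the report or from Hitachi: it maps e_entry to a file offset through the PT_LOAD program headers and measures the run of 0xFF filler that begins there. The build_sample helper constructs a minimal ELF64 test fixture and is not RTU560 firmware.

```python
import struct

def _entry_file_offset(elf: bytes) -> int:
    """Map e_entry to a file offset via the PT_LOAD program headers (ELF32/ELF64, either endianness)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        e_entry, e_phoff = struct.unpack_from(end + "QQ", elf, 0x18)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_entry, e_phoff = struct.unpack_from(end + "II", elf, 0x18)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, off)
        else:     # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(end + "IIIII", elf, off)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:
            return p_offset + (e_entry - p_vaddr)
    raise ValueError("entry point not backed by any PT_LOAD segment")

def entry_point_padding_run(elf: bytes, pad: int = 0xFF, window: int = 256) -> int:
    """Length of the run of `pad` bytes that starts exactly at the entry point (0 for a healthy image)."""
    off = _entry_file_offset(elf)
    run = 0
    for b in elf[off:off + window]:
        if b != pad:
            break
        run += 1
    return run

def is_suspect_firmware(elf: bytes, threshold: int = 16) -> bool:
    """Flag an image whose entry point begins with a long filler run instead of instructions."""
    return entry_point_padding_run(elf) >= threshold

def build_sample(code: bytes) -> bytes:
    """Constructed minimal ELF64 little-endian x86-64 image: one PT_LOAD maps the file at 0x400000
    and e_entry points at the first byte of `code`. Test fixture only, not RTU560 firmware."""
    base, code_off = 0x400000, 64 + 56
    total = code_off + len(code)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base + code_off, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, base, base, total, total, 0x1000)
    return ehdr + phdr + code

if __name__ == "__main__":
    clean = build_sample(bytes.fromhex("554889e5c9c3"))  # push rbp; mov rbp,rsp; leave; ret
    filled = build_sample(b"\xff" * 240 + bytes.fromhex("554889e5c9c3"))
    print("clean run:", entry_point_padding_run(clean), "filled run:", entry_point_padding_run(filled))
```

The check complements, rather than replaces, the vendor's signed‑update feature: it catches the specific filler pattern seen here even on units where secure update is not yet enabled.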
Mikronika controllers, based on Linux, were exploited via SSH using default root credentials. The attacker executed a command that deleted all system files, rendering the device inoperable. The command was not preserved in the shell history, suggesting that the attacker used techniques to clear evidence.
Hitachi Relion 650 IEDs were attacked through the default FTP service. The built‑in FTP account allowed the attacker to delete essential system files, causing device shutdown. According to manufacturer guidance, the FTP account would have been disabled by default in a properly configured deployment.
Mikronika HMI computers running Windows 10 were compromised via the Remote Desktop service using an account with a default administrator password. The attacker enabled administrative shares, created a firewall rule named “Microsoft Update” allowing TCP port 445, and performed network reconnaissance using PowerShell scripts. On 29 December 2025, a malicious executable named Source.exe was created at C:\Source.exe and executed, causing irreversible data damage. This file was identified as the DynoWiper malware, which also appeared in the CHP plant incident.
Moxa NPort 6xxx serial device servers were reset to factory defaults, had their passwords changed, and had their IP addresses set to unreachable values (e.g., 127.0.0.1). These actions disabled remote management and prolonged recovery time.
Indicator of Compromise (IOC) Summary
• FortiGate devices with exposed VPN interfaces and no MFA.
• Default “Default” user accounts on Hitachi RTU560.
• Corrupted firmware files with 0xFF injection at entry point.
• Unpatched CVE‑2024‑2617 on Hitachi RTUs.
• Default root SSH access on Mikronika controllers.
• Default FTP account on Hitachi Relion IEDs.
• Administrative shares enabled and a “Microsoft Update” firewall rule allowing TCP port 445 on Windows HMI computers.
• DynoWiper executable Source.exe.
• Factory resets and IP re‑configuration on Moxa NPort devices.
Recommendations for Security Analysts
- Secure FortiGate VPNs: Disable Internet‑exposed VPN interfaces or restrict access to known IP ranges. Enforce MFA for all VPN users and enforce strong password policies.
- Credential Hygiene: Eliminate default credentials on all OT devices. Implement unique, complex passwords and change them regularly. Use password management solutions that support OT environments.
- Patch Management: Deploy firmware updates promptly. Ensure that secure update features are enabled and that firmware signatures are validated. Monitor for known CVEs such as CVE‑2024‑2617 and apply patches without delay.
- Network Segmentation and Least Privilege: Separate IT and OT networks with robust firewalls. Restrict administrative access to only those who require it. Use VLANs and role‑based access controls to limit lateral movement.
- Logging and Monitoring: Enable comprehensive syslog forwarding from FortiGate, RTUs, HMI computers and serial servers to a SIEM. Correlate logs for anomalous firmware uploads, factory resets and unauthorized configuration changes.
- Incident Response Preparation: Develop playbooks for OT sabotage scenarios. Conduct tabletop exercises that include factory reset detection, firmware integrity checks and rapid restoration procedures.
- Backup and Redundancy: Maintain offline backups of critical firmware and configuration files. Deploy redundant control paths where possible to maintain operation during device failure.
- Vendor Coordination: Maintain active communication with device manufacturers (Hitachi, Mikronika, Moxa) and security teams (CERT Polska). Share indicators and leverage vendor‑provided patches and hardening guides.
By implementing these controls and maintaining a continuous monitoring posture, security analysts can significantly reduce the risk of destructive cyber‑attacks on the energy sector and mitigate the impact of future incidents.