On December 29, 2025, a coordinated series of destructive cyberattacks struck Poland’s energy sector during a period of severe winter weather. The attackers targeted a mix of renewable energy farms, a manufacturing company, and a combined heat and power plant that serves nearly 500,000 customers. Despite the scale of the operation, the immediate impact on the national power grid was limited; however, the incidents exposed critical vulnerabilities in how industrial control systems (ICS) are protected and managed.
The attackers exploited vulnerable FortiGate perimeter devices, leveraging stolen credentials and default passwords to gain foothold in the network. Once inside, they deployed multiple strains of wiper malware – DynoWiper and LazyWiper – that systematically destroyed data across both IT and OT environments. The malware’s destructive payload included disk wiping, configuration modification, and deletion of forensic artefacts, making post‑incident recovery difficult.
Below is a structured threat report that security analysts can use to understand the tactics, techniques, and procedures (TTPs) employed, identify indicators of compromise (IOCs), and implement defensive measures.
1. Attack Overview
- Targeted assets: 30 wind and solar farms, a manufacturing company, a combined heat and power plant.
- Primary vector: FortiGate edge devices accessed via stolen credentials.
- Malware used: DynoWiper, LazyWiper.
- Operational context: Severe winter conditions increased stakes for power generation continuity.
2. Threat Actor Attribution
- Known threat clusters: Static Tundra, Ghost Blizzard, potential ties to Sandworm.
- Indicators of a well‑resourced, state‑backed adversary with industrial sabotage capabilities.
3. Architecture of Targeted Renewable Facilities
- Wind turbines and PV arrays feed a Power Substation (GCP).
- Voltage stepped up to 110 kV via transformer.
- Distribution System Operator (DSO) monitors GCP for stability.
4. Initial Access and Persistence
- Exploitation of FortiGate VPN with default or stolen credentials.
- Use of FortiGate scripts to harvest administrator passwords.
- Creation of scheduled tasks on FortiGate devices to maintain persistence.
5. Execution and Privilege Escalation
- Deployment of DynoWiper via scheduled tasks (T1053.005).
- Execution of PsExec for command execution (T1569.002).
- Privilege escalation through token manipulation and LSASS credential dumping (T1134, T1003).
6. Defense Evasion and Impact
- Modification of FortiGate firewall rules to disable security functions (T1562.013).
- Deletion of wiper artefacts to remove forensic evidence (T1070.004).
- Massive data destruction: file corruption, RAID reconfiguration, device shutdown (T1485, T1561.002, T1529).
7. Network and System Discovery
- Enumeration of SMB shares, network services, and active processes.
- Mapping of routing tables and ARP cache to understand network topology.
8. Lateral Movement and Command & Control
- Use of RDP and SSH to move across the internal network.
- Reverse SOCKS proxy and Tor for obfuscated traffic.
- Exfiltration over HTTP to attacker‑controlled servers and Slack webhook for command dissemination.
9. Indicators of Compromise (IOCs)
- SHA‑256 hashes of known wiper samples:
8759e79cf3341406564635f3f08b2f33,65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c, etc. - Malicious IP addresses: 185.200.177.10, 31.172.71.5, 193.200.17.163, etc.
- File names: dynacom_update.ps1, exp1.ps1, Source.exe, dynacom_update.exe, schtask.exe.
10. Recommendations for Defense
- Change all default and stolen credentials on FortiGate and other edge devices immediately.
- Implement multi‑factor authentication on VPN and administrative console access.
- Segregate IT and OT networks with strict firewall rules and zero‑trust policies.
- Deploy endpoint detection and response (EDR) solutions capable of detecting scheduled task creation, PsExec usage, and file deletion.
- Regularly backup critical configuration files and store them offline.
- Conduct active threat hunting for the listed IOCs and monitor for anomalous privilege escalation.
- Educate staff on phishing and credential reuse to reduce credential theft risk.
- Establish an incident response playbook that includes rapid isolation of compromised FortiGate devices and rollback of malicious configurations.
- Integrate real‑time threat intelligence feeds to detect emerging variants of DynoWiper and LazyWiper.
By understanding the structure and tactics of this incident, security teams can better prepare for future attacks on critical energy infrastructure and mitigate the risk of data loss, operational disruption, and physical damage.

