CERT Polska reported coordinated destructive cyber attacks on December 29, 2025 that targeted more than 30 wind and photovoltaic farms, a manufacturing company, and a large combined heat and power (CHP) plant serving nearly half a million customers. The intrusions involved wiper malware (notably DynoWiper and LazyWiper) and exploitation of vulnerable Fortinet/FortiGate devices, and have been attributed to the threat cluster Static Tundra. #DynoWiper #StaticTundra
Key points
- Coordinated destructive attacks on Dec 29, 2025 affected over 30 renewable energy sites, a manufacturing firm, and a large CHP plant serving ~500,000 customers.
- CERT Polska attributed the activity to Static Tundra (linked to FSB Center 16), while ESET and Dragos separately associated similar activity with Sandworm.
- Attackers gained access via vulnerable Fortinet/FortiGate appliances and reused on‑premises credentials lacking two‑factor authentication, often connecting through Tor and compromised IPs.
- Multiple DynoWiper variants and a PowerShell-based LazyWiper were used to corrupt and delete files, with DynoWiper using a Mersenne Twister PRNG and lacking persistence or C2 functionality.
- Adversaries also exfiltrated M365 data—targeting OT modernization and SCADA-related files—though attempts to disrupt electricity and heat supply ultimately failed.
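The access path in the third point (VPN logins using reused on-premises credentials without a second factor, arriving via Tor) is the kind of thing a defender can audit from authentication logs. The following is an added example, not code from CERT Polska, ESET, Dragos or the reports they published: it runs a simple check over constructed VPN login records and flags successful logins that had no MFA or came from an address on a Tor exit watchlist. The record layout, the IP addresses and the watchlist entries are assumptions made for the example; a real deployment would feed it the appliance's actual authentication log and the published Tor exit list.

```python
"""Audit VPN login records for the two access conditions described above:
successful logins without a second factor, and logins from Tor exit nodes.
Added example; the log layout and addresses below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Finding:
    user: str
    src_ip: str
    ts: str
    reasons: list[str] = field(default_factory=list)


# Constructed sample records (assumed layout, not a real FortiGate log format).
SAMPLE_EVENTS = [
    {"ts": "2025-12-29T01:58:11Z", "user": "j.kowalski", "src_ip": "192.0.2.10",     "result": "success", "mfa": True},
    {"ts": "2025-12-29T02:14:05Z", "user": "svc_scada",  "src_ip": "203.0.113.45",   "result": "success", "mfa": False},
    {"ts": "2025-12-29T02:16:40Z", "user": "admin",      "src_ip": "198.51.100.7",   "result": "success", "mfa": False},
    {"ts": "2025-12-29T02:17:02Z", "user": "admin",      "src_ip": "198.51.100.7",   "result": "failure", "mfa": False},
    {"ts": "2025-12-29T03:05:33Z", "user": "m.nowak",    "src_ip": "198.51.100.200", "result": "success", "mfa": True},
]

# Constructed placeholder watchlist. Load the published Tor exit-node list
# (and your own threat-intel IPs) here in practice; entries may be single
# hosts or CIDR ranges.
TOR_EXIT_WATCHLIST = ["198.51.100.7", "198.51.100.128/25"]


def _parse_watchlist(entries: list[str]) -> list[ipaddress._BaseNetwork]:
    # strict=False lets a bare host address become a /32 (or /128) network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _in_watchlist(ip: str, networks: list[ipaddress._BaseNetwork]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_vpn_logins(events: list[dict], watchlist: list[str] = TOR_EXIT_WATCHLIST) -> list[Finding]:
    """Return one Finding per successful login that lacked MFA and/or
    originated from an address on the watchlist. Failed attempts are
    skipped: the question here is which sessions actually got in."""
    networks = _parse_watchlist(watchlist)
    findings: list[Finding] = []
    for ev in events:
        if ev.get("result") != "success":
            continue
        reasons = []
        if not ev.get("mfa", False):
            reasons.append("no_mfa")
        if _in_watchlist(ev["src_ip"], networks):
            reasons.append("tor_exit")
        if reasons:
            findings.append(Finding(ev["user"], ev["src_ip"], ev["ts"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_vpn_logins(SAMPLE_EVENTS):
        print(f"{f.ts} {f.user:<12} {f.src_ip:<16} {','.join(f.reasons)}")
```

Run against the constructed sample it reports three sessions: the service account that logged in without MFA, the admin login that both lacked MFA and came from a watchlisted exit node, and a user whose MFA-protected login still originated from a watchlisted range. The last case is worth keeping in the output: MFA alone does not explain why a session is arriving through Tor, and the summary above notes that the attackers routed through Tor and compromised hosts.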
Read More: https://thehackernews.com/2026/01/poland-attributes-december-cyber.html