Default Credentials, Vulnerable Devices Exploited in Polish Energy Grid Attack

A December 2025 campaign compromised at least 30 Polish wind and solar farms by exploiting default credentials, lack of multi‑factor authentication, and outdated or misconfigured OT and network devices. CERT Polska attributed the incident to Static Tundra while noting DynoWiper similarities to Sandworm-linked wipers, and reported attackers abused exposed FortiGate VPNs, static accounts, and configuration changes to pivot and exfiltrate credentials. #DynoWiper #StaticTundra

Keypoints

  • Attackers exploited default and static credentials and the absence of MFA to gain access to multiple facilities.
  • At least 30 wind and solar farms lost communication with distribution operators, though generation and grid stability were not disrupted.
  • CERT Polska attributed the campaign to Static Tundra, while Dragos linked related activity to Sandworm/ELECTRUM and destructive wiper similarities.
  • Exposed FortiGate SSL‑VPNs, bookmarked jump hosts, and scripted configuration changes enabled credential theft and persistence.
  • The incident highlights that distributed energy resources with extensive remote connectivity and limited cybersecurity investment are attractive targets.
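The weaknesses listed above (default or static credentials, remote access without MFA, internet-exposed VPN and jump hosts) are all things an operator can check for in an asset inventory before an attacker does. The following is an added example, not code from the article or from CERT Polska, of a small audit that scores a constructed inventory against those three conditions. It assumes the inventory export carries SHA-256 hashes of local account passwords rather than cleartext, and the "known default" credential pairs are illustrative values, not taken from any real vendor list.

```python
"""Audit an OT/IT asset inventory for the weaknesses named in the incident summary:
known-default passwords, long-unrotated (static) passwords, and internet-exposed
remote-access devices that do not enforce MFA. All data below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative username/password defaults (constructed; not a real vendor default list).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("operator", "operator"),
    ("root", "root"),
}

STATIC_THRESHOLD_DAYS = 365  # assumption: anything older than a year counts as "static"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Pre-hash the defaults so the audit only ever compares hashes from the inventory.
DEFAULT_HASHES = {(user, sha256_hex(pw)) for user, pw in KNOWN_DEFAULT_CREDENTIALS}


@dataclass
class Account:
    username: str
    password_sha256: str
    age_days: int  # days since the password was last rotated


@dataclass
class Asset:
    name: str
    kind: str  # e.g. "ssl-vpn", "jump-host", "rtu"
    internet_exposed: bool
    mfa_enforced: bool
    accounts: List[Account] = field(default_factory=list)


def audit_asset(asset: Asset) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a single asset."""
    findings: List[Tuple[str, str]] = []
    for acct in asset.accounts:
        if (acct.username, acct.password_sha256) in DEFAULT_HASHES:
            findings.append(("high", f"{asset.name}: '{acct.username}' uses a known default password"))
        elif acct.age_days > STATIC_THRESHOLD_DAYS:
            findings.append(("medium", f"{asset.name}: '{acct.username}' unrotated for {acct.age_days} days"))
    if asset.internet_exposed and not asset.mfa_enforced:
        # Remote-access entry points without MFA are the highest-value exposure.
        severity = "high" if asset.kind in ("ssl-vpn", "jump-host") else "medium"
        findings.append((severity, f"{asset.name}: internet-exposed {asset.kind} without MFA"))
    return findings


def audit_inventory(assets: List[Asset]) -> Dict[str, int]:
    """Audit every asset and tally findings by severity."""
    tally = {"high": 0, "medium": 0}
    for asset in assets:
        for severity, _ in audit_asset(asset):
            tally[severity] += 1
    return tally


def constructed_inventory() -> List[Asset]:
    """A small constructed inventory: one exposed VPN, one well-run jump host, one RTU."""
    return [
        Asset("vpn-edge-01", "ssl-vpn", True, False,
              [Account("admin", sha256_hex("admin"), 900)]),
        Asset("jump-02", "jump-host", True, True,
              [Account("operator", sha256_hex("Str0ng-pass!"), 30)]),
        Asset("rtu-17", "rtu", False, False,
              [Account("operator", sha256_hex("operator"), 1200),
               Account("svc", sha256_hex("rotated-2025"), 400)]),
    ]


if __name__ == "__main__":
    inventory = constructed_inventory()
    for asset in inventory:
        for severity, message in audit_asset(asset):
            print(f"[{severity.upper():6}] {message}")
    print("totals:", audit_inventory(inventory))
```

Run against the constructed inventory, the audit flags the VPN twice (default admin password and no MFA on an exposed SSL-VPN), the RTU twice (default operator password and a service account unrotated for 400 days), and the jump host not at all. Matching hashes rather than cleartext keeps the audit usable on configuration backups without handling live secrets; the severity split is a judgement call that an operator should tune to their own exposure model.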

Read More: https://thecyberexpress.com/default-credentials-polish-energy-grid-attack/