Poland's CERT reported a Russia-linked attack on the national power grid that compromised communication and control systems at about 30 sites, allowing attackers to access ICS, upload malicious firmware, deploy wipers, and permanently damage some devices without causing electrical outages. The initial vector was internet-exposed Fortinet FortiGate devices using default credentials; equipment from the vendors Hitachi, Moxa, and Mikronika was targeted, and security firms attributed the operation to groups including Sandworm and related actors. #Sandworm #DynoWiper
Key points
- The attack affected roughly 30 sites, including CHP plants and renewable energy dispatch centers.
- Exposed Fortinet FortiGate devices with default credentials and no MFA served as the initial entry vector.
- Targeted ICS vendors included Hitachi Energy (RTU560, Relion), Moxa (NPort), and Poland's Mikronika.
- Attackers uploaded malicious firmware and deployed wipers (e.g., DynoWiper), damaging some devices but not causing outages.
- Attribution varies: ESET linked the incident to Sandworm, Dragos to Electrum, and CERT.PL referenced groups like Static Tundra/Berserk Bear.