On December 29, 2025, a coordinated destructive campaign using a custom wiper called DYNOWIPER targeted Poland’s energy infrastructure, impacting more than 30 renewable sites and a major CHP plant. CERT Polska attributes the attack infrastructure to clusters tracked as Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly, and Elastic Defend’s canary-file ransomware protection successfully detected and blocked DYNOWIPER activity. #DYNOWIPER #CERTPolska
Keypoints
- On 2025-12-29, attackers executed a coordinated destructive campaign against Poland’s energy sector, affecting 30+ wind and solar farms and a major CHP plant.
- A custom wiper, DYNOWIPER, was used to irreversibly corrupt files, drawing its overwrite data from a Mersenne Twister PRNG, and targeted both fixed and removable drives.
- CERT Polska links the attack infrastructure to threat clusters identified by multiple vendors (Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly).
- Initial access exploited internet-exposed Fortinet FortiGate devices via VPN accounts without MFA, reused credentials, and unpatched vulnerabilities.
- DYNOWIPER intentionally avoids system-critical directories to preserve system stability while maximizing data destruction, then forces a reboot.
- Elastic Defend’s canary-file behavioral protection detected and prevented DYNOWIPER execution in testing and halted overwriting on 100+ machines in the field.
MITRE Techniques
- [T1053.005] Scheduled Task/Job – Actors used scheduled tasks and GPO modifications to run or deploy payloads and scripts; (‘GPO modifications creating scheduled tasks with SYSTEM privileges’)
- [T1222] File and Directory Permissions Modification – The wiper removes file protection attributes to enable overwriting files via SetFileAttributesW(FILE_ATTRIBUTE_NORMAL); (‘SetFileAttributesW(FILE_ATTRIBUTE_NORMAL)’)
- [T1680] Local Storage Discovery – DYNOWIPER enumerates logical drives to identify targets on fixed and removable media using GetLogicalDrives(); (‘GetLogicalDrives()’)
- [T1485] Data Destruction – The malware corrupts files by overwriting headers and random offsets with pseudorandom data to ensure unrecoverable destruction; (‘overwriting the file header with 16 bytes of random data’)
- [T1529] System Shutdown/Reboot – After corruption, the wiper elevates privileges and forces a system reboot to finalize the destructive impact; (‘ExitWindowsEx(EWX_REBOOT | EWX_FORCE)’)
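The 16-byte header overwrite described under T1485 leaves a recognisable trace: a file whose extension promises one signature but whose first bytes carry something else. The triage helper below is an added example for this summary, not code from CERT Polska or Elastic; its MAGIC table, verdict names and sample headers are constructed for illustration.

```python
"""Post-incident triage helper (added example, not from the report).
Flags files whose first 16 bytes no longer match the magic bytes expected
for their extension, the symptom left by a header-overwriting wiper.
The MAGIC table and the sample headers are constructed for this example."""
from pathlib import Path

HEADER_LEN = 16  # the report describes a 16-byte header overwrite

# Constructed, deliberately small table of well-known file signatures.
# Note: empty ZIP-based documents start with PK\x05\x06 and would be flagged.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
}

def classify_header(name: str, header: bytes) -> str:
    """'intact' if the header carries the expected signature, 'header-mismatch'
    if it does not, 'no-reference' if the extension is not in the table."""
    expected = MAGIC.get(Path(name).suffix.lower())
    if expected is None:
        return "no-reference"
    return "intact" if header.startswith(expected) else "header-mismatch"

def triage_headers(samples):
    """Map each (name, header_bytes) pair to its verdict."""
    return {name: classify_header(name, header[:HEADER_LEN]) for name, header in samples}

def scan_directory(root: Path) -> dict:
    """Read the first 16 bytes of every regular file under root and classify it."""
    samples = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                samples.append((str(path.relative_to(root)), fh.read(HEADER_LEN)))
    return triage_headers(samples)

# Constructed sample headers: an intact PDF, an intact PNG, a PNG whose first
# 16 bytes were replaced with arbitrary bytes (standing in for a wiped header),
# and a text file for which no reference signature exists.
SAMPLES = [
    ("q4_report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 "),
    ("turbine.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("inverter.png", bytes.fromhex("3fa17c09e2b4d86611f05a9cc73e8d21")),
    ("notes.txt", b"Shift handover, 29 Dec"),
]

if __name__ == "__main__":
    for name, verdict in triage_headers(SAMPLES).items():
        print(f"{verdict:16} {name}")
```

A 'header-mismatch' verdict only says the header is not what the extension implies; confirm against backups or file-carving before counting a file as destroyed.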
Indicators of Compromise
- [File Hashes] DYNOWIPER and related binaries – SHA256 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 (dynacom_update.exe), 65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c (Source.exe), and 4 more hashes
- [File Names] Executables observed in samples and distribution – dynacom_update.exe, schtask.exe, and other payload filenames observed in the report
- [PowerShell Scripts] Distribution/deployment scripts – dynacon_update.ps1, exp.ps1
- [IP Addresses] Infrastructure and login activity – 185.200.177[.]10 (VPN logins, direct DYNOWIPER execution), 31.172.71[.]5 (reverse proxy for data exfiltration), and 3 more IPs
- [PDB Path] Build artifact indicating development environment – C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\Release\Source.pdb (suggests a Vagrant-managed VM)
- [YARA Rule] Detection signature published by CERT Polska – rule name “DYNOWIPER” (meta reference: https://mwdb.cert.pl/), used to detect the wiper via strings and API artifacts