CERT Polska reports a sustained campaign of destructive attacks against Poland’s energy sector that targeted renewable facilities, a large CHP plant, and a manufacturing supplier, using wiper malware to disrupt OT and distribution connections. Investigators identified two bespoke destructive families, DynoWiper and LazyWiper, and traced infrastructure overlap to the state-linked cluster Static Tundra while noting possible links to Sandworm, signaling a shift from espionage to active sabotage.
Key points
- CERT Polska documented coordinated late‑2025 attacks against renewable energy sites, a large CHP plant, and a sector-related manufacturer.
- Attackers seized control of a facility’s GCP (Grid Control Point), causing loss of communication and disruption to the distribution grid.
- Moxa NPort serial-to-Ethernet converters were targeted with password changes and corrupted firmware that prevented controller startup.
- Two destructive wipers, DynoWiper and LazyWiper, were deployed to irrecoverably delete files from RTU controllers and act as redundant destructive tools.
- Attribution favors the state-linked cluster known as Static Tundra based on infrastructure overlaps, with possible but inconclusive similarities to Sandworm.
Read More: https://securityonline.info/grid-sabotage-static-tundra-hits-polands-energy-sector-with-dynowiper/