
CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

Medium
Vulnerability
Published: Sat Jan 31 2026 (01/31/2026, 07:05:00 UTC)
Source: The Hacker News

Description

CERT Polska has reported coordinated cyber attacks, carried out on December 29, 2025, against more than 30 wind and solar farms, a manufacturing company, and a large combined heat and power (CHP) plant in Poland. The activity is attributed to the Russia-linked threat cluster Static Tundra (also tracked as Berserk Bear, among other names) and aimed to disrupt critical infrastructure by deploying destructive wiper malware, tracked as DynoWiper and LazyWiper. The attacks disrupted communications and attempted to damage operational technology (OT) systems, but did not interrupt electricity or heat production. Initial access came through vulnerable Fortinet devices and weak authentication (no two-factor authentication, statically defined accounts); the attackers then moved laterally using stolen credentials and PowerShell scripts, and exfiltrated sensitive data on OT modernization and SCADA systems. The wipers had no persistence or command-and-control component, which points to a one-shot destructive objective rather than long-term espionage access. The incident illustrates the continuing risk to European critical infrastructure from state-sponsored cyber operations.

AI-Powered Analysis

Last updated: 01/31/2026, 09:09:24 UTC

Technical Analysis

In January 2026, CERT Polska disclosed details of a series of coordinated cyber attacks carried out on December 29, 2025, against more than 30 renewable energy farms (wind and photovoltaic), a manufacturing company, and a large combined heat and power (CHP) plant supplying heat to nearly half a million customers in Poland. CERT Polska attributes the activity to Static Tundra, a Russian state-sponsored cluster linked to the FSB's Center 16; some reporting also associates it with the Sandworm group. Initial access was gained primarily through vulnerable Fortinet perimeter devices, including FortiGate appliances that lacked two-factor authentication and carried statically defined accounts. From these footholds the adversaries performed reconnaissance and deployed two destructive wipers: DynoWiper on Mikronika HMI computers at the energy facilities, and LazyWiper, a PowerShell-based wiper, at the manufacturing company. Both overwrote and corrupted files to render systems inoperable; neither had a persistence mechanism or a command-and-control channel, consistent with a one-shot destructive objective rather than stealth or long-term control. At the CHP plant the intrusion dated back to March 2025: over that period the attackers stole data and credentials, escalated privileges and moved laterally through the network, and attempted to exfiltrate files from Microsoft 365 cloud services, concentrating on documents about OT network modernization and SCADA systems. Communication between the renewable energy farms and distribution system operators was disrupted, but electricity production and heat supply were not interrupted. The attackers routed their activity through Tor nodes and compromised IP addresses to mask its origin. CERT Polska noted some code similarities between DynoWiper and wipers used by Sandworm but did not confirm Sandworm's direct involvement.
This incident underscores how exposed critical infrastructure remains to state-sponsored attacks that exploit known vulnerabilities and weak security controls in both OT and IT environments.
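The initial access vector described above, FortiGate appliances with no two-factor authentication and statically defined accounts, translates directly into a configuration check. The Python script below is an added example, not tooling from CERT Polska or the article: it parses a FortiOS CLI export and flags administrator accounts with no two-factor setting, accounts without a trusthost restriction, and management protocols enabled on a WAN-role interface. The configuration it reads is constructed for the example (hostnames, account names and addresses are invented); the ops-jkowalski entry shows the corrected shape next to the weak ones. It relies on the fact that a standard FortiOS show export omits default values, so an absent two-factor line means it is disabled.

```python
"""Audit a FortiOS CLI export for the access weaknesses named in the CERT Polska
report.  Added example; the configuration below is constructed (names and
addresses are invented) and is not taken from any compromised device."""
import shlex

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
    edit "svc_integrator"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
    edit "ops-jkowalski"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""


def _section_path(stack):
    """Key for the innermost open section, e.g. 'system interface[wan1]/ipv6'."""
    parts = [n if e is None else f"{n}[{e}]" for n, e in stack[:-1]]
    return "/".join(parts + [stack[-1][0]])


def parse_fortios(text):
    """Parse a FortiOS CLI export into {section_path: {entry: {key: [values]}}}.
    Sections with no 'edit' entries store their settings under entry None."""
    sections = {}
    stack = []  # open sections as [section name, current 'edit' entry or None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
            sections.setdefault(_section_path(stack), {})
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[_section_path(stack)].setdefault(args[0], {})
        elif cmd in ("set", "unset"):
            entry = sections[_section_path(stack)].setdefault(stack[-1][1], {})
            if cmd == "set":
                entry[args[0]] = args[1:]
            else:
                entry.pop(args[0], None)
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections


ADMIN_PROTOCOLS = {"https", "ssh", "http", "telnet"}


def audit(sections):
    """Return findings for the weaknesses the report describes.  A standard
    'show' export omits defaults, so a missing 'two-factor' means 'disable'."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin '{name}': two-factor authentication disabled")
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}': no trusthost, login accepted from any address")
    for name, attrs in sections.get("system interface", {}).items():
        exposed = ADMIN_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"interface '{name}': management access ({', '.join(sorted(exposed))}) on WAN")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real export, the script reports two findings for each of the two legacy accounts and one for the WAN interface, and nothing for the account that already has a trusthost and a FortiToken; the fix on the device is the same as the ops-jkowalski entry plus removing https and ssh from the WAN interface's allowaccess list.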

Potential Impact

For European organizations operating critical infrastructure, especially in the energy sector, the incident shows the risk posed by state-sponsored adversaries that deliberately target OT environments. Loss of communication between renewable energy farms and distribution system operators degrades situational awareness and operational coordination, and can delay the response to grid anomalies. The attacks did not halt electricity or heat production, but a wiper campaign of this kind that did succeed against HMI and control systems could cause prolonged outages affecting hundreds of thousands of end users (the CHP plant alone supplies heat to nearly half a million customers) and the services that depend on them. The stolen material on OT modernization and SCADA systems can inform future attacks or espionage and erodes trust in the affected operators and their competitive position. Manufacturing companies face the same exposure through vulnerable perimeter devices, with operational downtime and intellectual property theft as the likely outcomes. The exploitation of vulnerable perimeter appliances and single-factor administrative access points to systemic weaknesses across European critical infrastructure networks. The incident is also likely to raise geopolitical tensions and draw regulatory scrutiny, with consequences for operational continuity and compliance obligations across the EU and neighbouring countries.

Mitigation Recommendations

European operators should start with the perimeter: inventory Fortinet FortiGate and other edge appliances, bring them to a patched firmware release, remove statically defined and vendor-default accounts, enforce multi-factor authentication for every administrative login, and restrict management access to trusted hosts and interfaces rather than exposing it on WAN ports. Apply security updates across IT and OT systems on a defined schedule, and segment IT from OT so that a foothold on a perimeter device or engineering workstation does not give a direct path to HMI and SCADA hosts. Monitor for the behaviours seen in this campaign: anomalous PowerShell execution (encoded commands, remoting, recursive file enumeration followed by bulk writes), unauthorized access attempts, and outbound connections to Tor nodes or unexpected addresses. Review credential hygiene, rotating privileged account passwords and disabling unused accounts, and, because one of the intrusions dated back to March 2025, hunt for historical access rather than only current activity. Prepare incident response playbooks for wiper and other destructive attacks, including offline, tested backups and rebuild procedures for HMI and engineering systems, so that containment and recovery can proceed quickly. Share indicators and observations with national CERTs and sector peers, and validate the whole chain with regular penetration tests and red team exercises built around this attack pattern.
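The recommendation to monitor for anomalous PowerShell activity is easier to act on with a concrete rule set. The script below is an added example, not detection logic from CERT Polska or the article, and the three telemetry records it processes are constructed for the example, not telemetry from the incident; host names and the sample commands are invented. It decodes -EncodedCommand payloads (base64 of UTF-16LE) so that what is scanned is the script that actually ran rather than the wrapper, and it treats recursive file enumeration combined with a bulk write primitive as the wiper shape worth escalating, alongside shadow-copy deletion and the remoting cmdlets used for lateral movement. Matching network logs against Tor exit nodes is a separate control and is not shown here.

```python
"""Heuristic triage of PowerShell telemetry for wiper-like and lateral-movement
activity.  Added example: not detection logic from CERT Polska or the article.
The records below are constructed for the example, not telemetry from the incident."""
import base64
import json
import re

# Signals one command line or script block can exhibit, matched case-insensitively.
SIGNALS = {
    "recursive_enum": re.compile(r"get-childitem\b[^|;]*?-recurse\b|\bgci\b[^|;]*?-r(?:ecurse)?\b", re.I),
    "file_overwrite": re.compile(r"WriteAllBytes|WriteAllText|Set-Content|Out-File", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|Win32_ShadowCopy", re.I),
    "remote_exec": re.compile(r"Invoke-Command\b|Enter-PSSession\b|New-PSSession\b|Invoke-WmiMethod\b", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression", re.I),
    "log_clearing": re.compile(r"Clear-EventLog|wevtutil\s+cl\b", re.I),
}
# -enc / -EncodedCommand followed by a base64 blob; PowerShell decodes it as UTF-16LE.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample: an inner command hidden behind -EncodedCommand, as an attacker passes it.
INNER_COMMAND = "Invoke-Command -ComputerName HMI-01 -ScriptBlock { Get-ChildItem 'C:\\Program Files' }"
ENCODED_COMMAND = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = "\n".join(json.dumps(record) for record in [
    {"host": "ENG-WS-02", "source": "ProcessCreate",
     "text": "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\Reports\\services.csv"},
    {"host": "ENG-WS-02", "source": "ProcessCreate",
     "text": f"powershell.exe -nop -w hidden -enc {ENCODED_COMMAND}"},
    {"host": "HMI-01", "source": "ScriptBlockLogging",
     "text": "Get-ChildItem -Path 'D:\\' -Recurse -File | ForEach-Object "
             "{ [IO.File]::WriteAllBytes($_.FullName, (New-Object byte[] $_.Length)) }; "
             "vssadmin delete shadows /all /quiet"},
])


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload in `text`, or None if absent or invalid."""
    match = ENCODED_ARG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event):
    """Score one telemetry record and return the signals found and a severity."""
    text = event["text"]
    decoded = decode_encoded_command(text)
    signals = set()
    if decoded is not None:
        signals.add("encoded_command")
        text = f"{text}\n{decoded}"  # scan what actually ran, not just the wrapper
    signals.update(name for name, pattern in SIGNALS.items() if pattern.search(text))
    if {"recursive_enum", "file_overwrite"} <= signals:
        signals.add("mass_overwrite")  # enumerate-then-write across a tree is the wiper shape
    if "mass_overwrite" in signals or "shadow_copy_delete" in signals:
        severity = "high"
    elif len(signals) >= 2:
        severity = "medium"
    else:
        severity = "low" if signals else "none"
    return {"host": event["host"], "severity": severity, "signals": sorted(signals), "decoded": decoded}


def triage_log(log_text):
    """Triage newline-delimited JSON records that carry 'host' and 'text' fields."""
    return [triage_event(json.loads(line)) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result["host"], result["severity"], ", ".join(result["signals"]))
```

The benign service inventory scores nothing, the encoded launcher is only recognisable as remoting after decoding, and the HMI script block is escalated on the overwrite pattern and the shadow-copy deletion together. Thresholds and patterns are deliberately simple; in production they would be tuned against the organisation's own baseline of administrative PowerShell use.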

Technical Details

Article Source: https://thehackernews.com/2026/01/poland-attributes-december-cyber.html (fetched 2026-01-31 09:08:48 UTC; 1,314 words)

Threat ID: 697dc6a3ac063202221e55f5

Added to database: 1/31/2026, 9:08:51 AM

Last enriched: 1/31/2026, 9:09:24 AM

Last updated: 1/31/2026, 11:39:17 AM
