Official Report on Inner Workings of the December 29th, 2025 Cyber Attack of Polish Power Grid Released
Written by Andy R. on January 31st, 2026.
Intro
On December 29th, a massive cyber attack occurred against Poland’s power grid. Polish wind and solar farms, CHP (combined heat and power) plants, and a private manufacturing company were all attacked. The attack was destructive in nature and focused mostly on OT devices (operational technology used to control industrial machinery and equipment); some of it succeeded, but none of it had any effect on the actual power grid. The attack is suspected, but not definitively verified, to have been carried out by the Russian hacker group Sandworm.
The following is a breakdown and summary of a new report by “CERT Polska,” the Polish emergency response team for cyber attacks.
Attack On Wind And Solar
The attacker hit at least 30 Polish wind and solar farms, wrecking many of their OT devices, but this only cut off remote communication with the sites, not their connection to the grid itself. Specifically, connection was lost between the GCPs (grid connection points) and the DSOs (distribution system operators). The GCPs are where transformers transfer the voltage generated by the wind and solar farms to the power grid. DSO operators have remote access to these unmanned substations in order to monitor and supervise them. During the attack on the solar and wind farms, this connection was severed. However, thanks to the use of the DNP 3.0 and IEC 101 protocols on those links, the attacker was not able to escalate control up to the DSO level.
The attacker gained access to the GCPs via a public-facing FortiGate VPN device. The device has had known vulnerabilities in the past, but the credentials for account access should have been private. Nonetheless, once inside, the attacker escalated privileges and took control of all VLAN subnets. From there the attacker uploaded corrupted firmware to Hitachi and Mikronika RTUs (remote terminal units: microprocessor devices used for remote monitoring and control of equipment) and wiped their entire file systems, having gained access to them using default credentials. The attacker then used default credentials again to gain access to various Windows 10 machines, Hitachi Relion protection and control relays (used for the control and protection of power systems), and Moxa NPort serial device servers, wiping and corrupting as many system files as possible on all of these devices in an effort to make them permanently unusable.
If there is anything to take away from this incident, it is to ALWAYS change default passwords and logons (and if you’re able to, enable MFA).
Attack On CHP (Combined Heat and Power) Plant
Prior to the attack on the CHP plant, attackers were detected infiltrating and conducting reconnaissance on domain controllers, file systems, internal networks, and SCADA systems in March, May, July, and later in 2025. They usually gained access via a FortiGate VPN device and used RDP to hop from device to device to explore the network. At one point they even stole password hashes from a memory dump of Microsoft Windows LSASS (the process responsible for authentication within a Windows OS).
The December 29th attack was also launched from the FortiGate VPN device, again using RDP to jump from host to host before landing on the domain controller. Here the attacker launched a “wiper” malware (malware designed to destroy files) known as “DynoWiper.” DynoWiper was placed on the domain controller’s network share and pushed to as many computers as possible through the use of GPOs (group policy objects). While the executable file itself was not detected by antivirus, the EDR (endpoint detection and response) detected DynoWiper as soon as it was executed, and on over 100 machines the EDR successfully halted the overwriting of data. The attacker also tried to destroy data on physical disks in various disk image and RAID configurations, but was unsuccessful.
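The two behaviours the report describes in the months before the CHP attack, RDP hopping from host to host and credential theft from LSASS memory, are both visible in ordinary Windows telemetry. The following detector is an added example, not code from CERT Polska or the report: it runs over constructed event records shaped like Windows Security event 4624 (logon, with LogonType 10 meaning RemoteInteractive, i.e. RDP) and Sysmon event 10 (ProcessAccess). The host inventory, account names, IP addresses, timestamps and the LSASS allowlist are all invented for the demonstration and would come from your own CMDB and baseline in practice.

```python
"""Detection logic for RDP hop chains and LSASS memory access, run over
constructed Windows event records. Added example, not code from CERT Polska
or the report. Event IDs are standard: Security 4624 (logon; LogonType 10 =
RemoteInteractive/RDP) and Sysmon 10 (ProcessAccess). All hosts, users,
IPs and timestamps below are invented."""
from datetime import datetime, timedelta

# Constructed host inventory: hostname -> IP (assumed; from a CMDB in practice).
HOST_IPS = {
    "VPN-GW": "10.0.1.1",
    "JUMP01": "10.0.5.20",
    "FS01": "10.0.5.40",
    "DC01": "10.0.5.10",
}

# Constructed sample events. A service account RDPs VPN-GW -> JUMP01 -> FS01 -> DC01
# within twenty minutes, then an unknown binary reads LSASS memory on the DC.
SAMPLE_EVENTS = [
    {"id": 4624, "ts": "2025-07-14T02:10:00", "host": "JUMP01", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.1.1"},
    {"id": 4624, "ts": "2025-07-14T02:14:00", "host": "FS01", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.5.20"},
    {"id": 4624, "ts": "2025-07-14T02:21:00", "host": "DC01", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.5.40"},
    # A single admin RDP session from an unmanaged workstation, no onward hop.
    {"id": 4624, "ts": "2025-07-14T09:00:00", "host": "FS01", "user": "jkowalski",
     "logon_type": 10, "src_ip": "10.0.7.55"},
    # Sysmon ProcessAccess: the AV engine touching LSASS (expected) and an
    # unknown binary in a temp directory asking for full access (not expected).
    {"id": 10, "ts": "2025-07-14T02:25:00", "host": "DC01",
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"id": 10, "ts": "2025-07-14T02:26:00", "host": "DC01",
     "source_image": r"C:\Windows\Temp\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
]

# Processes that legitimately open LSASS on this (constructed) estate; tune per environment.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def detect_rdp_chains(events, host_ips, window_minutes=60, min_hops=2):
    """Link RDP logons by the same account into hop chains: a logon onto host B
    whose source IP belongs to host A, where A itself received an RDP logon by
    that account within the window, extends A's chain. Returns maximal chains
    with at least min_hops hops."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    window = timedelta(minutes=window_minutes)
    rdp = sorted((e for e in events if e["id"] == 4624 and e["logon_type"] == 10),
                 key=lambda e: e["ts"])
    paths = []  # paths[i] = hosts visited, in order, ending at rdp[i]["host"]
    for i, e in enumerate(rdp):
        t = datetime.fromisoformat(e["ts"])
        src_host = ip_to_host.get(e["src_ip"])
        if src_host is None:
            paths.append([e["host"]])  # unknown origin: nothing to link to
            continue
        path = [src_host, e["host"]]
        for j in range(i - 1, -1, -1):  # most recent qualifying logon onto src_host
            prev = rdp[j]
            if (prev["user"] == e["user"] and prev["host"] == src_host
                    and t - datetime.fromisoformat(prev["ts"]) <= window):
                path = paths[j] + [e["host"]]
                break
        paths.append(path)
    candidates = [(rdp[i]["user"], p) for i, p in enumerate(paths) if len(p) - 1 >= min_hops]
    # Report only maximal chains, not every prefix of the same journey.
    return [{"user": u, "path": p} for u, p in candidates
            if not any(v == u and len(q) > len(p) and q[:len(p)] == p for v, q in candidates)]


def detect_lsass_access(events, allowlist=LSASS_ALLOWLIST):
    """Flag Sysmon ProcessAccess events where a non-allowlisted process obtained
    a handle to lsass.exe that includes memory-read rights."""
    alerts = []
    for e in events:
        if e["id"] != 10 or not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        proc = e["source_image"].rsplit("\\", 1)[-1].lower()
        mask = int(e["granted_access"], 16)
        if proc in allowlist or not mask & PROCESS_VM_READ:
            continue
        alerts.append({"host": e["host"], "process": e["source_image"],
                       "granted_access": e["granted_access"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for c in detect_rdp_chains(SAMPLE_EVENTS, HOST_IPS):
        print("RDP hop chain:", c["user"], " -> ".join(c["path"]))
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print("LSASS access:", a["host"], a["process"], a["granted_access"])
```

The chain detector deliberately keys on the source IP of each logon resolving to a host that was itself just reached over RDP by the same account, which is what distinguishes an administrator opening one session from an intruder walking the network; the LSASS check is only as good as its allowlist, so build that from a quiet baseline rather than guessing it.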
Attack On Private Manufacturing Company
Although this attack was coordinated with the attackers who took on the CHP plant and the GCP solar and wind substations, it is believed to have been more opportunistic in nature, compared to the other two attacks, which were likely pre-planned for quite some time.
The attacker gained access via a historically vulnerable Fortinet perimeter device (the report doesn’t say specifically what this device was), whose configuration had already been leaked and disclosed on criminal forums. The attacker made changes to the device to allow for persistent access and sent scripts to exfiltrate credentials. The attacker then moved through the company’s internal systems using VPN tunnels with the freshly stolen credentials. After gaining access to the domain controller, the attacker used GPOs to push a PowerShell-based wiper called “LazyWiper” to the network share, trying to wipe as many devices as possible (the report does not say whether it succeeded or failed).
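Both wipers in the report, DynoWiper at the CHP plant and LazyWiper here, were staged on the domain controller’s share and delivered through Group Policy. A cheap control for that delivery path is to baseline the Policies tree that GPOs are served from and alert on new or changed scripts, executables and script-control files. The code below is an added example, not code from CERT Polska or the report: on a real domain controller the root would be the Policies directory under SYSVOL, while here a small tree, a made-up GPO GUID and the file names are constructed in a temporary directory so the check runs anywhere.

```python
"""Baseline-and-diff check for payload staging in a Group Policy tree, the
push mechanism described above for both DynoWiper and LazyWiper. Added
example, not code from CERT Polska or the report. On a real domain
controller the root would be the Policies directory under SYSVOL; here the
tree, the GPO GUID and the file names are constructed in a temp directory."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types that execute when delivered through a GPO, and the control files
# that decide which scripts run (scripts.ini for batch, psscripts.ini for PowerShell).
PAYLOAD_SUFFIXES = {".exe", ".dll", ".msi", ".ps1", ".bat", ".cmd", ".vbs", ".js"}
CONTROL_FILES = {"scripts.ini", "psscripts.ini", "scheduledtasks.xml"}
GPO_GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed, not a real GPO


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(old, new):
    """Report files that appeared, changed or vanished since the baseline.
    Executables, scripts and script-control files are high severity."""
    findings = []
    for rel, digest in new.items():
        if rel not in old:
            change = "new"
        elif old[rel] != digest:
            change = "modified"
        else:
            continue
        name = Path(rel).name
        high = Path(rel).suffix.lower() in PAYLOAD_SUFFIXES or name.lower() in CONTROL_FILES
        findings.append({"path": rel, "name": name, "change": change,
                         "severity": "high" if high else "low"})
    for rel in old.keys() - new.keys():
        findings.append({"path": rel, "name": Path(rel).name,
                         "change": "deleted", "severity": "low"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["path"]))


def build_demo():
    """Create a small Policies tree, baseline it, then apply the kind of change
    the report describes (a new script dropped into a GPO and the startup list
    repointed at it) and return the diff."""
    root = Path(tempfile.mkdtemp())
    try:
        startup = root / GPO_GUID / "Machine" / "Scripts" / "Startup"
        startup.mkdir(parents=True)
        (root / GPO_GUID / "GPT.INI").write_text("[General]\nVersion=3\n")
        (startup / "psscripts.ini").write_text(
            "[Startup]\n0CmdLine=inventory.ps1\n0Parameters=\n")
        (startup / "inventory.ps1").write_text("Get-ComputerInfo | Out-File C:\\inv.txt\n")
        baseline = hash_tree(root)

        # Constructed staging: a new script appears, the startup list gains an
        # entry for it, and the GPO version is bumped so clients re-apply it.
        (startup / "update.ps1").write_text("# placeholder standing in for a staged payload\n")
        (startup / "psscripts.ini").write_text(
            "[Startup]\n0CmdLine=inventory.ps1\n0Parameters=\n1CmdLine=update.ps1\n1Parameters=\n")
        (root / GPO_GUID / "GPT.INI").write_text("[General]\nVersion=4\n")
        return diff_baseline(baseline, hash_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in build_demo():
        print(f'{f["severity"]:4} {f["change"]:8} {f["path"]}')
```

Run the baseline on a schedule from a host other than the domain controller, store it somewhere the DC’s administrators cannot overwrite, and treat any high-severity finding outside a change window as an incident rather than a ticket: the report’s timeline shows the push happening in minutes once the attacker held the domain controller.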
The attacker also gained access to cloud services and downloaded as much data as possible from M365 Exchange, Teams, and SharePoint regarding SCADA and OT systems.
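Mass collection from SharePoint and Exchange of the kind described here leaves a dense cluster of download operations in the tenant’s audit log. The detector below is an added example, not code from CERT Polska or the report: it runs over constructed records modelled on Microsoft 365 Unified Audit Log fields (CreationTime, Operation, UserId, SourceFileName) and flags any account whose densest half hour contains more downloads than a threshold. Users, times, file names, the threshold and the window are all invented or assumed for the demonstration and need tuning against a tenant’s normal activity.

```python
"""Bulk-download detection over constructed Microsoft 365 audit records.
Added example, not code from CERT Polska or the report. Records are modelled
on Unified Audit Log fields (CreationTime, Operation, UserId, SourceFileName);
all users, times and file names are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that represent a client pulling file content down.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def make_sample_audit():
    """Constructed records: one account pulls 40 OT/SCADA documents in ten
    minutes late at night; a second account downloads a handful over the day;
    a non-download operation is mixed in and must be ignored."""
    base = datetime(2025, 12, 28, 22, 0, 0)
    records = []
    for i in range(40):
        records.append({"CreationTime": (base + timedelta(seconds=15 * i)).isoformat(),
                        "Operation": "FileDownloaded", "UserId": "ops.admin@example.test",
                        "SourceFileName": f"SCADA_site_{i:02d}_config.pdf"})
    for h in (8, 10, 13, 15, 17):
        records.append({"CreationTime": datetime(2025, 12, 28, h, 30).isoformat(),
                        "Operation": "FileDownloaded", "UserId": "j.kowalski@example.test",
                        "SourceFileName": f"report_{h}.docx"})
    records.append({"CreationTime": base.isoformat(), "Operation": "FileAccessed",
                    "UserId": "ops.admin@example.test", "SourceFileName": "readme.txt"})
    return records


def detect_bulk_downloads(records, threshold=25, window_minutes=30):
    """For each user, find the densest window of downloads (two-pointer sweep
    over sorted timestamps) and alert if it holds at least `threshold` files."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in DOWNLOAD_OPS:
            by_user[r["UserId"]].append(
                (datetime.fromisoformat(r["CreationTime"]), r["SourceFileName"]))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, items in by_user.items():
        items.sort()
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end
        if best_count >= threshold:
            alerts.append({"user": user, "count": best_count,
                           "first": items[best_start][0].isoformat(),
                           "last": items[best_end][0].isoformat(),
                           "files": [name for _, name in items[best_start:best_end + 1]]})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_downloads(make_sample_audit()):
        print(f'{a["user"]}: {a["count"]} downloads between {a["first"]} and {a["last"]}')
```

A fixed threshold is the simplest form of this rule; in a real tenant the per-user baseline (median daily downloads over the last month, say) is a better bar, and the returned file list is what lets an analyst see immediately that the haul was SCADA and OT documentation rather than routine work.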
Who Carried Out The Attack?
The DynoWiper malware used on the CHP plant shared similarities with wiper malware used by the Russian hacker group “Sandworm.” The PowerShell script used to run the DynoWiper malware also shares some similarities with tools linked to Sandworm.
The LazyWiper malware used on the private manufacturing company was determined to have likely been created by an LLM, and so has no clear attribution or similarity to anything currently known.
Despite there being signs pointing to the Russian Sandworm hacker group, which has a history of attacking Ukrainian power grids, the report could not conclusively hold them responsible, saying: “CERT Polska cannot conclusively determine whether the actor behind the ‘Sandworm’ activity cluster participated in the attack to any extent.” Though given the similarities in the malware, it is not impossible.
A more in-depth description of everything summarized here can be found in CERT Polska’s public English report on the matter: Energy Sector Incident Report – 29 December.