Static Tundra destructive campaign against Polish energy and manufacturing targets
Campaign
Summary
The Static Tundra operation carried out destructive attacks against more than 30 wind and photovoltaic farms, a manufacturing company, and a CHP plant in Poland. The activity disrupted communications between renewable facilities and the grid operator and aimed to interrupt heat supply to end users. The attackers used wiper malware, including DynoWiper and LazyWiper, and gained access through vulnerable Fortinet/FortiGate devices. The campaign also included long-term data theft and cloud credential abuse against M365, broadening the operational risk beyond immediate sabotage.
Related Happenings
FamousSparrow Azerbaijanian oil-and-gas targeting campaign
Campaign
First: 13.05.2026 16:00
Last: 13.05.2026 16:00
Sources 1
About this happening:
The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...
Municipal water and drainage utility provider in Mexico hit by network compromise
Incident
First: 07.05.2026 17:00
Last: 07.05.2026 17:00
Sources 1
About this happening:
A **municipal water and drainage utility provider in Mexico** suffered a **significant IT compromise** that escalated into an attempted attack against **OT infrastructure**, raisi...
FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
Campaign
First: 10.03.2026 18:21
Last: 10.03.2026 18:21
Sources 1
About this happening:
A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...
Fortinet FortiGate CyberStrikeAI-assisted hacking campaign
Campaign
First: 03.03.2026 02:06
Last: 03.03.2026 02:06
Sources 1
About this happening:
An **AI-assisted campaign** targeting **Fortinet FortiGate firewalls** has been tied to **CyberStrikeAI** infrastructure, suggesting automated tooling is helping scale attacks aga...
FortiGate exposed management interface exploitation wave
Exploitation Wave
First: 21.02.2026 16:49
Last: 21.02.2026 16:49
Sources 1
About this happening:
**FortiGate** management interfaces were hit by an **automated exploitation wave** that abused **internet-exposed ports** and **commonly reused credentials** to compromise **600+...
Timeline
- 31.01.2026 09:05 · 1 article
Destructive intrusion on Polish energy and industrial targets
Exploitation Observed: On December 29, 2025, coordinated destructive activity targeted more than 30 wind and photovoltaic farms, a private manufacturing company, and a large combined heat and power plant in Poland. The attackers gained access through vulnerable Fortinet and FortiGate devices, moved through power-substation and Active Directory environments, and deployed wiper malware including DynoWiper and LazyWiper, while attempts to detonate the wipers were unsuccessful.
Sources:
- CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms — thehackernews.com — 31.01.2026 09:05
- 31.01.2026 09:05 · 1 article
Communications disruption without power or heat outage
Victim Impact Update: On December 29, 2025, destructive activity against Polish renewable-energy infrastructure disrupted communication between affected facilities and the distribution system operator, but electricity production continued. The combined heat and power plant did not lose heat supply to end users, so the operational impact remained limited to communications and attempted sabotage rather than achieved service outages.
Sources:
- CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms — thehackernews.com — 31.01.2026 09:05
- 31.01.2026 09:05 · 2 articles
CERT Polska disclosure and attribution update
Initial Disclosure: On January 31, 2026, CERT Polska publicly disclosed the coordinated campaign against Polish energy and industrial targets, attributed it to Static Tundra linked to Russia's FSB Center 16 unit, and noted that ESET and Dragos had associated the activity with Sandworm at moderate confidence. The disclosure also described long-term data theft in the combined heat and power plant case dating back to March 2025, use of credentials from on-premises systems to access M365 services such as Exchange, Teams, and SharePoint, and the deployment of DynoWiper and LazyWiper through FortiGate, SSL-VPN, and Active Directory paths.
Sources:
- CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms — thehackernews.com — 31.01.2026 09:05