Poland's energy sector hit by network compromise
Incident
Summary
A wiper attack hit Poland's energy sector on Dec. 29 and 30, 2025, damaging OT visibility and firmware across more than 30 renewable energy farms and other facilities. The operation mattered because it targeted decentralized energy resources (DERs) and created the potential for wider control failures even though the affected systems reportedly kept producing power. Later technical reporting tied the intrusion path to vulnerable Internet-facing edge devices and confirmed loss of view and control, destroyed HMI data, and corrupted firmware.
Related Happenings
Iranian hackers' ATG cyberattack campaign
Campaign
First: 18.05.2026 18:41
Last: 18.05.2026 18:41
Sources 1
About this happening:
Iranian threat groups launched a **barrage of cyberattacks** after the conflict began, broadening pressure on **US gas-station fuel-monitoring systems** and signaling continued ri...
US government warning on Iran-affiliated critical infrastructure disruption risk
Public Sector Action
First: 18.05.2026 18:41
Last: 18.05.2026 18:41
Sources 1
About this happening:
The **US government** warned that **Iran-affiliated threat actors** were disrupting **US critical infrastructure** through attacks on **Internet-exposed OT devices** across **mult...
China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 23.04.2026 23:52
Last: 23.04.2026 23:52
Sources 1
About this happening:
**China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...
Internet-facing Modbus OT devices with unauthenticated access remain exposed
Target Trend
First: 10.04.2026 16:30
Last: 10.04.2026 16:30
Sources 1
About this happening:
**Internet-facing Modbus OT devices** remain exposed to **unauthenticated access**, with a scan finding **at least 179 devices** and highlighting a broader **critical-infrastructu...
Iranian-affiliated US CNI OT attack campaign
Campaign
First: 08.04.2026 11:15
Last: 08.04.2026 11:15
Sources 1
About this happening:
An **Iranian-affiliated** campaign is actively targeting **US critical national infrastructure providers**, creating **operational disruption** and **financial loss** across multi...
Timeline
-
17.02.2026 23:31 1 articles · 3mo ago
Wiper attacks begin against Poland's energy sector
Exploitation Observed
A destructive wiper operation against Poland's energy sector began on Dec. 29, 2025, targeting renewable energy farms, a private manufacturing company, and a combined heat and power plant. The campaign was described as the first large-scale attack against decentralized energy resources (DERs) such as wind turbines and solar farms.
- Poland Energy Survives Attack on Wind, Solar Infrastructure — www.darkreading.com — 17.02.2026 23:31
-
17.02.2026 23:31 1 articles · 3mo ago
Wiper campaign continues on Dec. 30
Exploitation Observed
The destructive wiper campaign against Poland's energy sector continued on Dec. 30, 2025, extending destructive activity against renewable energy farms, a private manufacturing company, and a combined heat and power plant. The same operation remained focused on decentralized energy resources (DERs) such as wind turbines and solar farms.
- Poland Energy Survives Attack on Wind, Solar Infrastructure — www.darkreading.com — 17.02.2026 23:31
-
17.02.2026 23:31 2 articles · 3mo ago
CISA and Dragos detail OT compromise path and attribution
Technical Analysis Update
CISA said attackers gained initial access through vulnerable Internet-facing edge devices before deploying wipers that damaged remote terminal units (RTUs), destroyed data on human-machine interfaces (HMIs), and corrupted system firmware on OT devices in the affected Polish energy sector. CISA advised OT operators to prioritize firmware-verification updates and change default passwords on edge devices. Dragos assessed with moderate confidence that the activity reflects Electrum tradecraft overlapping with Sandworm, and CERT Polska said elements of the attack overlapped with Berserk Bear.
- Poland Energy Survives Attack on Wind, Solar Infrastructure — www.darkreading.com — 17.02.2026 23:31
- Poland Energy Survives Attack on Wind, Solar Infrastructure — www.darkreading.com — 17.02.2026 23:31