Energy Sector Incident Report

Published 30/04/2026 12:11 · Modified 30/04/2026 10:17

Essential information

Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
combined heat power cve-2024-2617 destructive operations dynowiper energy sector fortigate exploitation impacket industrial control systems lazywiper poland infrastructure renewable energy rubeus wiper attack
Tags
2026-04-30 CVE-2024-2617 combined heat power destructive operations dynowiper energy sector fortigate exploitation impacket industrial control systems lazywiper poland infrastructure renewable energy rubeus wiper attack
Related entities
1 vulnerabilities (cve), 21 indicators, 21 observables, 1 intrusion sets (apt), 4 malware, 3 others

Description

On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access . Multiple types of wiper malware, including and , were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.

External references