On December 29, 2025, attackers launched a coordinated offensive against more than 30 renewable energy plants across Poland, using a custom wiper malware dubbed DynoWiper to destroy the targets' data. The attacks are attributed to a threat cluster known as Static Tundra, which has been targeting operations in the renewable energy sector. The group is also referred to by other monikers, such as Berserk Bear and Sandworm. According to reports, the attackers penetrated the internal systems of electric substation control points tied to these facilities, where they carried out reconnaissance and destructive actions, all with the purpose of undermining system integrity.
The malware has already proven how damaging it can be by bricking the firmware of controllers and wiping out important system files. The cybersecurity firm ESET has discovered at least four different versions of DynoWiper, a reminder of how rapidly this threat is evolving. At the same time, CERT Polska published in-depth analyses of the incidents, exposing the malicious objectives behind the attacks.
Nature and Objectives of the Attacks
According to CERT Polska, “All attacks had a purely destructive objective.” The attackers targeted communication channels for 27 renewable energy facilities and their distribution system operator (DSO). Although these disruptions were alarming, they did not affect the facilities' ability to keep producing electricity. The institute’s reports show that the damage from the attack on the combined heat and power plant missed its intended target: it largely failed to change or upset the heat supply to end users.
The attackers were particularly interested in files pertaining to operational technology (OT) network modernization, and they focused on email communications related to SCADA systems. This indicates a focused effort specifically intended to disrupt the life-cycle management activities of critical infrastructure. The attackers also leveraged credentials from the on-premises environment in an attempt to access cloud services, which should prompt these organizations to re-examine their security practices.
Techniques and Access Methods
The attackers used innovative approaches to gain access to the renewable energy sites. They got in through various accounts used in the device configurations, many of which were hard-coded and therefore had no two-factor authentication enabled. They then took advantage of this gap to communicate through several different Tor nodes. As before, they leaked IP addresses connected to the compromised infrastructure, both domestic and foreign.
As CERT Polska pointed out, the attackers had primarily destructive objectives. Their techniques were cutting-edge, but they did not address data exfiltration. CERT Polska also noted that “The attacker was particularly interested in files and email messages related to OT network modernization,” underscoring the specificity of their targets within the organization’s operational framework.
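As an added example (not code from CERT Polska, ESET or the affected operators), the following sketch shows how a defender could triage sign-in records for the two access patterns described above: successful logins without two-factor authentication arriving from Tor nodes, and on-premises accounts later tried against cloud services. The event layout, account names, the `triage` function and the Tor address list are all assumptions constructed for illustration.

```python
# Added example: all records, account names and addresses below are constructed.
import ipaddress

# Constructed stand-in for a Tor node list (documentation address ranges only).
TOR_EXITS = {ipaddress.ip_address(a) for a in ("203.0.113.7", "198.51.100.23")}

# Constructed sign-in events:
# (timestamp, system, account, source IP, MFA used, login succeeded)
EVENTS = [
    ("2025-12-29T05:01:12Z", "onprem-vpn", "svc_rtu", "203.0.113.7", False, True),
    ("2025-12-29T05:03:40Z", "onprem-vpn", "j.kowalski", "192.0.2.44", True, True),
    ("2025-12-29T05:20:02Z", "cloud", "svc_rtu", "198.51.100.23", False, True),
    ("2025-12-29T05:21:30Z", "cloud", "a.nowak", "198.51.100.23", False, False),
    ("2025-12-29T06:10:00Z", "cloud", "j.kowalski", "192.0.2.44", True, True),
]


def triage(events, tor_exits):
    """Return (timestamp, account, reason) findings in chronological order."""
    findings = []
    onprem_seen = set()  # accounts that have authenticated on-premises so far
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    for ts, system, account, src, mfa, ok in sorted(events):
        from_tor = ipaddress.ip_address(src) in tor_exits
        # Pattern 1: a successful login with no second factor, via a Tor node.
        if ok and from_tor and not mfa:
            findings.append((ts, account, "tor-login-without-mfa"))
        # Pattern 2: an on-premises account used against cloud services via Tor,
        # whether or not the cloud login succeeded.
        if system == "cloud" and from_tor and account in onprem_seen:
            findings.append((ts, account, "onprem-account-tried-against-cloud"))
        if system != "cloud" and ok:
            onprem_seen.add(account)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, TOR_EXITS):
        print(*finding)
```

In a real deployment the Tor list would come from a maintained feed and the events from VPN, device and cloud identity logs; service accounts that cannot use a second factor are the ones worth restricting by source network.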
The Role of DynoWiper
DynoWiper’s core wiping functionality has raised red flags among cybersecurity experts. It leads them to expect that its development would build on progress in areas like large language models (LLMs). This alarming development is a glimpse into an advancing battleground where cyber threats have grown more complex and adaptable. ESET’s analysis suggests, with moderate confidence, that Sandworm, a Russian state-sponsored hacking group, is responsible for these activities. This group, known as Fancy Bear, is infamous for its aggressive cyber operations.
The rapid advancement of malware tools such as DynoWiper makes it all the more difficult for cybersecurity professionals to protect critical infrastructure. As new variants of this malware continue to appear, organizations need to stay one step ahead and take a proactive approach to cybersecurity so that they remain prepared for these threats.

