[KC] Polish power grid attack 2025 #59

@pampalini0909

Context:

On 29 December 2025, during the morning and afternoon hours, coordinated attacks occurred in Poland’s cyberspace. The attacks targeted numerous wind and solar farms, a private company in the manufacturing sector, and a combined heat and power (CHP) plant supplying heat to nearly half a million customers in Poland. All of the attacks were purely destructive in nature – by analogy to the physical world, they can be compared to deliberate acts of arson. It is worth noting that this period coincided with low temperatures and snowstorms affecting Poland, shortly before New Year’s Eve. Based on technical analysis, it can be concluded that all of the aforementioned attacks were carried out by the same threat actor.

These events affected both information systems (IT) and physical industrial equipment (OT), which is rarely observed in attacks reported publicly to date. We are publishing this report to share knowledge about the course of events and the techniques used by the attacker. We hope that this will increase awareness of the real risks associated with cyber sabotage. These attacks represent a significant escalation compared to the incidents we have observed so far.

MITRE ATT&CK Mapping

(two images showing the mapping)

References

https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
