Escalation of Cyber Sabotage
What Happened?

On the morning and afternoon of December 29, 2025, a lone attacker launched coordinated attacks on several critical infrastructure facilities across Poland. These attacks impacted at least 30 wind and solar farms, a private manufacturing company, and a large combined heat and power plant supplying heat to nearly 500,000 customers.

The main objective was to destroy data irreversibly and disrupt operations. The attacks impacted traditional information technology (IT) and operational technology (OT) systems, representing a significant escalation in cyber sabotage. The attackers succeeded in disrupting communications between wind farms and distribution system operators (DSOs). At the combined heat and power plant and the manufacturing company, the attackers used sophisticated "wiper" malware designed to permanently delete files and render systems inoperable.

Theft & Irreversible Destruction of Data | What Are the Consequences?

The consequences of these attacks are serious, ranging from operational failures to potential threats to public safety. Although power generation at the renewable energy plants was not immediately shut down, the loss of remote monitoring and control by the distribution system operator created a high-risk environment. It was possible to disconnect the 30 attacked plants from the power grid.

In the case of the combined heat and power plant, the sabotage targeted systems that were used during a period of high heating demand due to sub-zero temperatures. The irreversible destruction of data on workstations and servers could lead to long-term outages and massive costs for restoring the infrastructure. In addition, the theft of sensitive technical information related to SCADA systems and the modernization of OT networks could provide attackers with the information they need to carry out even more damaging attacks in the future.

Power Grid of Poland, OMICRON

Polish Power Grid

Source: Openstreetmaps and ENTSO-E

Inadequate Password Hygiene
How Did the Attackers Gain Access?

In almost all cases, the primary entry point for attackers was the exploitation of perimeter edge devices, particularly FortiGate firewalls and VPN concentrators. In renewable energy parks, these devices were exposed to the internet and lacked multi-factor authentication (MFA) in their authentication methods. Some of these devices had historical vulnerabilities, including remote code execution flaws that remained unpatched for extended periods.

A recurring problem was the use of default credentials and poor password management. Many OT systems were configured with factory default accounts, such as "Default." 

In the manufacturing sector, an attacker obtained a device's configuration after it was made public in an online criminal forum. Additionally, the industry practice of reusing the same passwords for multiple facilities enabled the attacker to move from one compromised website to many others.

Destruction of OT and IT
What Happened Next?

After gaining access to the networks, the attackers methodically conducted reconnaissance and persistence before ultimately destroying them.

Reconnaissance and lateral movement

They used built-in Windows utilities, such as “ping” and “nslookup,” as well as specialized tools, such as “Advanced Port Scanner,” to map the internal networks. They moved laterally using the Remote Desktop Protocol (RDP).

Data 
exfiltration
 

Before launching destructive payloads, they stole key security resources, including the Active Directory database (ntds.dit), registry hives (SAM and SYSTEM), and FortiGate configuration files. This allowed them to obtain credentials for high-level administrator accounts.

Destructive 
activities (OT)
 

At wind and solar farms, they uploaded corrupted firmware to Hitachi RTU560 controllers, causing the controllers to enter an infinite reboot loop. On Mikronika controllers, the attackers used SSH access to execute commands that deleted all system files. They reset Moxa devices to factory settings and assigned them unreachable IP addresses to delay recovery.

Destructive 
activities (IT)
 

They used two types of malware: DynoWiper, a native C++ binary file, and LazyWiper, a PowerShell script likely generated by an LLM. These wipers targeted specific file extensions and overrode data with pseudo-random sequences to render it unrecoverable.

How can the Damage of Such 
Cyber Attacks Be Reduced?

It is difficult to protect yourself from an attack. However, you can reduce the impact of such attacks by using common security measures.

Remove 
default 
credentials

Change factory-set passwords immediately after deploying industrial and network devices.

Firmware 
and patch 
management

Companies must adhere to an effective process for patching edge devices and OT environments. Patching is particularly complex in OT environments due to their real-time requirements. Therefore, thoroughly assessing vulnerabilities and defining appropriate alternative security measures where necessary is essential.

Multi-factor 
authentication
 

All external services, especially VPNs and cloud services, must require multi-factor authentication to prevent unauthorized access via stolen or guessed passwords.

Network 
segmentation
 

Enforce robust network segmentation to prevent attackers from moving freely between IT and OT environments, even if they obtain administrator rights on a single gateway.

Enhanced Resilience for Greater Protection

To strengthen the resilience of OT in the energy sector, we recommend the following measures :

Use advanced 
monitoring

Protect the perimeter and security zones with seamless monitoring and evaluate the information. A multi-layered defense concept also includes monitoring network traffic within a security zone. If attackers have managed to overcome perimeter protection, anomaly or signature detection can be used to identify and alert malicious activity. Network monitoring (attack detection, intrusion detection systems) can also be a complementary security measure if patching OT systems is not possible.

Secure devices
 

Disable unnecessary services on industrial devices, such as web interfaces or FTP servers, if they are not required for operation.

Check configurations
 

Regularly check firewall rules, VPN access, and assigned permissions to prevent unauthorized and undetected access to critical systems.

Conduct credential 
hygiene

Prohibit the reuse of administrator passwords across different geographic locations or facilities.

Plan incident detection & response

Prepare for security incidents. First and foremost, this includes the ability to detect them in a timely manner. The response, i.e., alerting the right people and knowing what to do (e.g., via playbooks), should be defined in advance and practiced regularly.

Did You Know?

We provide cybersecurity consulting and expert-led trainings for IT and OT.

Contact Us!

We’re looking forward to helping you.

  • Have a question?
  • Need more information?
  • Would you like to request a demo?
Send Us a Message

Resources

Cyber Attack on Poland, OMICRON
30. January 2026

Explained: OT Cyber Attack on Poland

On December 29, 2025, the Polish energy sector was the target of a series of highly coordinated and destructive cyberattacks.

Read this story
StationGuard’s Role in IEC 62443 Cybersecurity
11. December 2025

Where Compliance Meets Visibility

StationGuard’s Role in IEC 62443 Cybersecurity

Read this story
Swiss Regulations, Tibor Külkey
04. November 2025

Swiss Cybersecurity Regulations in the Energy Sector

In order to ensure long-term security of supply, Switzerland has developed specific regulations in recent years that provide operators of critical infrastructure with a clear framework for action.

Read this story
Podcast Episodes with Simon Rommer
03. November 2025

Why Should You Talk About Incident Response?

In our cybersecurity podcast miniseries, experts share why talking about incident response today is key to being prepared tomorrow.

Read this story
Lessons learned from IDS Deployments in Over 100 Energy Facilities
27. October 2025

Lessons learned from IDS Deployments in Over 100 Energy Facilities

This paper presents a comprehensive analysis of the security issues found in over 100 global energy facilities, including substations, power plants, and control centers.

Read this story
IEC 61850 and OMICRON - a long-lasting connection
15. October 2025

A long-lasting connection

IEC 61850 and OMICRON - a long-lasting connection.

Read this story
22. September 2025

Navigating Cybersecurity in Power Systems

In this episode, Simon Rommer explores the critical role of TI and OT power systems cybersecurity with Jose Paredes.

Read this story
Risk Management OT - IT, Jaron Stammler
26. August 2025

Differences in Risk Management Between IT and OT

Understanding risks in operational technology requires a different mindset than in IT — because in OT, digital vulnerabilities can quickly translate into physical consequences.

Read this story
CISA Asset Inventory Guidance
20. August 2025

Asset Inventory Guidance from CISA and BSI

The CISA, in collaboration with the German BSI and other organizations, published recommendations for managing asset inventories.

Read this story
22. July 2025

Major Updates for StationGuard Sensor and GridOps

The new versions of StationGuard Sensor and GridOps are here — with features that further simplify operations and detection across your OT network.

Read this story
Dr Marie Moe, Mandiant Consulting
30. June 2025

Recovery and Decision-Making in Cybersecurity Incident Response

In this episode, Simon Rommer discusses the critical cybersecurity incident response steps of recovery and decision-making with his guest Dr. Marie Moe.

Read this story
OMI­CRON Con­tributes to Nmap Plug-In
02. June 2025

Po­si­tion Pa­per: BSI Cal­ls For More Cy­ber­se­cu­rity in the En­ergy Sec­tor

In the position paper, the German Federal Office for Information Security (BSI) expresses concern over the critical threat situation in the energy sector.

Read this story
Cybersecurity Podcast, Simon Rommer, Stephan Mikiss
02. May 2025

Containment, Eradication and Recovery in Cybersecurity Incident Response

In this episode of the miniseries, Simon Rommer & Stephan Mikiss discuss the steps of containment, eradication & recovery in the incident response process.

Read this story
18. April 2025

Reliable Vulnerability Management in OT systems - Even Without CVE?

On 16 April, funding for the CVE and CWE programs is coming to an end, and with it the continued existence of the CVE database.

Read this story
From NIS2 to StromVV, OMICRON
18. April 2025

From NIS2 to StromVV

The EU's NIS2 Directive and similar regulations in the USA, Singapore, Australia, and Switzerland aim to enhance security measures across various sectors.

Read this story
Cybersecurity Podcast, Simon Rommer, Johann Stockinger
05. March 2025

The Importance of Identification in Cybersecurity Incident Response

Simon Rommer and Johann Stockinger speak about the importance of identification, which is the second step in the incident response process.

Read this story
BSI Handlungsempfehlung
21. February 2025

New Recommended Actions by the BSI

The German Federal Office for Information Security (BSI) has published new recommendations for securing the OT of distribution network operators.

Read this story
Glitre Nett & OMICRON Success Story
29. January 2025

OT Cybersecurity for the South of Norway

Over the next decade, we protect Glitre Nett's operations with StationGuard, providing comprehensive protection against cyber threats in their OT networks.

Read this story
Cybersecurity Podcast, Simon Rommer, Tibor Kuelkey
29. January 2025

Cy­ber­se­cu­rity Pre­pared­ness in the En­ergy Sec­tor

In this episode, Simon Rommer speaks with Tibor Külkey from ALSEC Cybersecurity Consulting, Simon and Tibor discuss the critical importance of preparation.

Read this story
22. January 2025

CISA Releases 13 OT Security Advisories

CISA published 13 security advisories for OT systems. These security advisories describe vulnerabilities in systems that are used in power grids worldwide.

Read this story
OMICRON OT Vulnerability Report 2024
17. December 2024

OMICRON OT Vulnerability Report 2024

By analyzing thousands of vulnerabilities, this report highlights trends in publication, predominant weaknesses, and attack vectors in the OT sector.

Read this story
ISO/IEC 27019:2024 and ISO/IEC 27001:2022, OMICRON
22. November 2024

New Standards for OT Security

A new version of the ISO 27019 standard has just been released. This standard is highly relevant for information security certifications.

Read this story
How to Protect OT Networks from Cyber Attacks
03. November 2024

Unmasking 802.1x Vulnerabilities

Without network access control (NAC), hackers can plug into the Ethernet switches of critical control networks in substations and control centers.

Read this story
NIS2 Directive, OMICRON
16. October 2024

NIS2 - Is It a Miss Too?

Today, October 17, 2024, is the deadline for EU Member States to transpose the NIS2 Directive (2022/2555) into national law.

Read this story
Why Patch Man­age­ment in Power Grid Sub­sta­tions Is Chal­leng­ing?
14. October 2024

Patch Management in Power Grid Substations

Patching assets in power grid substations is a complex task fraught with challenges unique to the OT environment.

Read this story
StationGuard Brochure, OMICRON
06. October 2024

StationGuard Solution

StationGuard simplifies OT security with advanced intrusion detection, asset and vulnerability management, and functional monitoring. This brochure tells you everything you need to know about our benchmark solution.

Read this story
30. September 2024

Which Logs to Collect in a Power Grid OT Environment?

When introducing a SIEM, it is crucial to consider how to integrate OT into the predominant IT system infrastructure.

Read this story
The Hidden Dangers of Windows in OT Networks
17. September 2024

The Hidden Dangers of Windows in OT Networks

Windows devices are omnipresent in information system environments. However, their presence comes with significant security challenges in OT networks.

Read this story
Past & fu­ture OT cy­ber in­ci­dent re­sponse
05. September 2024

Past & Future Disaster Recovery for the Power Grid

In the first episode of our miniseries, Andreas Klien & Simon Rommer explore the critical roles of IT & OT in cyber incident response & disaster recovery.

Read this story
EnergyTalks, Podcast Episode
05. September 2024

Cybersecurity Podcast Miniseries

This miniseries "Cybersecurity in the Power Grid" provides you with a 360-degree view of how you can best safeguard your infrastructure from cyber attacks.

Read this story
Internet Connected OT Devices
25. August 2024

Internet-Connected OT Devices

Are your operational technology (OT) devices connected to external networks? If yes, this presents an alarming but often overlooked threat.

Read this story
CVE-2024-37998
26. July 2024

Critical Vulnerability in Siemens OT Systems

NIST has identified a vulnerability in SICAM SCADA systems that could allow an unauthorized individual to gain administrator rights on the OT systems.

Read this story
Advisories and How to Use Them
12. July 2024

Advisories and How to Use Them

We look at the diverse world of security advisories and how to use them, and the wealth of experience of our experts in developing our OMICRON advisories.

Read this story
Marcel Ströhle, Podcast Episode, OMICRON
03. July 2024

Minimizing Cybersecurity Vulnerabilities at the Hardware Level

Why do hardware devices, in addition to software, need to be secured against cyber threats. OMICRON hardware developer Marcel Ströhle is the guest.

Read this story
Firewalls under Attack, Holger Skaus
20. June 2024

Firewalls Under Attack - How to Protect Your IT/OT Systems

Firewalls are the first line of defense in protecting critical infrastructures in cyberspace. This makes them particularly attractive to attackers.

Read this story
StationGuard 2.40, OMICRON
21. May 2024

StationGuard 2.40 – New Usability Upgrades

The new version brings along many usability upgrades, incl. MMS server availability, improved router behavior, and more …

Read this story
EnergyTalks, Podcast Episode, Part 7
21. May 2024

Cracking the Code: How to Uncover Cyber Attacks on Your System

Learn how the OMICRON cybersecurity experts analyze incoming alarms and reveal hidden dangers that threaten the safety and operations of an entire system.

Read this story
Vulnerability Management, Andreas Klien
14. May 2024

Vulnerability Management in Practice

Gath­er­ ad­vi­sories, up­date your GridOps vul­ner­a­bil­ity data­base, tend to your as­set in­ven­tory, vul­ner­a­bil­ity match­ing, & risk as­sess­ment.

Read this story
NIST - 2024
24. April 2024

NIST Cybersecurity Framework 2.0 at a Glance

On February 26, 2024 the National Institute of Standards and Technology (NIST) published the second version of the NIST Cybersecurity Framework (CSF 2.0).

Read this story
Cybersecurity Regulations
09. April 2024

State of the Art in Vulnerability Management

With the German IT Security Act, energy utility operators are required to adhere to the "state of the art" to manage cyber risks effectively.

Read this story
OMI­CRON Con­tributes to Nmap Plug-In
26. March 2024

OMI­CRON Con­tributes to Nmap Plug-In

We collaborated with the BSI and the Fraunhofer Institute to develop an nmap plug-in for OT networks, enhancing tools for power grid administrators.

Read this story
EnergyTalks, Podcast Episode, Ron Brash, Andreas Klien
13. February 2024

Chances & Risks of Operational Technology in the Energy and Aviation Sectors

Andreas Klien discusses the differences & similarities of using OT technology in the aviation & electrical power industry sectors with his guest Ron Brash.

Read this story
Sarah Fluchs, Andreas Klien, Podcast Episode
11. January 2024

Building trust in digital products used in the power grid

In this podcast episode, Andreas Klien, discusses the security engineering of digital products used in the power grid with his guest, Sarah Fluchs.

Read this story
OMICRON EnergyTalks - Podcast episode
10. January 2024

Experiences & Innovations in Developing Cybersecurity Products

In this podcast episode, Anastasiya and Jaques share their experiences, challenges, and innovations in developing our cybersecurity products.

Read this story
StationGuard Receives Security Certificate from the BSI
16. December 2023

StationGuard Receives Security Certificate from the BSI

The German Federal Office for Information Security (BSI) has tested our StationGuard and awarded us the IT security certificate (BSZ) as a result.

Read this story
CVE-2023-45871 - Finding and Patching a Critical Vulnerability in Linux, Eric Heindl
03. December 2023

At­ten­tion CVE-2023-45871 - Our Story of Finding and Patching a Critical Vulnerability in Linux

You think your linux devices are immune to cyber attacks just because there's no official security advisory? You might be wrong.

Read this story
EnergyTalks, Podcast Episode
05. November 2023

Solving Cybersecurity Problems in Electrical Power Networks

OMICRON cybersecurity analysts Christoph Rheinberger and Eric Heindl share their personal experiences for IT and OT security officers.

Read this story
OMICRON Podcast Episode with Thomas Wolf and Ozan Dayanc
04. October 2023

Why do OT networks need an IDS?

Discover the challenges faced by power providers and practical recommendations for enhancing OT network security.

Read this story
StationGuard Release 2.40
01. October 2023

StationGuard 2.30 – Improved Efficiency for Intrusion Detection

With StationGuard 2.30, you can imrove your workflows. The intrusion detection system (IDS) enables you to monitor Ethernet networks in the power grid.

Read this story
Podcast Episode 2, OMICRON
07. September 2023

Digital Transformation in the Power Industry

In this podcast episode, learn how to successfully implement cybersecurity into critical power system infrastructures with OMICRON cybersecurity experts.

Read this story
Podcast, Andreas Klien, OMICRON
07. September 2023

Vulnerability Management in Substations

Learn how vulnerability management tools ensure a more effective cybersecurity in power grids.

Read this story
Podcast Episode 1, OMICRON
01. September 2023

Bridging the gap between IT and OT

OMICRON cybersecurity expert Benjamin Teudeloff talks about the increasing necessity for power providers to improve their cybersecurity practices.

Read this story
OMICRON Magazine: Security Assessment Findings
29. August 2023

Security Assessment Findings in Substations and Power Plants

Our cybersecurity expert, Ozan Dayanc, reveals insights from global substation security assessments.

Read this story
Video: STW-Kempen
29. August 2023

Cybersecurity from the Control Center to the Substation

Cybersecurity from the Control Center to the Substation - Stadtwerke Kempen is Building a New Substation with OMICRON

Read this story
StationGuard Feature: Search In ZeroLine
18. August 2023

Feature Preview: Device Search in ZeroLine

StationGuard has a a new search feature that makes it easy to find all equipment information in your network.

Read this story
StationGuard Feature: Automatic Device Classification
18. August 2023

Feature Preview: Automatic Device Classification

StationGuard 2.30 will include a new feature that makes it easier than ever to assess and secure your OT network.

Read this story
OMICRON Threat Intelligence (OTI)

OMICRON Threat Intelligence (OTI)

The OTI service bridges the "knowledge gap" between IT and electrical engineering by combining traditional threat intelligence data with deep-seated OT expertise, original manufacturer information, and comprehensive protocol support.

Read this story