ISJ hears exclusively from Itay Glick, General Manager of OT Security and Hardware Engineering at OPSWAT.
Poland’s energy sector woke up on 29 December 2025 to coordinated destruction.
A single threat actor, operating across multiple attack chains simultaneously, hit at least 30 wind and solar farms, a combined heat and power (CHP) plant supplying heat to nearly half a million residents and a manufacturing company.
The timing was deliberate, coming in deep winter with snowstorms across the country and days before New Year’s Eve.
The objective was not financial. There was no ransomware demand. Every action was designed purely to destroy.
In every affected facility, the initial access vector was identical. FortiGate devices – serving as VPN concentrators and firewalls – had their SSL-VPN interface exposed to the internet.
Accounts were statically defined in the device configuration.
None required multi-factor authentication. CERT Polska’s analysis notes that some devices had been vulnerable to remote code execution vulnerabilities over extended prior periods.
The lesson is not that FortiGate is uniquely flawed. Rather, it’s that any internet-exposed remote access interface, operated without MFA and carrying reused credentials, is an open door.
This is not a new finding. It remains the most common initial access vector in operational technology (OT) breaches globally.
The easiest path into critical infrastructure
The energy sector, like many other fields, still faces widespread default-credential issues, one of the most persistent and avoidable weaknesses in industrial environments.
Internal systems, including OT components, network devices and management servers, are still deployed with default credentials that are never changed, or with administrative accounts shared between devices.
Attackers actively look for these gaps first because they offer the fastest and quietest route into a network.
When a default password still works, the attacker simply logs in. There is no need for sophisticated exploits or noisy intrusion attempts.
This is particularly dangerous in OT environments, as internal systems are often widely trusted once access is granted.
From there, attackers can harvest additional credentials, modify configurations and move deeper into operational systems without immediately raising alarms.
In CERT Polska’s report, it’s clear that once inside the network, default credentials were present and active on every class of OT device encountered.
The attack exploited multiple devices, including remote terminal unit (RTU) controllers, servers and human machine interface (HMI) devices.
Meanwhile, in every case where non-default credentials had been configured, the attack failed.
Long dwell, timed detonation
In contrast to attacks on other sectors where attackers tend to flood the networks, those targeting critical infrastructure tend to move quietly and blend into normal activity once the initial breach is achieved.
The CHP plant attack demonstrates this calculated long-game approach.
CERT Polska’s forensic reconstruction documents that the attacker had access to the plant’s network from at least March 2025.
Between March and July, the attacker conducted reconnaissance focused on industrial automation systems, captured screenshots of SCADA interfaces, enumerated domain resources and exfiltrated the entire Active Directory database using standard Windows utilities including vssadmin and certutil.
The attacker also accessed Microsoft 365 services using on-premises credentials, downloading files from Exchange, Teams and SharePoint.
The material of interest: OT network modernisation plans, SCADA documentation and technical work records. This is intelligence collection in preparation for a destructive operation – a pattern consistent with state-sponsored sabotage.
In late December, the attacker returned, gained privileged domain access and deployed DynoWiper, a purpose-built wiper with no C2, no persistence mechanism and no ransom capability, via Group Policy to over 100 machines simultaneously.
A separately deployed LazyWiper written in PowerShell was used against the manufacturing company through the same GPO mechanism.
At the CHP plant, the EDR solution blocked execution through a canary file mechanism – files whose modification triggers an immediate alert.
This intervention halted data destruction across more than 100 machines already running the wiper.
The attacker attempted a modified variant the same day; it was also blocked. EDR saved the plant. The renewable energy farms, with no equivalent endpoint protection on OT devices, were not so fortunate.
The elaborate attack chain demonstrates the kind of subtle, slow-moving threats the energy sector is facing.
Attackers are operating with more resources and patience than normal profit-oriented cyber-criminal groups.
What security teams must do now
Attacks targeting the energy sector often involve highly capable attackers and destructive malware.
Yet their success depends on weaknesses that are far less sophisticated.
There are multiple steps that can be taken now to start closing the foundational weaknesses these attacks seek to exploit.
One of the most immediate priorities is to enforce multi-factor authentication (MFA) on every remote access interface without exception.
Accounts without two-factor authentication are an open door, regardless of network segmentation claims.
Eliminating default credentials is another step that will drastically improve resilience to these attacks.
Change default credentials on every OT device at deployment.
As with the attacks in Poland, threat actors will readily find and exploit multiple devices still running with factory defaults.
Securing these devices should be seen as a basic deployment checklist item, not a security programme.
Related to this, it’s important to audit credential reuse across facilities. Cross-facility credential reuse was identified as the likely mechanism that enabled the simultaneous compromise of 30 installations.
Credential hygiene at a single facility counts for little when the same credentials are shared across a fleet.
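The two credential checks above (factory defaults still in place, and the same password reused across facilities) can be run as one fleet-wide audit. The script below is an added illustration, not code from ISJ, OPSWAT or CERT Polska; the device inventory, the list of known defaults and the audit key are constructed placeholders, and a real run would pull the inventory from the fleet's secrets store rather than a literal in the file.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample inventory: (facility, device, role, username, password).
# In practice this is pulled from the fleet's secrets store, never kept in a file.
INVENTORY = [
    ("wind-north-01", "rtu-01", "rtu", "admin", "admin"),
    ("wind-north-01", "hmi-01", "hmi", "operator", "Sunny-2024-Field"),
    ("solar-east-02", "rtu-01", "rtu", "admin", "Sunny-2024-Field"),
    ("solar-east-02", "fw-01", "firewall", "vpnuser", "Winter!Ops#77"),
    ("chp-plant", "hmi-02", "hmi", "operator", "Winter!Ops#77"),
    ("chp-plant", "rtu-03", "rtu", "admin", "Gx9!tPq2#Lm4vB"),
]

# Constructed list of factory defaults; a real audit uses each vendor's documented defaults.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("operator", "operator")}

# Per-run audit key (placeholder): the report carries keyed digests, never plaintext passwords.
AUDIT_KEY = b"rotate-me-per-audit-run"


def fingerprint(password: str) -> str:
    """Keyed digest of a password; equal passwords give equal digests within one audit run."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def audit(inventory):
    """Return (default_hits, cross_facility_reuse).

    default_hits: [(facility, device)] still using a known factory default.
    cross_facility_reuse: {fingerprint: sorted facilities} for every password seen
    at two or more facilities, which is the pattern that let one set of credentials
    open 30 installations at once.
    """
    default_hits = []
    seen = defaultdict(set)
    for facility, device, _role, user, pw in inventory:
        if (user, pw) in KNOWN_DEFAULTS:
            default_hits.append((facility, device))
        seen[fingerprint(pw)].add(facility)
    reuse = {fp: sorted(f) for fp, f in seen.items() if len(f) > 1}
    return default_hits, reuse


if __name__ == "__main__":
    defaults, reuse = audit(INVENTORY)
    for facility, device in defaults:
        print(f"DEFAULT CREDENTIAL: {facility}/{device}")
    for fp, facilities in reuse.items():
        print(f"CROSS-FACILITY REUSE {fp}: {', '.join(facilities)}")
```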
Additionally, teams should enable firmware signature verification on remote terminal unit (RTU) controllers and verify that it is actually enforced.
These systems are critical to OT environments and are a highly vulnerable target if left outdated and unpatched.
Finally, it’s important to instrument the network for behavioural anomaly detection, not just perimeter rules.
The CHP plant attacker operated inside the environment for nine months.
The reconnaissance was visible in the logs: lateral RDP movement, SMB access to machines with “scada” in their names, LSASS memory dumps, ntds.dit exfiltration via vssadmin and outbound PowerShell to attacker-controlled IPs.
None of these are subtle, and all are detectable through network traffic analysis and protocol-aware OT monitoring.
ICS-specific network visibility tools can baseline normal Modbus, DNP3 and IEC 101 communication patterns and alert on deviations, including the IP-to-serial gateway reconnaissance documented across the renewable energy farms.
In this incident, the absence of behavioural monitoring gave the attacker nine months of uncontested dwell time.
Perimeter firewalls alone did not compensate for that gap.
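The reconnaissance steps listed above (shadow-copy creation with vssadmin, certutil encoding, LSASS access, SMB connections to hosts named "scada", RDP fan-out and PowerShell talking to external IPs) translate directly into host-telemetry detections. The script below is an added example, not CERT Polska's or OPSWAT's tooling; the key=value log format, the event names and the sample events are constructed stand-ins for Sysmon or Windows event data, and the RDP fan-out threshold is an assumption to tune per site.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample events (key=value, one per line) standing in for Windows/Sysmon telemetry.
LOGS = """\
ts=2025-05-02T03:14:00Z host=WS-ENG-07 event=process user=svc-backup cmd="vssadmin create shadow /for=C:"
ts=2025-05-02T03:15:10Z host=WS-ENG-07 event=process user=svc-backup cmd="certutil -encode ntds.dit ntds.txt"
ts=2025-05-02T03:20:00Z host=WS-ENG-07 event=proc_access user=svc-backup target=lsass.exe
ts=2025-05-03T01:02:00Z host=WS-ENG-07 event=smb user=svc-backup dst=SCADA-HIST-01 share=C$
ts=2025-05-03T01:05:00Z host=WS-ENG-07 event=logon type=10 user=svc-backup dst=SRV-DC-01
ts=2025-05-03T01:09:00Z host=WS-ENG-07 event=logon type=10 user=svc-backup dst=SCADA-ENG-02
ts=2025-05-03T01:12:00Z host=WS-ENG-07 event=logon type=10 user=svc-backup dst=HMI-03
ts=2025-05-03T02:00:00Z host=WS-ENG-07 event=netconn image=powershell.exe dst=203.0.113.45
ts=2025-05-03T08:00:00Z host=WS-OPS-02 event=netconn image=powershell.exe dst=10.10.5.20
"""

INTERNAL = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 ranges
RDP_FANOUT = 3  # distinct RDP destinations per source host before we call it lateral movement (assumed)

def parse(line):
    return dict(kv.split("=", 1) for kv in shlex.split(line))

def detect(text):
    """Return a list of (rule, host, detail) findings over the event text."""
    findings, rdp = [], defaultdict(set)
    for line in text.splitlines():
        e = parse(line)
        cmd = e.get("cmd", "").lower()
        if e["event"] == "process" and cmd.startswith("vssadmin") and "create shadow" in cmd:
            findings.append(("shadow_copy_staging", e["host"], cmd))  # ntds.dit staging
        elif e["event"] == "process" and cmd.startswith("certutil") and ("-encode" in cmd or "-urlcache" in cmd):
            findings.append(("certutil_encode_or_download", e["host"], cmd))
        elif e["event"] == "proc_access" and e["target"].lower() == "lsass.exe":
            findings.append(("lsass_access", e["host"], e["user"]))  # credential dumping
        elif e["event"] == "smb" and "scada" in e["dst"].lower():
            findings.append(("smb_to_scada_host", e["host"], e["dst"]))
        elif e["event"] == "logon" and e.get("type") == "10":  # type 10 = RemoteInteractive (RDP)
            rdp[e["host"]].add(e["dst"])
        elif e["event"] == "netconn" and e["image"] == "powershell.exe" and not INTERNAL.match(e["dst"]):
            findings.append(("powershell_external_egress", e["host"], e["dst"]))
    for host, dsts in rdp.items():
        if len(dsts) >= RDP_FANOUT:
            findings.append(("rdp_lateral_fanout", host, ",".join(sorted(dsts))))
    return findings

if __name__ == "__main__":
    for rule, host, detail in detect(LOGS):
        print(f"{rule:28} {host:12} {detail}")
```

Only the internal PowerShell connection from WS-OPS-02 produces no finding; every other constructed event maps to one of the behaviours the report describes.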
The standard has changed
For years, the security community has described OT environments as difficult to protect: legacy protocols, air-gap assumptions, patch-averse operational teams, long device lifecycles.
All of that is real. None of it is an excuse for what the CERT Polska report documents.
Default credentials on production RTUs. FortiGate VPN portals with no MFA. Firmware signature verification disabled.
A threat actor with nine months of undetected access to critical heating infrastructure. These are not advanced attack techniques defeating sophisticated defences.
They are basic hygiene failures meeting a determined, well-resourced adversary.
The 29 December attacks targeted Poland.
The vulnerabilities they exploited exist in OT networks across every country, sector and operator type.
CERT Polska has provided the forensic detail. The question for every OT security team is whether this report changes their posture – or becomes another data point filed and forgotten.
The attacker already knows which side of that decision most organisations land on.
