Coordinated Wiper Attacks Hit 30+ Renewable Farms, Sparking Grid Security Concerns
CERT Polska disclosed a coordinated, destructive cyber campaign on Dec 29, 2025 that hit more than 30 wind/solar farms and a CHP plant, disrupting substation communications but not stopping electricity or heat delivery. The attackers deployed wipers (DynoWiper, LazyWiper) via compromised Fortinet devices and Active Directory, used multiple accounts with no two-factor authentication, and leveraged Tor/IPs to access energy networks, with several variants and likely LLM involvement; data was also exfiltrated from OT/cloud services. Attribution to Static Tundra tied to Russia's FSB is stated by CERT Polska, though some researchers link activity to Sandworm.
