In the world of cybersecurity, some of the most alarming threats are those aimed at the very systems that power our daily lives. I’m Kendra Haines, and today we’re speaking with Rupert Marais, our in-house security specialist, to dissect a recent, sophisticated campaign against Poland’s energy sector. We’ll explore the complex world of state-sponsored attack attribution, unpack why these destructive attempts ultimately failed, and discuss the persistent security gaps that leave our critical infrastructure vulnerable. We’ll also delve into the attackers’ long-term strategies, their use of multiple malware variants, and the growing risks at the intersection of IT and operational technology.
Attribution for major attacks can be complex, with some pointing to groups like Static Tundra and others to Sandworm. What technical factors lead to these differing conclusions, and how should security teams practically use such conflicting intelligence to strengthen their defenses?
It’s a classic intelligence challenge, and it really boils down to what evidence you prioritize. One team, like ESET or Dragos, might see a familiar pattern in the malware’s behavior or its deployment tactics that strongly suggests Sandworm. Another agency, like CERT Polska, might focus on the infrastructure used, like the C2 servers or IP addresses, and find links to Static Tundra’s known footprint. The article mentions that the code similarities between DynoWiper and other Sandworm tools were considered “general,” which shows you how subjective this can be. For the defenders on the ground, the name is secondary. The actionable intelligence is in the “how”: they exploited a vulnerable FortiGate device, they used stolen credentials without 2FA, and they moved laterally to deploy wipers. That’s the blueprint you defend against, regardless of who signed the code.
The recent attacks had destructive intent but ultimately failed to disrupt core services like electricity or heat. What does this reveal about the attackers’ capabilities versus the grid’s resilience? How should organizations measure the severity of a sophisticated but ultimately unsuccessful attack?
This is a critical point. While the attackers failed to cause a blackout, we absolutely cannot dismiss this as a failure on their part. It tells us two things: first, that layered defenses and inherent grid resilience can work, which is the good news. But it also shows a chilling level of intent and access. These weren’t script kiddies; they were inside the network of a combined heat and power plant that serves almost half a million people. They had the access and the tools to cause immense disruption. The severity isn’t just measured by the final outcome. We have to measure it by the potential impact. How deep did they get? How long were they there—in one case, over nine months? What sensitive data, like OT network modernization plans, did they steal? That’s the real damage. The fact that the final payload failed is a lucky break, not a sign of a weak adversary.
Attackers often gain entry through vulnerable perimeter devices and accounts lacking two-factor authentication. Based on your experience, why do these fundamental security gaps persist in critical sectors? Could you outline a three-step process for an organization to immediately harden these common weak points?
It’s frustrating to see these same entry points used time and again, but it often comes down to the immense complexity and age of these environments. You have legacy systems mixed with modern ones, and the operational pressure to maintain uptime often outweighs the pressure to patch or reconfigure. It feels risky to change something that’s working. However, the risk of inaction is far greater. A simple three-step hardening process would be: first, immediate and aggressive patch management on all internet-facing devices like the FortiGate appliances mentioned here. No exceptions. Second, enforce mandatory multi-factor authentication (MFA) on all remote access portals, especially VPNs. The attackers walked right in using accounts without it. Third, conduct a thorough audit of all user accounts, especially statically defined ones in device configurations, and disable any that are not absolutely essential. These simple steps eliminate the low-hanging fruit these advanced attackers feast on.
This campaign used different wipers like DynoWiper and the PowerShell-based LazyWiper. What strategic advantages does an attacker gain by using multiple, distinct malware families? With speculation that one was LLM-assisted, how is this changing the landscape of malware development and detection?
Using multiple wipers is a sophisticated strategy that gives an attacker flexibility and a greater chance of success. Each malware has different characteristics. DynoWiper was deployed directly on HMI machines in one case, but via Active Directory in another. LazyWiper was PowerShell-based. This diversity can help them evade specific security tools; if one wiper is detected and blocked, another might get through. It also complicates attribution, making it harder for us to definitively link the attacks. The speculation about an LLM being used to generate LazyWiper’s core function is a game-changer. It dramatically lowers the barrier to entry for creating custom, effective malware. We’re moving from a world where attackers need deep coding expertise to one where they just need to write a good prompt. For defenders, this means we can no longer rely solely on known signatures; we must double down on behavioral detection to catch what the malware does, not just what it is.
In one case, an adversary stole data for over nine months before attempting a disruptive attack. What does this long-term reconnaissance suggest about their objectives? Please walk us through the signs of such a prolonged, low-and-slow intrusion that security teams might miss.
A nine-month dwell time is terrifying; it signals an adversary with strategic, not opportunistic, objectives. They aren’t just looking for a quick smash-and-grab. They are mapping the entire network, learning the organization’s procedures, and identifying the most critical assets to cause maximum damage. They were specifically hunting for documents on OT network modernization and SCADA systems. This is intelligence gathering for a future, potentially catastrophic, attack. The signs are incredibly subtle, which is why they’re so often missed. You’re not looking for a loud alarm; you’re looking for whispers. Things like a legitimate account logging in from an unusual IP address, even via a Tor node, or accessing files outside of its normal job function. It could be small, anomalous data transfers to the cloud or PowerShell scripts running on a domain controller at an odd time. Without a vigilant, 24/7 security operations center actively hunting for these faint signals, they become invisible.
Attackers leveraged credentials from an on-premises environment to steal sensitive OT-related documents from cloud services like M365. How does this blurring of IT and OT environments create new attack paths? What are the key controls for protecting critical operational data stored in IT systems?
This is the new frontline of industrial cybersecurity. For years, we operated under the assumption of a strong air gap between the IT business network and the OT operational network. That wall has crumbled. The attackers here masterfully demonstrated the risk: they compromised the on-prem IT network and used those credentials to pivot into the M365 cloud environment. There, they found the crown jewels—schematics, modernization plans, and technical details about the SCADA systems. To secure this, organizations must first adopt a zero-trust mindset. Assume credentials can be stolen. Second, implement strict access controls and data classification within cloud services. Why does an account that doesn’t work in engineering need access to SharePoint sites containing OT blueprints? Finally, you need robust monitoring that correlates activity between your on-prem and cloud environments to spot an attacker using credentials in both places.
What is your forecast for cyber attacks targeting renewable energy infrastructure?
I believe attacks on renewable energy sources will escalate significantly in both frequency and sophistication. As we’ve seen with the attacks on over 30 wind and solar farms in Poland, this sector is now squarely in the crosshairs of state-sponsored actors. These facilities are becoming more critical to the grid, but they are also highly distributed and digitally connected, which expands the attack surface. We’re going to see attackers move beyond simple disruption and attempt to manipulate energy generation to cause grid instability. They will continue to exploit the convergence of IT and OT systems, using vulnerabilities in one to attack the other. The future of these attacks will be stealthier, more patient, and aimed not just at a single facility, but at the fragile trust that holds our entire energy ecosystem together.
