2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with the Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | During the 2025 Poland Wiper Attacks, the adversaries configured the FortiGate devices to send notifications to an attacker-controlled Slack channel. During the 2025 Poland Wiper Attacks, the adversaries had also staged tools and files on services such as Dropbox and Pastebin.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | During the 2025 Poland Wiper Attacks, the adversaries compressed stolen files into a zip file prior to exfiltration.[1] |
| Enterprise | T1110.002 | Brute Force: Password Cracking | During the 2025 Poland Wiper Attacks, the adversaries attempted to crack user passwords.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | During the 2025 Poland Wiper Attacks, the adversaries utilized the Linux |
| Enterprise | T1059.008 | Command and Scripting Interpreter: Network Device CLI | During the 2025 Poland Wiper Attacks, the adversaries leveraged the native CLI of the targeted FortiGate device.[1] |
| Enterprise | T1584.001 | Compromise Infrastructure: Domains | During the 2025 Poland Wiper Attacks, the adversaries compromised infrastructure to use for C2.[4] |
| Enterprise | T1584.003 | Compromise Infrastructure: Virtual Private Server | During the 2025 Poland Wiper Attacks, the adversaries used compromised VPS servers for C2.[1] |
| Enterprise | T1584.008 | Compromise Infrastructure: Network Devices | During the 2025 Poland Wiper Attacks, the adversaries used compromised Cisco routers for network communications.[1] |
| Enterprise | T1555 | Credentials from Password Stores | During the 2025 Poland Wiper Attacks, the adversaries configured a native CLI to gather a targeted elevated user's password using |
| Enterprise | T1485 | Data Destruction | During the 2025 Poland Wiper Attacks, the adversaries utilized wiper malware to overwrite files using a 16-byte buffer that fully overwrites files of 16 bytes or smaller and partially overwrites files larger than 16 bytes to speed up the process.[3][4] |
| Enterprise | T1530 | Data from Cloud Storage | During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials within cloud services to download targeted data from SharePoint and Teams.[1] |
| Enterprise | T1602.002 | Data from Configuration Repository: Network Device Configuration Dump | During the 2025 Poland Wiper Attacks, the adversaries gathered and used the FortiGate bookmarks defined in the configuration file, including the statically defined credentials that facilitated RDP connections to jump hosts.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During the 2025 Poland Wiper Attacks, the adversaries compiled discovery data locally on the victim host in a file located within |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During the 2025 Poland Wiper Attacks, the adversaries decoded a Base64-encoded ZIP archive using the built-in certutil.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | During the 2025 Poland Wiper Attacks, the adversaries observed that their malware was initially detected by the victims' EDR solutions, so they modified the payload and attempted to execute the new version within the same day.[1][3][4] |
| Enterprise | T1006 | Direct Volume Access | During the 2025 Poland Wiper Attacks, the adversaries copied volume shadow copies through executing |
| Enterprise | T1686.002 | Disable or Modify System Firewall: Network Device Firewall | During the 2025 Poland Wiper Attacks, the adversaries modified security settings within the victims' FortiGate device, utilizing the native CLI. During the 2025 Poland Wiper Attacks, the adversaries also disabled network traffic logging.[1] |
| Enterprise | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | During the 2025 Poland Wiper Attacks, the adversaries had leveraged Group Policy Objects to distribute wiper malware to victim devices through a network share.[1] |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials within cloud services to gather data and email messages from Exchange services related to OT topics and technical work carried out within organizations.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | During the 2025 Poland Wiper Attacks, the adversaries exfiltrated data to actor-controlled infrastructure using HTTP POSTs.[1] |
| Enterprise | T1567.004 | Exfiltration Over Web Service: Exfiltration Over Webhook | During the 2025 Poland Wiper Attacks, the adversaries leveraged an attacker-controlled Slack channel to exfiltrate data.[1] |
| Enterprise | T1133 | External Remote Services | During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | During the 2025 Poland Wiper Attacks, the adversaries obtained the contents of users' directories using |
| Enterprise | T1495 | Firmware Corruption | During the 2025 Poland Wiper Attacks, adversaries performed a factory reset on compromised devices that hampered forensic investigations.[1] |
| Enterprise | T1590.006 | Gather Victim Network Information: Network Security Appliances | During the 2025 Poland Wiper Attacks, the adversaries obtained details on the configuration of the victim Fortinet perimeter device, including publicly disclosed details on an online forum used by criminal communities.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During the 2025 Poland Wiper Attacks, the adversaries downloaded malicious payloads to the victim server.[1] |
| Enterprise | T1490 | Inhibit System Recovery | During the 2025 Poland Wiper Attacks, the adversaries deleted Windows Volume Shadow Copies using |
| Enterprise | T1570 | Lateral Tool Transfer | During the 2025 Poland Wiper Attacks, the adversaries had placed the malicious payload on an accessible network share to facilitate propagation.[1][3][4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | During the 2025 Poland Wiper Attacks, the adversaries created rules that mimicked the name of an institution already present in the network device configuration to avoid detection.[1] |
| Enterprise | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | During the 2025 Poland Wiper Attacks, the adversaries modified two-factor settings within the FortiGate solution to |
| Enterprise | T1046 | Network Service Discovery | During the 2025 Poland Wiper Attacks, the adversaries utilized Ping, Advanced Port Scanner and Advanced IP Scanner to enumerate network devices.[1] |
| Enterprise | T1571 | Non-Standard Port | During the 2025 Poland Wiper Attacks, the adversaries had created a reverse SOCKS proxy and communicated over the non-standard port 8008.[1][4] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During the 2025 Poland Wiper Attacks, the adversaries utilized a Base64-encoded ZIP archive to prevent content analysis.[1] |
| Enterprise | T1588.007 | Obtain Capabilities: Artificial Intelligence | During the 2025 Poland Wiper Attacks, the adversaries generated a custom script with an LLM.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | During the 2025 Poland Wiper Attacks, the adversaries attempted to dump credentials from LSASS.[1][4] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | During the 2025 Poland Wiper Attacks, the adversaries had stolen the Security Account Manager (SAM) and SYSTEM registry hives.[1] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | During the 2025 Poland Wiper Attacks, the adversaries dumped the entire Active Directory database by extracting the contents of the ntds.dit file.[1] |
| Enterprise | T1057 | Process Discovery | During the 2025 Poland Wiper Attacks, the adversaries enumerated currently running processes using |
| Enterprise | T1090 | Proxy | During the 2025 Poland Wiper Attacks, the adversaries utilized the rsocx tool identified as |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2.[1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | During the 2025 Poland Wiper Attacks, adversaries utilized RDP to log into jump hosts and then moved laterally to other victim devices, including a domain controller.[1] |
| Enterprise | T1053 | Scheduled Task/Job | During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary-generated CLI scripts weekly.[1] |
| Enterprise | T1113 | Screen Capture | During the 2025 Poland Wiper Attacks, the adversaries captured screenshots of devices using |
| Enterprise | T1608.002 | Stage Capabilities: Upload Tool | During the 2025 Poland Wiper Attacks, the adversaries had staged tools and files for use on Dropbox and Pastebin.[1] |
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | During the 2025 Poland Wiper Attacks, the adversaries used the Rubeus tool to forge a Diamond Ticket, a modified legitimate Kerberos ticket.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During the 2025 Poland Wiper Attacks, the adversaries gathered network configuration details utilizing |
| Enterprise | T1049 | System Network Connections Discovery | During the 2025 Poland Wiper Attacks, the adversaries identified network connections utilizing |
| Enterprise | T1529 | System Shutdown/Reboot | During the 2025 Poland Wiper Attacks, the adversaries forced victim devices to reboot to finalize destruction of impacted systems.[3][4] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | During the 2025 Poland Wiper Attacks, the adversaries attempted to reuse password hash values to gain access to other systems.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During the 2025 Poland Wiper Attacks, threat actors utilized privileged accounts to access the FortiGate VPN solution and subsequent subnets.[1] |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials from on-premises environments to access cloud services.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | During the 2025 Poland Wiper Attacks, the adversaries had communicated with both Dropbox and Pastebin.[1] |
| ICS | T0892 | Change Credential | During the 2025 Poland Wiper Attacks, the adversaries changed the login password of Moxa NPort Serial Device Servers to impede system recovery.[1] |
| ICS | T0807 | Command-Line Interface | During the 2025 Poland Wiper Attacks, the adversaries executed PowerShell commands on the Human Machine Interface (HMI) to make configuration changes that enabled administrative shares and created a new firewall rule to enable traffic over port 445, as well as to conduct network reconnaissance activities.[1] During the 2025 Poland Wiper Attacks, the adversaries executed PowerShell commands on the domain controller that collected and exfiltrated the SAM and SYSTEM registry hives and the Active Directory database (ntds.dit).[1] During the 2025 Poland Wiper Attacks, the adversaries logged into the Mikronika RTUs via SSH, with root privileges, and executed Linux commands to delete all the files on the system, resulting in device failure.[1] |
| ICS | T0885 | Commonly Used Port | During the 2025 Poland Wiper Attacks, the adversaries enabled TCP port 445 on Mikronika HMI devices by creating a new firewall rule named "Microsoft Update".[1] |
| ICS | T0809 | Data Destruction | During the 2025 Poland Wiper Attacks, the adversaries used DynoWiper and built-in commands to destroy data on Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations.[1] During the 2025 Poland Wiper Attacks, the adversaries used LazyWiper to destroy data at a manufacturing sector company.[1] |
| ICS | T0816 | Device Restart/Shutdown | During the 2025 Poland Wiper Attacks, the adversaries corrupted the firmware in the Hitachi RTUs, resulting in a fault that triggered a reboot loop.[1] |
| ICS | T0822 | External Remote Services | During the 2025 Poland Wiper Attacks, the adversaries gained initial access by compromising Fortinet edge devices.[1] |
| ICS | T0823 | Graphical User Interface | During the 2025 Poland Wiper Attacks, the adversaries used a graphical user interface (GUI) via the Remote Desktop Protocol (RDP) to access the Mikronika HMI and to execute commands.[1] During the 2025 Poland Wiper Attacks, the adversaries used a graphical user interface (GUI) to connect to the domain controller via the Remote Desktop Protocol (RDP) to collect and exfiltrate data and attempt to destroy data on the system.[1] |
| ICS | T1694.001 | Insecure Credentials: Default Credentials | During the 2025 Poland Wiper Attacks, the adversaries used default credentials to access Hitachi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI computers, and Moxa NPort Serial Device Servers.[1] |
| ICS | T0827 | Loss of Control | During the 2025 Poland Wiper Attacks, the adversaries damaged the Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations, resulting in a loss of communications and control between the facility and the distribution system operators (DSO).[1] |
| ICS | T0829 | Loss of View | During the 2025 Poland Wiper Attacks, the adversaries wiped devices and also damaged Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations, resulting in a loss of communications and view between the facility and the distribution system operators (DSO).[1][2] |
| ICS | T1693.001 | Modify Firmware: System Firmware | During the 2025 Poland Wiper Attacks, the adversaries corrupted the firmware in the Hitachi RTUs, resulting in a fault that triggered a reboot loop.[1] |
| ICS | T0840 | Network Connection Enumeration | During the 2025 Poland Wiper Attacks, the adversaries used |
| ICS | T0886 | Remote Services | During the 2025 Poland Wiper Attacks, the adversaries gained initial access to the operational technology via the compromised Fortinet edge devices, and used SSH, RDP, and SMB/Windows Admin Shares to connect to remote systems and execute commands.[1] |
| ICS | T0846 | Remote System Discovery | During the 2025 Poland Wiper Attacks, the adversaries used |
| ICS | T0846.001 | Remote System Discovery: Port Scan | During the 2025 Poland Wiper Attacks, the adversaries used Advanced Port Scanner and Advanced IP Scanner to conduct remote system discovery activities.[1] |
| ICS | T0846.002 | Remote System Discovery: Broadcast Discovery | During the 2025 Poland Wiper Attacks, the adversaries used |
| ICS | T0888 | Remote System Information Discovery | During the 2025 Poland Wiper Attacks, the adversaries remotely executed commands on systems using PsExec to gather information about running processes, network connections, routing tables, the ARP cache, and the contents of user directories.[1] |
| ICS | T0852 | Screen Capture | During the 2025 Poland Wiper Attacks, the adversaries used the |
| ICS | T0882 | Theft of Operational Information | During the 2025 Poland Wiper Attacks, the adversaries stole sensitive operational information that was used to plan the attack on the operational technology systems.[1] |
| ICS | T0859 | Valid Accounts | During the 2025 Poland Wiper Attacks, the adversaries used valid accounts to access Hitachi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI computers, and Moxa NPort Serial Device Servers.[1] |
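Several of the FortiGate entries above (T1053 scheduled CLI scripts, T1556.006 two-factor changes, T1583.006 and T1567.004 Slack notifications, T1686.002 disabled traffic logging, T1036.005 look-alike rule names) are visible in the device's exported configuration. The following is an added example, not code from the ATT&CK page or from Fortinet: a small parser for the nested `config`/`edit`/`set`/`next`/`end` text that FortiGate devices export, plus a baseline audit that flags those settings. The sample configuration is constructed, and the option names (`auto-script`, `two-factor`, `automation-action`, `logtraffic`) are the ones assumed to appear in a FortiOS export; check them against the export of your own firmware version.

```python
"""Baseline audit of a FortiOS-style configuration export (added example)."""
import re
import shlex

# Constructed sample export; object names and the webhook path are placeholders.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set two-factor fortitoken
    next
    edit "svc-backup"
        set accprofile "super_admin"
        set two-factor disable
    next
end
config system auto-script
    edit "maint"
        set interval 604800
        set repeat 0
        set start auto
        set script "get system status"
    next
end
config system automation-action
    edit "notify-ops"
        set action-type slack-notification
        set uri "hooks.slack.com/services/PLACEHOLDER"
    next
end
config firewall policy
    edit 1
        set name "Energy-Co VPN"
        set logtraffic all
    next
    edit 2
        set name "Energy Co VPN"
        set logtraffic disable
    next
end
"""

def parse_fortios(text: str) -> dict:
    """Turn FortiOS CLI config text into nested dicts: table -> entry -> settings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quoted values in the export
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

# Automation action types that push data to an external service (assumed FortiOS values).
NOTIFY_TYPES = {"slack-notification", "microsoft-teams-notification", "webhook"}

def audit(cfg: dict) -> list:
    """Return (rule, object, detail) findings for settings worth a human review."""
    findings = []
    # T1053: CLI scripts scheduled to run on an interval (the campaign used weekly runs).
    for name, e in cfg.get("system auto-script", {}).items():
        findings.append(("scheduled-cli-script", name, f"interval={e.get('interval', '?')}s"))
    # T1556.006: administrators whose two-factor setting is off (the FortiOS default).
    for name, e in cfg.get("system admin", {}).items():
        if e.get("two-factor", "disable") == "disable":
            findings.append(("admin-without-2fa", name, e.get("accprofile", "")))
    # T1583.006 / T1567.004: notifications pushed to an external webhook or chat service.
    for name, e in cfg.get("system automation-action", {}).items():
        if e.get("action-type") in NOTIFY_TYPES:
            findings.append(("outbound-notification", name, e.get("uri", e.get("action-type"))))
    policies = cfg.get("firewall policy", {})
    seen = {}
    for pid, e in policies.items():
        pname = e.get("name", "")
        # T1686.002: traffic logging switched off on a policy.
        if e.get("logtraffic") == "disable":
            findings.append(("policy-logging-disabled", pid, pname))
        # T1036.005: a policy name that is a near-duplicate of an existing one.
        key = re.sub(r"[^a-z0-9]", "", pname.lower())
        if key in seen and seen[key][1] != pname:
            findings.append(("lookalike-policy-name", pid,
                             f"{pname!r} resembles {seen[key][1]!r} (policy {seen[key][0]})"))
        else:
            seen.setdefault(key, (pid, pname))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(*finding, sep="\t")
```

Run it against a real export by reading the file into `parse_fortios`; the value of the audit comes from diffing its findings against a baseline taken when the device was known-good, since a scheduled script or a disabled-logging policy that has always existed is far less interesting than one that appeared last week.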
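The T1485 entry states that the wiper uses a 16-byte buffer, so files of 16 bytes or less are fully overwritten while larger files lose only their first 16 bytes. That has a practical consequence for recovery: formats whose integrity structures sit at the end of the file (the ZIP central directory, the PDF trailer, the PNG IEND chunk) keep their bodies. The following is an added example, not code from the ATT&CK page or from any vendor report, showing a triage routine that separates "header wiped, body present" files from intact ones without needing to know the wiper's buffer contents, and that lists which members of a header-wiped ZIP still extract. The sample archive is constructed in memory; the 16-byte damage in the demo is simulated on that sample only.

```python
"""Triage of files hit by a head-only (first 16 bytes) overwrite (added example)."""
import io
import os
import zipfile

WIPE_LEN = 16  # buffer size stated in the campaign description

# Leading magic bytes of a few common formats (well-known public values).
MAGIC = {
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".exe": b"MZ", ".dll": b"MZ",
}

# Trailing structures that a head-only overwrite cannot reach.
def _zip_tail_ok(data: bytes) -> bool:
    # End-of-central-directory record: 22 bytes plus up to 64 KiB of comment.
    return b"PK\x05\x06" in data[-(22 + 65535):]

def _pdf_tail_ok(data: bytes) -> bool:
    return b"%%EOF" in data[-1024:]

def _png_tail_ok(data: bytes) -> bool:
    return data.rstrip(b"\r\n").endswith(b"IEND\xaeB`\x82")

TAIL_CHECK = {
    ".zip": _zip_tail_ok, ".docx": _zip_tail_ok, ".xlsx": _zip_tail_ok,
    ".pdf": _pdf_tail_ok, ".png": _png_tail_ok,
}

def assess(data: bytes, ext: str) -> str:
    """Classify one file's bytes given its extension."""
    ext = ext.lower()
    if len(data) <= WIPE_LEN:
        # A file this small is overwritten entirely; nothing survives to compare.
        return "too_small_to_assess"
    magic = MAGIC.get(ext)
    if magic is None:
        return "unknown_format"
    if data.startswith(magic):
        return "intact"
    tail = TAIL_CHECK.get(ext)
    if tail is not None and tail(data):
        return "header_wiped_body_present"
    return "header_mismatch"

def recoverable_zip_entries(data: bytes) -> list:
    """Names of ZIP members that still extract after the leading bytes were destroyed.

    The central directory at the end of the file is intact, so the archive opens;
    only members whose local header fell inside the first 16 bytes (normally just
    the first one) fail the per-entry signature check.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    good = []
    with zf:
        for info in zf.infolist():
            try:
                zf.read(info.filename)
                good.append(info.filename)
            except (zipfile.BadZipFile, OSError, ValueError):
                continue
    return good

def scan_tree(root: str) -> dict:
    """Walk a directory and return {path: verdict} for every readable regular file."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            verdicts[path] = assess(data, os.path.splitext(name)[1])
    return verdicts

def make_sample_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP; constructed test data, not a real artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()

if __name__ == "__main__":
    good = make_sample_zip({"a.txt": "first entry", "b.txt": "second entry"})
    damaged = b"\x00" * WIPE_LEN + good[WIPE_LEN:]   # simulated head-only damage
    print(assess(damaged, ".zip"), recoverable_zip_entries(damaged))
```

`scan_tree` gives a per-file verdict across a recovered volume image; the `header_wiped_body_present` bucket is where carving and format-specific repair are worth the effort, and the `too_small_to_assess` bucket is where restoring from backup is the only option.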
| ID | Name | Description |
|---|---|---|
| S0099 | Arp | During the 2025 Poland Wiper Attacks, the adversaries used Arp to write to a file named outlog.txt, including: currently running processes, network connections, routing tables, the ARP cache, and the contents of user directories.[1] |
| S0160 | certutil | During the 2025 Poland Wiper Attacks, the adversaries decoded a Base64-encoded ZIP archive using the built-in certutil.[1] |
| S9038 | DynoWiper | DynoWiper was used for destructive attacks during the 2025 Poland Wiper Attacks.[1][3] |
| S0357 | Impacket | During the 2025 Poland Wiper Attacks, the adversaries used Impacket for lateral movement.[1] |
| S9039 | LazyWiper | LazyWiper was used to conduct destructive attacks during the 2025 Poland Wiper Attacks.[1] |
| S0104 | netstat | During the 2025 Poland Wiper Attacks, the adversaries used netstat to conduct reconnaissance, running |
| S0097 | Ping | During the 2025 Poland Wiper Attacks, the adversaries had utilized Ping to enumerate network devices.[1] |
| S0029 | PsExec | During the 2025 Poland Wiper Attacks, the adversaries used PsExec to execute programs on target machines.[1] |
| S1071 | Rubeus | During the 2025 Poland Wiper Attacks, the adversaries used the Rubeus tool to forge a Diamond Ticket, a modified legitimate Kerberos ticket.[1][4] |
| S0057 | Tasklist | During the 2025 Poland Wiper Attacks, the adversaries used Tasklist for reconnaissance activities, running |
| S0183 | Tor | During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2.[1] |