Okay my people, let’s talk about something serious. No hype, no Hollywood. This is real-world OT pain.
On 29 December 2025, Poland was hit by what we now know to be one of the clearest examples in years of a purely destructive cyberattack against energy infrastructure. We know this because CERT Polska later published a detailed public report laying it out, clearly and without drama. Not espionage. Not ransomware. Not “pay me and I go away.”
This was digital arson. Burn it and walk away.
The public report from CERT Polska doesn’t mince words, and as someone who’s lived in OT environments for many years, believe me, this one hits close to home.
Let me break it down for you. Clear and direct.
The attackers hit 30+ wind and solar farms, a large combined heat and power plant, and even a manufacturing company. But here’s the key point many headlines miss.
Electricity kept flowing.
The national grid stayed stable.
So why does this matter? Because the goal wasn’t blackout drama. The goal was destruction of control, visibility, and trust.
At renewable sites, the attackers focused on grid connection point substations, the nerve center where generation talks to the distribution operator. They didn’t touch turbines or panels. They went after remote control and telemetry. Boom. Operators blind and hands tied.
Some industrial devices? Permanently damaged. Bricked. Finished.
That’s new territory, friend.
A Hybrid IT + OT Smash
At the CHP plant and manufacturing company, the attackers tried something different. Classic enterprise-style wiper malware, designed to erase systems beyond recovery.
One of those attempts was stopped by EDR just in time. That detail alone should make every OT manager sit up straight.
This was not “OT-only” or “IT-only”. This was hybrid sabotage, mixing Windows domain abuse with physical device destruction.
That combination is where things get dangerous. Very dangerous.
No Zero-Days. Just Bad Hygiene.
Here’s the part that hurts to say.
The attackers didn’t need fancy exploits.
They walked in through internet-exposed edge devices, mainly VPN and firewall gear, without MFA, sometimes protected by default credentials. From there, they pivoted straight into OT.
Inside substations, they found devices from well-known vendors like Hitachi Energy, Moxa, and Mikronika.
And what did they find?
Default passwords.
Vendor accounts that should’ve been disabled.
Management interfaces exposed like it’s still 2005.
Listen carefully, family: default credentials are not a low-risk issue. In this case, they led directly to malicious firmware uploads, relay manipulation, and factory resets of serial servers that cut off legitimate access.
This is how OT gets hurt without touching a PLC ladder once.
Wipers in the Control Room
On the IT side, the attackers used two wiper families, DynoWiper and LazyWiper, deployed through Active Directory.
And this is where it gets extra spicy.
The malware was pushed using Group Policy from a domain controller, creating scheduled tasks with very boring names like “Custom GPO Task.” Nothing flashy. Nothing clever.
CERT Polska even notes that one of the scripts looks like it was largely LLM-generated. No signature style. No attribution breadcrumbs.
That should worry defenders. Because it means destructive malware is getting easier to write, not harder.
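Here is what “monitor Active Directory like an attacker lives there” can look like for this exact pattern. This is an added example, not code from the post or from the CERT Polska report: it runs a few heuristics over constructed Windows Security Event ID 4698 (“A scheduled task was created”) records and correlates them across hosts, flagging a task that has a generic name, runs a script interpreter against a file in SYSVOL/NETLOGON (where Group Policy scripts live), and shows up on many machines within minutes. The field names, the sample events, the thresholds and the regexes are all assumptions of this example, not indicators from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskCreated:
    """Reduced view of a 4698 event; field names are this example's own."""
    host: str        # computer the event was logged on
    subject: str     # account that created the task
    task_name: str   # task name as shown in the event, e.g. "\\Custom GPO Task"
    command: str     # action the task executes
    minute: int      # minutes since the start of the collection window (constructed)


# Constructed sample events. Not real telemetry and not from the CERT Polska report.
PUSHED = r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\run.bat"
SAMPLE_EVENTS = [
    TaskCreated("WS-ENG-01", "SYSTEM", "\\Custom GPO Task", PUSHED, 0),
    TaskCreated("WS-ENG-02", "SYSTEM", "\\Custom GPO Task", PUSHED, 1),
    TaskCreated("SRV-HIST-01", "SYSTEM", "\\Custom GPO Task", PUSHED, 1),
    TaskCreated("SRV-FILE-02", "SYSTEM", "\\Custom GPO Task", PUSHED, 2),
    TaskCreated("WS-ADM-07", "CORP\\jdoe", "\\Microsoft\\Windows\\Backup\\NightlyBackup",
                r"C:\Program Files\Backup\backup.exe --full", 300),
    TaskCreated("SRV-SQL-01", "CORP\\svc_sql", "\\Maintenance\\IndexRebuild",
                r"powershell.exe -File C:\ops\rebuild.ps1", 420),
]

# Heuristics (assumptions of this example): a bland "Custom GPO Task"-style name,
# an action that runs from the domain's SYSVOL/NETLOGON share, and a script interpreter.
GENERIC_NAME = re.compile(r"^(custom\s+)?(gpo\s+)?task\d*$", re.I)
SYSVOL_PATH = re.compile(r"\\\\[^\\]+\\(sysvol|netlogon)\\", re.I)
INTERPRETER = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I)


def event_reasons(ev: TaskCreated) -> list[str]:
    """Per-event reasons for suspicion; an empty list means nothing stood out."""
    reasons = []
    if GENERIC_NAME.match(ev.task_name.strip("\\")):
        reasons.append("generic task name")
    if SYSVOL_PATH.search(ev.command):
        reasons.append("action runs a file from SYSVOL/NETLOGON")
    if INTERPRETER.search(ev.command):
        reasons.append("action is a script interpreter")
    return reasons


def fleet_push(events, window_minutes: int = 15, min_hosts: int = 3) -> dict[str, list[str]]:
    """Task names created on at least min_hosts distinct hosts inside one time window.

    A Group Policy push lands the same task on many machines within a refresh cycle,
    so fan-out across hosts is the signal here, independent of the task's content.
    """
    by_name: dict[str, list[TaskCreated]] = defaultdict(list)
    for ev in events:
        by_name[ev.task_name].append(ev)
    pushed = {}
    for name, evs in by_name.items():
        evs.sort(key=lambda e: e.minute)
        best: set[str] = set()
        for start in evs:  # sliding window anchored at each event
            hosts = {e.host for e in evs
                     if start.minute <= e.minute <= start.minute + window_minutes}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            pushed[name] = sorted(best)
    return pushed


def find_suspicious(events, window_minutes: int = 15, min_hosts: int = 3):
    """Return (host, task_name, reasons) for events with two or more reasons."""
    pushed = fleet_push(events, window_minutes, min_hosts)
    findings = []
    for ev in events:
        reasons = event_reasons(ev)
        if ev.task_name in pushed:
            reasons.append(f"same task created on {len(pushed[ev.task_name])} hosts "
                           f"within {window_minutes} min")
        if len(reasons) >= 2:  # one weak signal alone (e.g. PowerShell) is normal ops
            findings.append((ev.host, ev.task_name, reasons))
    return findings


if __name__ == "__main__":
    for host, name, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {name} -> {'; '.join(reasons)}")
```

The two legitimate tasks in the sample each trigger at most one heuristic and are left alone; the four copies of the pushed task trip every rule plus the fan-out check. In a real SIEM you would feed 4698 events (or Sysmon process-creation events for the task's action) into the same logic and tune the window to your Group Policy refresh interval.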
Who Did It? Carefully, With Discipline
Attribution is always tricky, and CERT Polska did something refreshing. They were disciplined.
Based mainly on infrastructure overlap, they link the activity to the cluster known publicly as Ghost Blizzard, also tracked as Static Tundra, Berserk Bear, or Dragonfly. Names change, tradecraft rhymes.
They also explicitly say: similarities to Sandworm-style wipers exist, but not enough to be confident.
That honesty matters. In security, overconfidence is a vulnerability too.
The Big OT Lesson, My People
Let me be very clear.
This incident teaches us three brutal truths:
- You can brick OT devices without zero-days.
- You can disrupt grid operations without stopping generation.
- You can blend IT and OT attacks into one destructive campaign.
If your substations rely on exposed management planes, shared credentials, or flat networks, you are not “low priority”. You are easy.
And attackers love easy.
What You Should Be Doing Right Now
Not next year. Not after the audit. Now.
Immediately
- Kill all default credentials. Every RTU, relay, HMI, serial server. No excuses.
- Enforce MFA on VPNs and edge devices. Always.
- Pull OT management interfaces off the internet. Period.
Next
- Segment IT, DMZ, and OT like your job depends on it. Because it does.
- Lock down firmware updates. No unsigned images. No cowboy upgrades.
- Monitor Active Directory like an attacker lives there. Because sometimes, they do.
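One concrete way to enforce “no unsigned images, no cowboy upgrades” on the operator side, added here as an example and not code from the post or from any vendor: a staging gate that only lets a firmware image through to a device if its SHA-256 digest is on a change-controlled allow-list for that device model, and only if the allow-list itself passes an HMAC integrity check, so someone who can write to the staging share cannot just append their own image. The device models, image bytes, manifest layout and key are all constructed for this example; a real deployment keeps the key in a vault or HSM and still relies on the vendor's own signature check on the device.

```python
import hashlib
import hmac
import json

# Placeholder key for the example only; a real key lives in a vault/HSM, never in code.
MANIFEST_KEY = b"example-change-control-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so the HMAC does not depend on dict ordering."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Tag the allow-list; only the change-control team holds the key."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def gate_firmware(image: bytes, model: str, manifest: dict, tag: str, key: bytes):
    """Decide whether an image may be pushed to a device of the given model.

    Returns (allowed, reason). Every denial path states why, so the upgrade
    workflow can log it rather than silently fail.
    """
    if not verify_manifest(manifest, tag, key):
        return False, "manifest integrity check failed"
    approved = manifest.get(model)
    if not approved:
        return False, f"no approved images for model {model!r}"
    digest = sha256_hex(image)
    for entry in approved:
        if hmac.compare_digest(entry["sha256"], digest):
            return True, f"approved image {entry['version']} for {model}"
    return False, "image digest not on allow-list"


# Constructed sample images and manifest (not real firmware, not a real device model).
GOOD_IMAGE = b"serial-server-x firmware 2.3.1 (constructed image bytes)"
ROGUE_IMAGE = b"serial-server-x firmware 2.3.1 (constructed image bytes, modified)"
MANIFEST = {
    "serial-server-x": [{"version": "2.3.1", "sha256": sha256_hex(GOOD_IMAGE)}],
}
MANIFEST_TAG = sign_manifest(MANIFEST, MANIFEST_KEY)


def tampered_manifest() -> dict:
    """An attacker appends their own image but cannot re-sign the manifest."""
    tampered = json.loads(json.dumps(MANIFEST))
    tampered["serial-server-x"].append({"version": "2.3.1", "sha256": sha256_hex(ROGUE_IMAGE)})
    return tampered


if __name__ == "__main__":
    for label, image, manifest in [
        ("vendor image", GOOD_IMAGE, MANIFEST),
        ("modified image", ROGUE_IMAGE, MANIFEST),
        ("modified image, tampered manifest", ROGUE_IMAGE, tampered_manifest()),
    ]:
        print(label, "->", gate_firmware(image, "serial-server-x", manifest, MANIFEST_TAG, MANIFEST_KEY))
```

Wire `gate_firmware` in front of whatever tool actually uploads to the serial server or relay, and treat a denial as a change-control event, not a nuisance: an image that is not on the list is either an unreviewed upgrade or an attempt at exactly the malicious firmware upload described above.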
Always
- Know what OT assets you have.
- Know what’s exposed.
- Practice destructive incident recovery. Wipers and bricked gear, not just ransomware.
Final Thought
This wasn’t about money.
It wasn’t about data theft.
It was about sending a message.
And the message is simple: OT environments that rely on “nobody will target us” thinking are living on borrowed time.
Stay sharp, my people.
Secure the basics.
Because in OT, the basics are what keep the lights on.
Thanks for reading.