Urgent warnings from UK and US cyber agencies after Polish energy grid attack
Summary: In late December 2025, Poland's energy infrastructure was hit by a cyberattack that damaged roughly 30 wind and solar farms and other facilities. The attackers used wiper malware to destroy data and firmware, leaving operators unable to monitor or control equipment remotely. Poland's CERT linked the attack to the Dragonfly hacking group, which is associated with the Russian government. The US and UK subsequently issued warnings stressing the importance of strengthening industrial control system security.

2026-2-12 18:47:52 Author: www.fortra.com

A coordinated cyberattack that targeted Poland's energy infrastructure in late December 2025 has prompted cybersecurity agencies to issue urgent warnings to critical national infrastructure operators on both sides of the Atlantic.

The attack, which Poland's Computer Emergency Response Team compared to "deliberate arson," targeted approximately 30 wind and solar farms, a heat and power plant, and several renewable energy generators at a critical time when the country was battling cold temperatures and snowstorms.

Polish authorities have concluded that the infrastructure used overlapped significantly with that of the Dragonfly hacking group (also known as Static Tundra or Berserk Bear), long linked to the Russian government.

According to the Polish CERT report, hackers deployed wiper malware that destroyed data on computer systems, corrupted firmware on operational technology devices, and damaged remote terminal units.

While the affected renewable energy systems continued to produce power, operators found that they had lost the ability to monitor or control them remotely - a serious safety concern.

Industrial control systems security firm Dragos described the incident as the first major coordinated attack to target distributed energy resources at scale, warning that over-reliance on remote connectivity widens the attack surface.

For understandable reasons, the attack on the Polish energy grid has triggered responses from cybersecurity agencies in other countries.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert, highlighting OT/ICS lessons from the CERT Polska report, with particular emphasis on hardening internet-facing edge devices used in industrial environments.

Meanwhile, in the UK, the National Cyber Security Centre (NCSC) issued its own warning. In a LinkedIn post, Jonathon Ellison, the NCSC's director for national resilience, did not mince his words:

"Cyberattacks disrupting everyday essential services may sound far-fetched, but we know it's not."

Ellison went on to urge the UK's critical national infrastructure operators (such as energy, water, transportation, health, and telecommunications) to take immediate action. He pointed to the NCSC's Cyber Assessment Framework as a helpful resource.

The incident in Poland highlights several important areas.

Edge devices remain a critical vulnerability. The attackers gained their initial foothold through internet-facing network equipment that often receives less security attention than core systems.

Furthermore, the shift toward renewable energy has meant a more distributed architecture, with numerous smaller sites requiring remote connectivity. These systems are now proving to be valid targets for sophisticated hackers.

Finally, the destructive nature of the incident is significant. Wiper malware is deployed to corrupt data and wipe systems, making recovery as difficult and expensive as possible.

Both CISA and the NCSC have published guidance for critical infrastructure operators, recommending that known vulnerabilities (particularly on edge devices) be patched, that strong access controls, including multi-factor authentication, be implemented, that secure-by-design principles be applied, and that incident response plans be tested before they are needed.

As Ellison noted in his LinkedIn post, defensive actions "require careful preparation and forethought - they cannot be improvised under pressure."

For critical infrastructure operators it is clear that the threat is real.

The Poland incident demonstrates that sophisticated adversaries are actively targeting critical energy infrastructure, and distributed systems that may have previously seemed too small to attract attention are now firmly in the firing line.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.


Source: https://www.fortra.com/blog/urgent-warnings-uk-and-us-cyber-agencies-after-polish-energy-grid-attack