Change your Default Credentials

Key Takeaways

If you don’t change your default credentials, you may be left out in the cold. Literally.

  • Change default passwords
  • Use multi-factor authentication
  • Think of a cyberattack as a chain; you can break it at any link.

Polish Cyber Incident Report

CERT Polska just released an incident report about the cyberattacks on Polish energy infrastructure and powerplants that happened in late December of 2025. This is a very interesting read which provides a good look at common techniques that attackers are using to target critical infrastructure. I recommend reading the report in its entirety, but some sections jumped out that I wanted to add some context to.

The result of this incident was a disruption in communications between substations for renewable energy plants. The second target of this incident was a combined heat and power (CHP) plant. This plant was attacked with destructive malware that could have knocked out power and heating for hundreds of thousands of people in a way that would be very difficult to repair quickly.

(Report excerpt, page 4)

Destructive cyberattacks against critical infrastructure have increased since the mid 2010’s. In 2015, Russian-linked attackers disrupted communications of distribution control centers in Ukraine and knocked out power for 200k people in the western part of the country. [1] This 2025 attack on the Polish energy infrastructure appeared to follow a similar playbook of disrupting critical infrastructure communications of the electrical grid.

For more context, destructive wiper malware has been used in some of the most damaging and costly cyberattacks seen in recent years. This type of malware renders computers inoperable, or “bricked”, requiring the manual replacement of firmware and software on the affected machines. As you can imagine, this presents an enormous time and cost effort to get skilled technicians to repair the systems. The 2017 NotPetya wiper attacks destroyed an estimated 10% of all computers located in Ukraine, causing around $10B in damages.[2] On the eve of the Russian invasion of Ukraine, a threat actor group disabled tens of thousands of Viasat KA-SAT modems using the AcidRain wiper malware to disrupt communications.[3] Wiper malware also helps attackers stay hidden, since it destroys traces of their actions such as command logs or malicious files downloaded onto the target system.

The 2025 attack targeted defenseless devices. The following excerpts of the report referenced default accounts and configurations that were not changed, lack of multi-factor authentication, and re-use of passwords and accounts.[7]

(Report excerpt, page 7)
(Report excerpt, page 8)
(Report excerpt, page 9)
(Report excerpt, page 9)
(Report excerpt, page 11)
(Report excerpt, page 14)

Not changing default credentials is an insecure practice that leaves the door open for malicious attackers. Earlier in 2025, more than 100 Iranian oil tankers and cargo ships were left without communications because an attacker remotely wiped the hard drives of satellite modems that hadn’t been changed from their default credentials.[4] Not using multi-factor authentication also opens up devices and infrastructure to easy access due to phished or guessed credentials. Using the same accounts and passwords across multiple systems opens the systems up for credential stuffing attacks or password spraying, where attackers make educated guesses for login credentials based on password lists, username lists or stolen username/password combination lists.
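As an added example (not code from the post or the CERT Polska report), the Python detector below runs over a few constructed authentication log lines and flags the two patterns just described: one source trying a handful of attempts against many different accounts (password spraying, which credential stuffing looks identical to from the log's point of view) and many failed attempts against a single account (brute force). The log format, the 10-minute window and the thresholds are assumptions chosen for illustration.

```python
"""Password-spray / brute-force detector over constructed auth log lines.

Added example, not code from the post or the CERT Polska report. The log
format, window size and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format assumed): ISO timestamp, result, user, source IP.
# 203.0.113.7 tries six different accounts within seconds (spray/stuffing pattern);
# 198.51.100.4 is a user who mistypes twice and then logs in; 192.0.2.9 hammers one account.
SAMPLE_LOG = """\
2025-12-29T02:00:01 FAIL user=admin src=203.0.113.7
2025-12-29T02:00:02 FAIL user=operator src=203.0.113.7
2025-12-29T02:00:03 FAIL user=scada src=203.0.113.7
2025-12-29T02:00:04 FAIL user=root src=203.0.113.7
2025-12-29T02:00:05 FAIL user=service src=203.0.113.7
2025-12-29T02:00:06 FAIL user=backup src=203.0.113.7
2025-12-29T02:00:10 FAIL user=jsmith src=198.51.100.4
2025-12-29T02:00:11 FAIL user=jsmith src=198.51.100.4
2025-12-29T02:00:12 OK   user=jsmith src=198.51.100.4
2025-12-29T02:30:00 FAIL user=hmi src=192.0.2.9
2025-12-29T02:30:01 FAIL user=hmi src=192.0.2.9
2025-12-29T02:30:02 FAIL user=hmi src=192.0.2.9
2025-12-29T02:30:03 FAIL user=hmi src=192.0.2.9
2025-12-29T02:30:04 FAIL user=hmi src=192.0.2.9
2025-12-29T02:30:05 FAIL user=hmi src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK", "user": user, "src": src}


def detect(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=6):
    """Return alerts as tuples:
    ("password_spray", src, distinct_users)  - one source, many accounts in one window
    ("brute_force", src, user, attempts)     - one source, one account, many failures
    Successful logons are ignored; only failures feed the counters.
    """
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and not ev["ok"]:
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    alerts = []
    for src, events in failures.items():
        events.sort()
        # Spray / stuffing: count distinct usernames in any window starting at a failure.
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= spray_users:
                alerts.append(("password_spray", src, len(users)))
                break
        # Brute force: count failures per (src, user) in any window starting at a failure.
        per_user = defaultdict(list)
        for t, u in events:
            per_user[u].append(t)
        for user, times in per_user.items():
            for i, t0 in enumerate(times):
                n = sum(1 for t in times[i:] if t - t0 <= window)
                if n >= brute_attempts:
                    alerts.append(("brute_force", src, user, n))
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The user who failed twice and then succeeded generates nothing, which is the point of the thresholds: the detector keys on breadth (many accounts from one source) or depth (many failures on one account), not on the mere existence of failures. In a real deployment the source would be a SIEM query over the same fields, and the thresholds would be tuned against the site's own baseline.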

The advancement of Endpoint Detection and Response (EDR) tools makes it more difficult for attackers to operate on a target system. One technique to bypass this is to use native tools that are built into the target system to steal information, rather than dropping custom malware onto the disk where it can be easily observed. These tools include legitimate remote management tools like Microsoft’s Remote Desktop (RDP) and native scripting languages like PowerShell. Attackers used this technique against the Polish CHP plant to scan and move through the network without resistance.[7]

(Report excerpt, page 16)
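Because RDP and PowerShell are legitimate tools, blocking them outright is rarely an option; the practical defense is to log their use and correlate it. The block below is an added example (not from the post or the report) that runs over constructed Windows-style events loosely modelled on Security event IDs 4624 (logon, where logon type 10 is an RDP session) and 4688 (process creation). It flags PowerShell launched with a hidden window or an encoded command, decodes the command so an analyst can read it, and ties the launch back to an RDP logon on the same host shortly before. The event field names, the sample values and the five-minute correlation window are assumptions.

```python
"""Living-off-the-land triage over constructed Windows-style security events.

Added example, not code from the post or the CERT Polska report. Event shape
and field names are assumptions loosely modelled on Security event IDs 4624
(logon; LogonType 10 = RemoteInteractive, i.e. RDP) and 4688 (process creation).
"""
import base64
import binascii
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). The encoded command is the harmless
# "Get-Process", encoded the way PowerShell expects (base64 of UTF-16LE).
SAMPLE_EVENTS = r"""
{"ts":"2025-12-29T03:10:00","host":"HMI-02","id":4624,"user":"svc_backup","logon_type":10,"src":"10.0.5.23"}
{"ts":"2025-12-29T03:11:30","host":"HMI-02","id":4688,"user":"svc_backup","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="}
{"ts":"2025-12-29T03:12:00","host":"ENG-07","id":4688,"user":"jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}
{"ts":"2025-12-29T09:00:00","host":"ENG-07","id":4624,"user":"jdoe","logon_type":2,"src":"-"}
"""

# PowerShell accepts abbreviated switches, so match the common prefixes.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")


def decode_encoded_command(b64):
    """-EncodedCommand payloads are base64 over UTF-16LE text; None if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(events_text, chain_window=timedelta(minutes=5)):
    """Return a list of findings in time order.

    "rdp_logon"             - a remote interactive (type 10) logon
    "suspicious_powershell" - powershell.exe with an encoded command or hidden
                              window; carries the decoded command and, when an
                              RDP logon preceded it on the same host within the
                              window, the source address of that logon.
    """
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    events.sort(key=lambda ev: ev["ts"])

    rdp_logons = defaultdict(list)  # host -> [(ts, user, src), ...]
    findings = []
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            rdp_logons[ev["host"]].append((ev["ts"], ev["user"], ev["src"]))
            findings.append({"type": "rdp_logon", "host": ev["host"],
                             "user": ev["user"], "src": ev["src"]})
        elif ev["id"] == 4688 and ev["image"].lower().endswith("powershell.exe"):
            cmd = ev["cmdline"]
            enc = ENCODED_ARG.search(cmd)
            if not enc and not HIDDEN_WINDOW.search(cmd):
                continue
            finding = {"type": "suspicious_powershell", "host": ev["host"], "user": ev["user"],
                       "decoded": decode_encoded_command(enc.group(1)) if enc else None}
            recent = [src for ts, _user, src in rdp_logons[ev["host"]]
                      if timedelta(0) <= ev["ts"] - ts <= chain_window]
            if recent:
                finding["after_rdp_from"] = recent[-1]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The correlation is what turns two individually unremarkable events into a lead: an RDP session from an address, followed within minutes by a hidden, encoded PowerShell launch under the same account on the same host, is the shape of the lateral movement the report describes. Script block logging and command-line auditing must be enabled for 4688 events to carry the command line at all, which is the configuration change a defender makes before any of this logic is useful.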

Offensive cyber operations follow a flow where access to one resource, be it an account, system, or network interface, is continually leveraged to gain more access. Attackers steal system resources that contain information on users and passwords. Most passwords are stored as hashed values, which can be cracked if generated insecurely, or used directly in a pass-the-hash attack to authenticate to other systems.[5] On Windows systems these are stored in the SAM database. In the 2025 CHP attack, the password hashes were accessed as well as the Active Directory database file.

(Report excerpt, page 17)

The report mentions an attempt to exfiltrate these resources.[7] It is not clear if the attackers successfully completed this or were blocked by defensive tools.
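To show what “generated insecurely” means in practice, here is an added Python example (not from the post or the report) that contrasts an unsalted, single-round digest with salted PBKDF2 and audits a constructed set of stored records: accounts whose hash carries no salt are flagged, and accounts that share an identical digest reveal password reuse, which is exactly what a precomputed table or a single cracked hash exploits. The record format, the sample accounts and the iteration count are assumptions for the example.

```python
"""Password-hash storage: weak vs. salted KDF, plus an audit of stored records.

Added example, not code from the post or the CERT Polska report. The stored
record format, sample accounts and iteration count are assumptions.
"""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumption; tune to the deployment's verification budget


def weak_hash(password):
    """Unsalted single-round digest: the pattern the post calls 'generated insecurely'.
    Every account with the same password gets the same digest, so one precomputed
    table or one cracked hash covers all of them."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Per-account random salt plus a slow KDF: identical passwords yield different
    records, and each guess costs the attacker the full iteration count."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Check a password against either record format using a constant-time compare."""
    algo, *rest = stored.split("$")
    if algo == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if algo == "sha1":
        return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), rest[0])
    return False


def audit(records):
    """Flag accounts stored without a salt, and groups of accounts whose stored
    digest is identical (password reuse, visible only because no salt was used)."""
    unsalted = [user for user, stored in records.items() if not stored.startswith("pbkdf2_")]
    by_digest = defaultdict(list)
    for user, stored in records.items():
        by_digest[stored].append(user)
    reused = [sorted(users) for users in by_digest.values() if len(users) > 1]
    return {"unsalted": unsalted, "reused": reused}


# Constructed sample: three legacy accounts with unsalted SHA-1, two migrated to PBKDF2.
SAMPLE_RECORDS = {
    "admin": weak_hash("Winter2025!"),
    "operator": weak_hash("Winter2025!"),   # same password as admin -> identical digest
    "scada": weak_hash("hmi-default"),
    "jsmith": strong_hash("Winter2025!"),
    "backup": strong_hash("Winter2025!"),   # same password, different salt -> different record
}


if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
    print(verify("Winter2025!", SAMPLE_RECORDS["jsmith"]))
```

Salting and a slow KDF only raise the cost of offline cracking. Where the stored hash is itself accepted as the credential, which is what makes pass-the-hash work, the defenses are the ones the post already names: multi-factor authentication and not reusing the same accounts and passwords across systems, so that one captured hash does not unlock every host.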

Just because an attacker is able to obtain access to a system or resource does not mean they are able to effectively compromise it. The phrase “The defenders have to get everything right while the attackers only have to get it right once” is an oversimplification which does not accurately describe the chain of events that must happen for an attacker to compromise a system and remove critical information.

A better way to look at it is the “Swiss Cheese” model used to describe aviation mishaps. In this model, there are a number of things that have to go wrong in an accident chain. The “holes” in the Swiss Cheese layers represent active failures of procedures, execution, or hardware/mechanical issues, any of which, if not present, would prevent the accident from occurring.

(Swiss Cheese model diagram, source: faa.gov)

To steal information the attackers must first access the target system. If they are able to do this, they must then perform actions on that system. If they are able to do that, they work on attempting to move laterally through the target network to gain access to other machines. If they do that, then they must find and access the resources/files that they want to steal or damage… Are you seeing the pattern? Finally, to steal information they must remove the information from the system.

If any of these steps are not completed, the attack fails, or at the very least the impact is greatly reduced. From the attacker’s perspective, all they see is that access to the target system was lost or their commands did not run as expected. As far as they are concerned this could be for any number of reasons: they were detected and stopped; their malware is faulty; they weren’t detected, but a routine server reboot caused them to lose access; they weren’t detected, but a construction crew digging a ditch for a pipe cut the cable from their data center; etc. The lack of feedback increases the effort required to determine what went wrong and how the attacker can remedy their lack of access or desired effect.

In the case of the 2025 Polish energy cyberattack, the most dangerous part of the attack, where wiper malware was deployed on the systems of the CHP plant, failed because the EDR system detected and stopped the execution of the malware when the malware hit a canary.[7]

(Report excerpt, page 20)

Another thing that jumped out to me was the use of custom virtual machines on the target system to facilitate malicious actions.[7]

(Report excerpt, page 20)

Chinese-linked threat actors used this technique in 2019 on a compromised system at the Australian National University, which is home to the Australian National Security College, to steal decades worth of student, HR, and financial data.[6] This use of virtual machines allows attackers to hide their actions as all records of command logs are on the VM that can be wiped after use. It also allows the installation of programs or tools that may be incompatible or blocked by the host operating system.

Finally, the report attributes the attack to the “Static Tundra” threat actor.[7] This assessment comes from overlaps in communication techniques with known Static Tundra operations. It also mentions similarities between the Dynowiper malware (the wiper malware used in this incident) and previous wiper malware used by the Russian-linked “Sandworm” group, which targeted Ukrainian critical electrical infrastructure in 2015 and 2016 and developed and deployed the NotPetya wiper malware mentioned previously.[2]

This incident shows us that strong execution of basic defense measures such as changing default passwords, and using multi-factor authentication, goes a long way to increasing and maintaining the security of critical infrastructure systems.

Sources

[1] Shackelford, Scott J. and Sulmeyer, Michael and Craig, Amanda and Buchanan, Ben and Micic, Brian, From Russia with Love: Understanding the Russian Cyber Threat to U.S. Critical Infrastructure and What to Do about It (May 31, 2017). Nebraska Law Review, Vol. 96, 2017, Kelley School of Business Research Paper No. 17-42, Available at SSRN: https://ssrn.com/abstract=2978305

[2] “The Most Destructive Hack Ever Used: NotPetya,” Cybernews, Mar. 20, 2025. [Online]. Available: https://www.youtube.com/watch?v=3-MSlNVqzYY

[3] C. Vasquez and E. Groll, “Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault.” [Online]. Available: https://cyberscoop.com/viasat-ka-sat-hack-black-hat/

[4] “Cydome analyzes Lab Dookhtegan cyber attack on Iranian oil tankers, provides mitigation action.” [Online]. Available: https://industrialcyber.co/transport/cydome-analyzes-lab-dookhtegan-cyber-attack-on-iranian-oil-tankers-provides-mitigation-action/

[5] R. Joyce, “Disrupting Nation State Hackers.” [Online]. Available: https://www.usenix.org/sites/default/files/conference/protected-files/engima2016_transcript_joyce_v2.pdf

[6] “Incident Report on the Breach of the Australian National University Administrative System.” 2019. [Online]. Available: https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

[7] “Energy Sector Incident Report – 29 December.” Jan. 30, 2026. [Online]. Available: https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf