
Mark0


DYNOWIPER: Destructive Malware Targeting Poland's Energy Sector

A coordinated campaign of destructive cyberattacks targeted Poland's energy infrastructure on December 29, 2025, impacting over 30 renewable energy facilities and a major combined heat and power plant. Attributed to the threat actor cluster known as Static Tundra (also referred to as Berserk Bear or Dragonfly), the attack utilized a custom 32-bit wiper malware dubbed DYNOWIPER. Initial access was obtained by exploiting exposed Fortinet FortiGate devices, allowing the attackers to perform extensive reconnaissance before deploying the destructive payload.

DYNOWIPER is designed for rapid file corruption, using a Mersenne Twister PRNG to overwrite file headers and strategic offsets with random data. To ensure the malware completes its mission before system failure, it avoids critical system directories and eventually forces a reboot. Analysis shows that behavioral detection strategies, specifically canary file monitoring within Elastic Defend, are highly effective at stopping this malware by detecting the indiscriminate modification patterns used during the wiping process.
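A minimal sketch of the canary file idea described above, added here as an illustration; it is not Elastic Defend's implementation or code from the original article. The decoy file name, block size and alert threshold are assumptions, and the decoy content is constructed. Per-block hashing shows whether a change hit the file header (block 0) or an interior offset.

```python
import hashlib
import os

BLOCK = 4096                   # assumed comparison granularity
CANARY_NAME = "~canary.docx"   # hypothetical decoy file name

def block_digests(path):
    """SHA-256 of each BLOCK-sized chunk, so a change can be located by offset."""
    digests = []
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            digests.append(hashlib.sha256(chunk).hexdigest())
    return digests

def plant_canaries(dirs, size=64 * 1024):
    """Write one decoy per directory; return the baseline {path: [digests]}."""
    baseline = {}
    for d in dirs:
        path = os.path.join(d, CANARY_NAME)
        with open(path, "wb") as f:
            f.write(bytes(range(256)) * (size // 256))  # constructed content
        baseline[path] = block_digests(path)
    return baseline

def check_canaries(baseline):
    """Return {path: [changed block indexes, 'deleted' or 'resized']}."""
    findings = {}
    for path, old in baseline.items():
        try:
            new = block_digests(path)
        except FileNotFoundError:
            findings[path] = ["deleted"]
            continue
        changed = [i for i, (a, b) in enumerate(zip(old, new)) if a != b]
        if len(new) != len(old):
            changed.append("resized")
        if changed:
            findings[path] = changed
    return findings

def is_mass_tamper(findings, threshold=2):
    """Several decoys changed in one sweep matches indiscriminate modification."""
    return len(findings) >= threshold

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        base = plant_canaries([root])
        print(check_canaries(base))
```

A polling check like this only reports after the fact; a product that monitors canaries at the file-system event level can block the writing process on the first hit.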

