C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, both distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
Analyst context for executives and security teams
This campaign matters because ATT&CK describes destructive activity against Polish energy-related organizations, including distributed energy resources, where communications with the distribution system operator were disrupted even though generation and heat supply were not. For leaders, the decision point is not only malware prevention; it is whether identity, Windows administration, Group Policy, remote access, and OT visibility are governed well enough to stop or contain a wiper-enabled intrusion before it becomes an operational resilience event.
Executive priority
Prioritize this as a resilience and cyber-physical risk scenario: destructive tooling was distributed through malicious Group Policy Objects, access reportedly existed for months at a CHP plant, and the relationship set includes valid accounts, external remote services, discovery, lateral movement-style tooling, and ICS loss-of-view/loss-of-control concepts. Executives should ask whether critical sites can prove segmentation, privileged account control, GPO change governance, backup/recovery readiness, and incident decision paths between IT, OT, operations, legal, and communications teams.
Technical view
ATT&CK provides no campaign-level detection text, platforms, or tactics, so defenders should validate coverage from the described behaviors and relationships. Focus on Windows and Active Directory evidence where the related software supports it: PsExec, certutil, Rubeus, Impacket, Tasklist, Ping, Arp, netstat, DynoWiper, and LazyWiper. For OT/ICS context, validate monitoring for external remote services, CLI/GUI access, valid account use, remote system and network connection discovery, port or broadcast discovery, screen capture, device restart/shutdown, data destruction, and loss-of-view/loss-of-control indicators. Incident responders should also treat malicious GPO use as a key pivot for scoping affected hosts and administrative paths.
Likely telemetry
- Active Directory and Group Policy change logs, including creation, modification, linking, and execution of GPO-delivered scripts or binaries
- Windows endpoint process creation and command-line telemetry for PowerShell, PsExec, certutil, tasklist, ping, arp, netstat, and similar administrative utilities
- PowerShell script block/module logging where available, especially for file overwrite or deletion behavior consistent with LazyWiper-related descriptions
- Kerberos and authentication telemetry relevant to valid account abuse and Rubeus-like activity
- Remote service and administrative access logs, including VPN/Citrix-like external remote services where present
Detection direction
- Start with GPO governance detections: alert on unusual GPO creation, modification, linking, startup/logon script changes, and rapid propagation to critical Windows systems.
- Tune detections for dual-use tools in context rather than by tool name alone; PsExec, tasklist, ping, arp, netstat, certutil, Impacket, and Rubeus-related behaviors can be legitimate but become higher risk when clustered with new admin logons, discovery, remote execution, or GPO changes.
- Correlate identity events with remote access and lateral movement indicators, especially valid-account use from unusual sources, privileged account use outside maintenance windows, and Kerberos anomalies.
- For OT environments, validate that SOC and operations teams can see loss-of-view conditions and communications disruptions, not just malware alerts on IT endpoints.
- Build destructive-behavior analytics around rapid file overwrite/delete activity and PowerShell-based destructive scripts, while accounting for administrative maintenance, backup, and deployment tools as false-positive sources.
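As an added example (not from the ATT&CK object or the Glexia analysis), the following Python scores a per-host window of process-creation events so that the dual-use utilities named above alert only when they cluster with higher-risk actions such as `certutil -decode` or `vssadmin delete shadows`. The pipe-separated log format, the regexes, the weights and the thresholds are assumptions, and the sample events are constructed.

```python
"""Cluster-based triage of Windows process-creation telemetry.

Added example, not campaign or vendor code. Input lines are a constructed
simplification of Security 4688 / Sysmon Event 1 fields:
    host|user|ISO timestamp|command line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (pattern, category, weight): commands the campaign page lists, with
# illustrative weights. Weights and categories are assumptions.
SIGNALS = [
    (re.compile(r"\bnetstat\b.*-(nao|r)\b", re.I), "net-conn-discovery", 1),
    (re.compile(r"\barp\b\s+-a\b", re.I), "net-config-discovery", 1),
    (re.compile(r"\bnslookup\b", re.I), "net-config-discovery", 1),
    (re.compile(r"\btasklist\b", re.I), "process-discovery", 1),
    (re.compile(r"\bdir\b.*/s\b.*C:\\Users", re.I), "file-discovery", 1),
    (re.compile(r"\bcertutil\b.*-decode\b", re.I), "decode-payload", 3),
    (re.compile(r"\bvssadmin\b.*delete\s+shadows", re.I), "inhibit-recovery", 5),
    (re.compile(r"\bpsexec", re.I), "remote-exec", 3),
    # Script launched from a domain SYSVOL share: the GPO delivery path.
    (re.compile(r"\bpowershell\b.*\\\\\S+\\sysvol\\", re.I), "gpo-script", 4),
]


def parse_event(line):
    """Split one constructed log line into (host, user, timestamp, cmdline)."""
    host, user, ts, cmd = line.split("|", 3)
    return host.strip(), user.strip(), datetime.fromisoformat(ts.strip()), cmd.strip()


def classify(cmdline):
    """Return the set of (category, weight) signals a command line matches."""
    return {(cat, w) for pat, cat, w in SIGNALS if pat.search(cmdline)}


def score_windows(lines, window_minutes=30, threshold=6, min_categories=3):
    """Per host, slide a window from each matched event; raise one alert when the
    window holds at least min_categories distinct categories whose weights
    (counted once per category) sum to at least threshold."""
    per_host = defaultdict(list)
    for line in lines:
        host, user, ts, cmd = parse_event(line)
        for cat, w in classify(cmd):
            per_host[host].append((ts, user, cat, w, cmd))
    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, *_) in enumerate(evs):
            end = start + timedelta(minutes=window_minutes)
            cats = {e[2]: e[3] for e in evs[i:] if e[0] <= end}
            if len(cats) >= min_categories and sum(cats.values()) >= threshold:
                alerts.append({"host": host, "start": start.isoformat(),
                               "categories": sorted(cats), "score": sum(cats.values())})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample: HOST-A shows isolated admin checks hours apart (no alert);
# DC01 shows discovery, payload decoding and shadow-copy deletion within minutes.
SAMPLE_LOG = [
    "HOST-A|admin.j|2025-12-29T01:10:00|tasklist /v",
    "HOST-A|admin.j|2025-12-29T09:30:00|netstat -nao",
    "DC01|svc_backup|2025-12-29T02:01:00|cmd.exe /c netstat -nao",
    "DC01|svc_backup|2025-12-29T02:01:30|cmd.exe /c arp -a",
    "DC01|svc_backup|2025-12-29T02:02:10|tasklist",
    "DC01|svc_backup|2025-12-29T02:03:00|certutil -decode C:\\Windows\\TEMP\\p.txt C:\\Windows\\TEMP\\p.zip",
    "DC01|svc_backup|2025-12-29T02:08:00|vssadmin delete shadows /all /quiet",
]

if __name__ == "__main__":
    for alert in score_windows(SAMPLE_LOG):
        print(alert)
```

Lowering `threshold` or widening `window_minutes` trades false positives from maintenance jobs against sensitivity, which is the tuning decision the bullet above describes.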
Mitigation priorities
- Harden identity and privileged access first: restrict and monitor administrative accounts, service accounts, Kerberos-sensitive activity, and external remote services used to reach critical environments.
- Apply strict Group Policy change control, peer review, alerting, and recovery procedures for GPOs affecting critical Windows and OT-adjacent systems.
- Segment IT, OT, and site networks so compromise of administrative Windows infrastructure cannot easily propagate destructive actions into operational environments.
- Limit and monitor dual-use administration tools; ensure PsExec-like remote execution, PowerShell, certutil, and Impacket-style activity are controlled and logged rather than assumed benign.
- Maintain tested, offline or otherwise resilient backups and restoration procedures for systems where data destruction would affect operations or recovery time objectives.
Analyst notes and limits
The supplied ATT&CK object is a campaign, not a single technique, and it has no official detection section. Its value for defenders comes from the described destructive wiper deployment, malicious Group Policy distribution, long-lived access at one facility, and the related software/ICS technique relationships. Attribution should be handled carefully: the official description notes Russian state-sponsored activity and cites differing reporting that associates the activity with FSB-linked Dragonfly/STATIC TUNDRA or GRU-linked ELECTRUM/Sandworm Team.
Platforms and tactics are not specified at the campaign level, and ATT&CK does not provide detection logic for this object. The guidance above is therefore framed as validation direction from the official description and relationships, not guaranteed detection coverage. Local architecture, logging maturity, OT visibility, remote access design, and change-management evidence are required to determine actual exposure and control effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1529 | System Shutdown/Reboot | During the 2025 Poland Wiper Attacks, the adversaries forced victim devices to reboot to finalize destruction of impacted systems.[3][4] |
| Enterprise | T1053 | Scheduled Task/Job | During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary-generated CLI scripts weekly.[1] |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries leveraged Group Policy Objects to distribute wiper malware to victim devices through a network share.[1] |
| Enterprise | T1059.008 | Network Device CLI Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries leveraged the native CLI of the targeted FortiGate device.[1] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries exfiltrated data to actor-controlled infrastructure using HTTP POSTs.[1] |
| Enterprise | T1006 | Direct Volume Access | During the 2025 Poland Wiper Attacks, the adversaries copied volume shadow copies by executing `vssadmin` in order to dump the `NTDS.dit` file.[1] |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2.[1] |
| Enterprise | T1571 | Non-Standard Port | During the 2025 Poland Wiper Attacks, the adversaries created a Reverse SOCKS Proxy and communicated over the non-standard port 8008.[1][4] |
| Enterprise | T1567.004 | Exfiltration Over Webhook Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries leveraged an attacker-controlled Slack channel to exfiltrate data.[1] |
| Enterprise | T1584.001 | Domains Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries compromised infrastructure to use for C2.[4] |
| Enterprise | T1049 | System Network Connections Discovery | During the 2025 Poland Wiper Attacks, the adversaries identified network connections utilizing `netstat -nao` and `netstat -r`.[1] |
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | During the 2025 Poland Wiper Attacks, the adversaries used the Rubeus tool to forge a Diamond Ticket, which is a modified legitimate Kerberos ticket.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries utilized a Base64-encoded ZIP archive to prevent content analysis.[1] |
| Enterprise | T1602.002 | Network Device Configuration Dump Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries gathered and used the FortiGate bookmarks defined in the configuration file, including the statically defined credentials that facilitated RDP connections to jump hosts.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During the 2025 Poland Wiper Attacks, the adversaries decoded a Base64-encoded ZIP archive using the built-in certutil.[1] |
| Enterprise | T1587.001 | Malware Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries observed that their malware was initially detected by the victim's EDR solutions, so they modified the payload and attempted to execute the new version within the same day.[1][3][4] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries compressed stolen files into a zip file prior to exfiltration.[1] |
| Enterprise | T1090 | Proxy | During the 2025 Poland Wiper Attacks, the adversaries utilized the rsocx tool, identified as `r.exe` and `rsocx.exe`, to tunnel within the internal infrastructure using a Reverse SOCKS Proxy.[1][4] |
| Enterprise | T1530 | Data from Cloud Storage | During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials within cloud services to download targeted data from SharePoint and Teams.[1] |
| Enterprise | T1555 | Credentials from Password Stores | During the 2025 Poland Wiper Attacks, the adversaries configured a native CLI to gather a targeted elevated user's password using `grep`.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | During the 2025 Poland Wiper Attacks, the adversaries placed the malicious payload on an accessible network share to facilitate propagation.[1][3][4] |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries communicated with both Dropbox and Pastebin.[1] |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries attempted to reuse password hash values to gain access to other systems.[1] |
| Enterprise | T1584.008 | Network Devices Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries used compromised Cisco routers for network communications.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During the 2025 Poland Wiper Attacks, the adversaries gathered network configuration details utilizing `arp -a` and `nslookup` commands.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During the 2025 Poland Wiper Attacks, the adversaries downloaded malicious payloads to the victim server.[1] |
| Enterprise | T1110.002 | Password Cracking Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries attempted to crack user passwords.[1] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries utilized the Linux `dd` command to overwrite portions of the disks with random data.[1] |
| Enterprise | T1057 | Process Discovery | During the 2025 Poland Wiper Attacks, the adversaries enumerated currently running processes using `tasklist`.[1] |
| Enterprise | T1556.006 | Multi-Factor Authentication Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries modified two-factor settings within the FortiGate solution to `unset`.[1] |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | During the 2025 Poland Wiper Attacks, threat actors utilized privileged accounts to access the FortiGate VPN solution and subsequent subnets.[1] |
| Enterprise | T1133 | External Remote Services | During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment.[1][2] |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials from on-premises environments to access cloud services.[1] |
| Enterprise | T1495 | Firmware Corruption | During the 2025 Poland Wiper Attacks, adversaries performed a factory reset on compromised devices that hampered forensic investigations.[1] |
| Enterprise | T1584.003 | Virtual Private Server Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries used compromised VPS servers for C2.[1] |
| Enterprise | T1490 | Inhibit System Recovery | During the 2025 Poland Wiper Attacks, the adversaries deleted Windows Volume Shadow Copies using `vssadmin delete shadows`.[1] |
| Enterprise | T1583.006 | Web Services Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries configured the FortiGate devices to send notifications to an attacker-controlled Slack channel. They also staged tools and files on services such as Dropbox and Pastebin.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries compiled discovery data locally on the victim host in a file located at `C:\Windows\TEMP\outlog.txt`.[1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries attempted to dump credentials from LSASS.[1][4] |
| Enterprise | T1113 | Screen Capture | During the 2025 Poland Wiper Attacks, the adversaries captured screenshots of devices using |
| Enterprise | T1485 | Data Destruction | During the 2025 Poland Wiper Attacks, the adversaries utilized wiper malware to overwrite files using a 16-byte buffer, which fully overwrites files of 16 bytes or smaller and partially overwrites files larger than 16 bytes to speed up the process.[3][4] |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials within cloud services to gather data and email messages from Exchange services related to OT topics and technical work carried out within organizations.[1] |
| Enterprise | T1046 | Network Service Discovery | During the 2025 Poland Wiper Attacks, the adversaries utilized Ping, Advanced Port Scanner and Advanced IP Scanner to enumerate network devices.[1] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | During the 2025 Poland Wiper Attacks, adversaries utilized RDP to log into jump hosts and then moved laterally to other victim devices, including a domain controller.[1] |
| Enterprise | T1083 | File and Directory Discovery | During the 2025 Poland Wiper Attacks, the adversaries obtained the contents of users’ directories using the `dir /s /b C:\Users` command.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries created rules that mimicked the name of an institution already present in the network device configuration to avoid detection.[1] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries stole the Security Account Manager (SAM) and SYSTEM registry hives.[1] |
| Enterprise | T1588.007 | Artificial Intelligence Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries generated a custom script with an LLM.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run `cmd.exe` commands on multiple victim machines.[1] |
| Enterprise | T1608.002 | Upload Tool Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries staged tools and files for use on Dropbox and Pastebin.[1] |
| Enterprise | T1590.006 | Network Security Appliances Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries obtained details on the configuration of the victim Fortinet perimeter device, including publicly disclosed details on an online forum used by criminal communities.[1] |
| Enterprise | T1003.003 | NTDS Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries dumped the entire Active Directory database by extracting the contents of the ntds.dit file.[1] |
| Enterprise | T1686.002 | Network Device Firewall Sub-technique | During the 2025 Poland Wiper Attacks, the adversaries modified security settings within the victim's FortiGate device utilizing the native CLI. They also disabled network traffic logging.[1] |
Groups, software, and campaigns
S0160: certutil
S1071: Rubeus
S0029: PsExec
S0183: Tor
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]
S0099: Arp
S0097: Ping
S9039: LazyWiper
LazyWiper is a destructive malware observed targeting a manufacturing sector company during the 2025 Poland Wiper Attacks. LazyWiper is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). LazyWiper overwrites files on the system using the C# function `WriteRandomBytes()` and can target multiple specific file types by their extensions.[1]
S0057: Tasklist
S9038: DynoWiper
DynoWiper is a destructive malware associated with the 2025 Poland Wiper Attacks in December of 2025. DynoWiper is a native Windows binary that is distributed by a PowerShell script and overwrites files using data generated by the Mersenne Twister algorithm before they are deleted from the system. Multiple variants of DynoWiper have been identified, with the primary differences being that one variant shuts down the system after completing its destructive operations, and another introduces a time delay between file overwriting and deletion.[1][2]
S0104: netstat
S0357: Impacket
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2a158d9fde1d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
- [2] Dragos. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND’S ELECTRIC SYSTEM 2025. https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. Retrieved April 22, 2026.
- [3] ESET. (2026, January 30). Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers. Retrieved April 22, 2026.
- [4] ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.
- [5] MITRE ATT&CK. Campaign C0063 source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.