## Summary

- On December 29, 2025, a coordinated campaign of destructive cyberattacks targeted Poland's energy infrastructure, affecting over 30 renewable energy facilities and a major combined heat and power (CHP) plant.
- A custom wiper malware dubbed DYNOWIPER was used to irreversibly destroy data across compromised networks.
- CERT Polska attributes the attack infrastructure to the threat cluster that Cisco refers to as Static Tundra, CrowdStrike refers to as Berserk Bear, Microsoft calls Ghost Blizzard, and Symantec labels as Dragonfly.
- Elastic Defend's ransomware protection successfully detects and prevents DYNOWIPER execution using canary file monitoring.

## Background

The coordinated destructive campaign against critical energy infrastructure occurred on December 29, 2025, during a period of severe winter weather in Poland. According to CERT Polska's report, the campaign targeted:

- 30+ wind and solar farms across Poland
- A major CHP plant supplying heat to nearly half a million customers
- A manufacturing sector company, characterized as an opportunistic target

### Attack Vector

The threat actor reportedly gained initial access through Fortinet FortiGate devices exposed to the internet prior to December 29th, exploiting:

- VPN interfaces allowing authentication without multi-factor authentication
- Reused credentials across multiple facilities
- Historical vulnerabilities in unpatched devices

The attackers conducted months-long reconnaissance of industrial automation systems, specifically targeting SCADA systems and OT networks. During this time, they exfiltrated Active Directory databases, FortiGate configurations, and data related to OT network modernization.

## DYNOWIPER Details

Elastic Security Labs independently analyzed a DYNOWIPER sample from open sources. The sample is similar to one of the variants documented by CERT Polska.
### Sample Metadata

| Property | Value |
|---|---|
| SHA256 | 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 |
| SHA1 | 4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6 |
| MD5 | a727362416834fa63672b87820ff7f27 |
| File Type | Windows PE32 Executable (GUI) |
| Architecture | 32-bit x86 |
| File Size | 167,424 bytes |
| Compiler | Visual C++ (MSVC) |
| Compilation Date | 2025-12-26 13:51:11 UTC |

### Destruction Mechanism

#### Drive Enumeration

The malware enumerates all logical drives (A-Z) using `GetLogicalDrives()` and targets only the `DRIVE_FIXED` (hard drives) and `DRIVE_REMOVABLE` (USB drives, SD cards) types.

#### File Corruption

DYNOWIPER employs a Mersenne Twister PRNG to generate pseudorandom data for file corruption. Rather than overwriting entire files (which takes time), it corrupts each file selectively by:

1. Removing file protection attributes via `SetFileAttributesW(FILE_ATTRIBUTE_NORMAL)`
2. Opening the file with `CreateFileW` for read/write access
3. Overwriting the file header with 16 bytes of random data
4. For larger files, generating up to 4,096 random offsets and overwriting each with a 16-byte sequence

This approach allows rapid corruption of many files while ensuring the data is unrecoverable.

#### Directory Exclusion List

The malware deliberately avoids system-critical directories to keep the system stable during the attack:

- `windows`, `system32`
- `program files`, `program files(x86)`
- `boot`, `appdata`, `temp`
- `recycle.bin`, `$recycle.bin`
- `perflogs`, `documents and settings`

This design choice maximizes data destruction before the system becomes unstable, ensuring the wiper completes its mission.
### Forced Reboot

After the corruption and deletion phases complete, DYNOWIPER:

1. Obtains a process token via `OpenProcessToken()`
2. Enables `SeShutdownPrivilege` via `AdjustTokenPrivileges()`
3. Forces a system reboot with `ExitWindowsEx(EWX_REBOOT | EWX_FORCE)`

### Notable Characteristics

DYNOWIPER is distinguished by several characteristics:

- No persistence mechanism: the malware does not attempt to survive reboots
- No C2 communication: completely standalone, with no network callbacks
- No shell command invocations: all operations are performed via the Windows API
- No anti-analysis techniques: no attempts to evade detection or debugging

Characteristic PDB path:

```
C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\Release\Source.pdb
```

The use of "vagrant" in the PDB path suggests development occurred in a Vagrant-managed virtual machine environment.

### Version Differences

CERT Polska documented two DYNOWIPER versions (A and B). The sample we analyzed corresponds to version A. Version B removed the system shutdown functionality and added a 5-second sleep between the corruption and deletion phases.

## Elastic Defend Protection

During testing of DYNOWIPER samples, Elastic Defend successfully detected and mitigated the malware before it could cause damage.

### Detection Alert

```json
{
  "message": "Ransomware Prevention Alert",
  "event": {
    "code": "ransomware",
    "action": "canary-activity",
    "type": ["info", "start", "change", "denied"],
    "category": ["malware", "intrusion_detection", "process", "file"],
    "outcome": "success"
  },
  "Ransomware": {
    "feature": "canary",
    "version": "1.9.0"
  }
}
```

### How Canary Protection Works

Elastic Defend's ransomware protection employs canary files (strategically placed decoy files) that trigger alerts when modified. DYNOWIPER's indiscriminate file corruption approach caused it to modify a canary file.
When the wiper attempted to corrupt this canary file, Elastic Defend immediately:

1. Detected the suspicious modification pattern
2. Blocked further execution
3. Generated a high-confidence ransomware alert (risk score: 73)

While Elastic Defend was not the EDR solution used in this incident, this form of defense-in-depth protection was critical in the real-world intrusion. According to CERT Polska, the EDR solution deployed at the CHP plant, using the same canary protection technology highlighted above, halted data overwriting on more than 100 machines where DYNOWIPER had already begun executing.

### Why Behavioral Detection is Crucial

Destructive malware presents unique challenges for minimizing risk:

- It may not establish C2 connections (no network indicators)
- It may not use persistence mechanisms (limited forensic artifacts)
- It executes quickly and destructively
- Static signature-based detection may miss new variants

Behavioral protection, such as canary files, provides a crucial layer of defense that can catch destructive malware regardless of its novelty.
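Canary-file monitoring of the kind described above, as an added illustration (not Elastic Defend's code): it plants decoy files, records a baseline, and classifies later damage, reporting a changed first 16 bytes separately because that matches DYNOWIPER's header-overwrite step. The decoy filename and locations are assumptions, and the damage applied in `run_demo` is constructed test input inside a temporary directory.

```python
"""Canary-file monitor: plants decoy files, then flags the indiscriminate
corruption DYNOWIPER performs. Added illustration; runs in a temp directory."""
import hashlib
import secrets
import tempfile
from pathlib import Path

CANARY_NAME = "~budget_2025_backup.xlsx"  # decoy filename (assumed; any plausible name works)
CANARY_SIZE = 4096
HEADER_LEN = 16  # DYNOWIPER overwrites the first 16 bytes of each file

def plant_canaries(root: Path, subdirs) -> dict:
    """Write one random-content canary per directory and return the baseline
    {path: (sha256, first 16 bytes)} used later to classify the damage."""
    baseline = {}
    for sub in subdirs:
        path = root / sub / CANARY_NAME
        path.parent.mkdir(parents=True, exist_ok=True)
        data = secrets.token_bytes(CANARY_SIZE)
        path.write_bytes(data)
        baseline[path] = (hashlib.sha256(data).hexdigest(), data[:HEADER_LEN])
    return baseline

def check_canaries(baseline: dict) -> list:
    """Return [(path, verdict)] for every canary that was deleted or altered;
    a changed header is reported on its own because it matches the wiper's step."""
    findings = []
    for path, (digest, header) in baseline.items():
        if not path.exists():
            findings.append((str(path), "deleted"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        verdict = "header-overwrite" if data[:HEADER_LEN] != header else "modified"
        findings.append((str(path), verdict))
    return findings

def run_demo() -> tuple:
    """Plant canaries, then apply constructed damage: 16 random bytes at offset 0, one deletion."""
    root = Path(tempfile.mkdtemp())
    baseline = plant_canaries(root, ["docs", "projects/src"])
    clean = check_canaries(baseline)  # nothing touched yet -> []
    with open(root / "docs" / CANARY_NAME, "r+b") as fh:
        fh.write(secrets.token_bytes(HEADER_LEN))
    (root / "projects" / "src" / CANARY_NAME).unlink()
    return clean, sorted(verdict for _, verdict in check_canaries(baseline))
```

A real product hooks the write rather than polling afterwards, which is what lets it block the process before the next file is touched; this polling version only shows what the canary baseline makes detectable.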
## Indicators of Compromise

### File Hashes (DYNOWIPER)

| SHA256 | Filename |
|---|---|
| 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 | dynacom_update.exe |
| 65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c | Source.exe |
| 60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b | schtask.exe |
| d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160 | schtask.exe |

### Distribution Scripts

| SHA256 | Filename |
|---|---|
| 8759e79cf3341406564635f3f08b2f333b0547c444735dba54ea6fce8539cf15 | dynacon_update.ps1 |
| f4e9a3ddb83c53f5b7717af737ab0885abd2f1b89b2c676d3441a793f65ffaee | exp.ps1 |

### Network Indicators

| IP Address | Context |
|---|---|
| 185.200.177[.]10 | VPN logins, direct DYNOWIPER execution |
| 31.172.71[.]5 | Reverse proxy for data exfiltration |
| 193.200.17[.]163 | VPN logins |
| 185.82.127[.]20 | VPN logins |
| 72.62.35[.]76 | VPN and O365 logins |

### YARA Rule

```yara
rule DYNOWIPER {
    meta:
        author = "CERT Polska"
        description = "Detects DYNOWIPER data destruction malware"
        severity = "CRITICAL"
        reference = "https://mwdb.cert.pl/"
    strings:
        $a1 = "$recycle.bin" wide
        $a2 = "program files(x86)" wide
        $a3 = "perflogs" wide
        $a4 = "windows\x00" wide
        $b1 = "Error opening file: " wide
        $priv = "SeShutdownPrivilege" wide
        $api1 = "GetLogicalDrives"
        $api2 = "ExitWindowsEx"
        $api3 = "AdjustTokenPrivileges"
    condition:
        uint16(0) == 0x5A4D and filesize < 500KB and 4 of ($a*, $b1) and $priv and 2 of ($api*)
}
```

## Recommendations

### Immediate Actions

- Deploy behavioral ransomware protection: signature-based detection alone is insufficient against novel wipers
- Enable MFA on all VPN and remote access solutions: the attackers exploited accounts without MFA
- Audit FortiGate and edge device configurations: check for unauthorized accounts, rules, and scheduled tasks
- Review default credentials: industrial devices (RTUs, HMIs, serial servers) often ship with default passwords

### Detection Opportunities

Monitor for:

- `GetLogicalDrives` API calls followed by mass file operations
- `SetFileAttributesW` calls setting `FILE_ATTRIBUTE_NORMAL` at scale
- Privilege escalation for `SeShutdownPrivilege` followed by `ExitWindowsEx`
- GPO modifications creating scheduled tasks with SYSTEM privileges
- Unusual file modifications across multiple drives simultaneously

### Recovery Considerations

- Restore from offline/air-gapped backups: online backups may have been targeted
- Verify backup integrity before restoration
- Assume credential compromise: reset all passwords, especially domain admin accounts
- Audit all removable media that may have been connected to affected systems

## Conclusion

The December 2025 attacks on Poland's energy sector represent a significant escalation in destructive cyber operations against critical infrastructure. DYNOWIPER, while not technically sophisticated, proved effective at rapid data destruction when combined with the threat actor's extensive pre-positioned access.

The incident underscores the importance of defense-in-depth strategies, particularly behavioral detection capabilities that can identify destructive malware regardless of its novelty. Elastic Defend's ransomware protection, specifically its canary file monitoring, proved effective at detecting and blocking DYNOWIPER before it could complete its destructive mission.

Organizations in critical infrastructure sectors should review their security posture against the TTPs documented in this report and CERT Polska's comprehensive analysis.

## References

- CERT Polska: Energy Sector Incident Report – 29 December
- Cisco Talos: Static Tundra
- FBI IC3: PSA250820

## MITRE ATT&CK Mapping

| Tactic | Technique | ID |
|---|---|---|
| Execution | Scheduled Task/Job | T1053.005 |
| Defense Evasion | File and Directory Permissions Modification | T1222 |
| Discovery | Local Storage Discovery | T1680 |
| Impact | Data Destruction | T1485 |
| Impact | System Shutdown/Reboot | T1529 |
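The first three Detection Opportunities listed above, expressed as detection logic over a constructed per-process API trace. This is an added example, not a production rule from Elastic or CERT Polska: the event shape `(timestamp, pid, api, argument)`, the sample events, and the count threshold and time window are all assumptions.

```python
"""Detection logic for the DYNOWIPER API sequences under Detection Opportunities,
run over a constructed per-process API trace. Added example, not a production
rule: the event shape (timestamp, pid, api, argument) and thresholds are assumed."""
from collections import defaultdict

# Constructed telemetry, loosely modelled on a sandbox-style API trace.
EVENTS = [(0.0, 4120, "GetLogicalDrives", "")]
for i in range(120):  # one attribute strip + one open per victim file
    EVENTS.append((0.1 + i * 0.01, 4120, "SetFileAttributesW", "FILE_ATTRIBUTE_NORMAL"))
    EVENTS.append((0.1 + i * 0.01, 4120, "CreateFileW", "GENERIC_READ|GENERIC_WRITE"))
EVENTS += [
    (2.0, 4120, "OpenProcessToken", "TOKEN_ADJUST_PRIVILEGES"),
    (2.1, 4120, "AdjustTokenPrivileges", "SeShutdownPrivilege"),
    (2.2, 4120, "ExitWindowsEx", "EWX_REBOOT|EWX_FORCE"),
    (0.5, 900, "SetFileAttributesW", "FILE_ATTRIBUTE_NORMAL"),  # benign: a single call
    (5.0, 900, "ExitWindowsEx", "EWX_LOGOFF"),                   # benign: no privilege prep
]

ATTR_THRESHOLD = 50  # SetFileAttributesW(NORMAL) calls per window; tuning assumption
WINDOW_S = 5.0       # seconds after GetLogicalDrives in which to count them

def detect(events, threshold=ATTR_THRESHOLD, window=WINDOW_S) -> dict:
    """Return {pid: [alert names]} for the two DYNOWIPER sequences in the report."""
    by_pid = defaultdict(list)
    for ev in sorted(events):
        by_pid[ev[1]].append(ev)
    alerts = defaultdict(list)
    for pid, evs in by_pid.items():
        enum_ts = [t for t, _, api, _ in evs if api == "GetLogicalDrives"]
        attr_ts = [t for t, _, api, arg in evs
                   if api == "SetFileAttributesW" and arg == "FILE_ATTRIBUTE_NORMAL"]
        # Rule 1: drive enumeration followed by mass attribute stripping in one window
        if any(sum(t0 <= t <= t0 + window for t in attr_ts) >= threshold for t0 in enum_ts):
            alerts[pid].append("mass_attribute_strip_after_drive_enum")
        # Rule 2: SeShutdownPrivilege enabled, then ExitWindowsEx from the same process
        priv_ts = [t for t, _, api, arg in evs
                   if api == "AdjustTokenPrivileges" and arg == "SeShutdownPrivilege"]
        if any(api == "ExitWindowsEx" and any(p <= t for p in priv_ts)
               for t, _, api, _ in evs):
            alerts[pid].append("shutdown_privilege_then_exitwindowsex")
    return dict(alerts)
```

Legitimate administration tools also enable `SeShutdownPrivilege` before calling `ExitWindowsEx`, so rule 2 on its own is an investigation lead rather than a blocking signal; pairing it with rule 1 or with process reputation is what makes it high confidence.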