Overview

On December 29th of 2025, a series of coordinated cyber attacks took place against a number of targets connected to Poland's electric grid. These targets consisted of at least 30 wind and solar farms and a combined heat and power (CHP) plant supplying heat to nearly half a million customers. While the attack had no immediate impact on the grid, the extent of access, destructive activity, and timing (coinciding with low temperatures and snow storms) makes this a particularly worrying incident.

What particularly caught our attention is that this incident involved a TTP which we have been warning about for years, namely bricking critical OT devices as an attack amplification strategy. Indeed, it seems the threat actor behind this incident exploited a variant of CVE-2024-8036, which Midnight Blue discovered in ABB equipment a few years ago. In this blog post we will discuss the specific risks and technical aspects of attackers bricking embedded devices and the potential impact thereof, since there seems to be an uptick in adversary deployment of this TTP while it remains underappreciated among defenders.

This blog post will focus on some of the TTPs used in the attacks on the wind and solar farms. These Distributed Energy Resources (DERs) feed power into the electric grid and communicate with the regional Distribution System Operators (DSOs) through so-called Grid Connection Point (GCP) substations. At the GCP substation a Remote Terminal Unit (RTU) acts as the central telecontrol and supervision gateway interacting with the remote DSO SCADA system. Typically, the DSO SCADA system polls the RTU for measurements and status information and can send commands or setpoints to specify grid parameters, disconnect power, and regulate generation capacity.
DSO SCADA communications with the RTUs were reported as occurring via DNP3.0 or IEC-101 protocols over cellular or wired router links sitting behind FortiGate integrated firewall and VPN concentrators. Reporting also indicates DSOs in Poland typically require communications between SCADA and GCPs to occur over serial links, with IP-to-RS232/485 serial converters being present in the substations as well. It is somewhat unclear from the reporting how this works exactly (since there won't be an actual point-to-point serial cable between RTU and SCADA), but from what could be gathered it seems the RTUs either were connected via serial links to routers with built-in serial-to-IP converters or they used another Ethernet connection with IP-to-serial-to-IP conversion in between. While this seems somewhat cumbersome, it makes sense to mandate serial interfaces only at security perimeters to limit the amount of exposed attack surface. After all, an attacker capable of talking to an IP stack across a security perimeter has the opportunity to exploit more parsing vulnerabilities or invoke more latent protocol functionality.

The RTUs in turn communicate with various devices in the substation, including protection relays which govern fault detection, isolation, and the tripping of circuit breakers. The attacks resulted in a loss of communications between the GCPs and DSOs, but such a loss of communications does not mean the DERs stop feeding power into the grid, which has the potential to cause grid imbalances. For further background on the incident, we recommend the comprehensive technical report from CERT-PL, the ESET write-up on the involved wiper, and a great deep-dive series on the (potential) cyber-physical impact scenarios by Ruben Santamarta [1,2].

During the incident, the attackers attempted to disrupt a variety of OT devices in each substation by probing them in ascending IP address order.
That is, they attempted to render the devices functionally inoperable or at least unresponsive, including bricking some in such a way that they would need to be physically replaced.

Relion IEDs provide protection and control functionality within substations, such as controlling circuit breakers and switchgear and detecting fault conditions. The CERT-PL report mentions two cases of attackers connecting to IEDs' FTP services using default credentials in order to delete essential files in such a manner that the device was prevented from being properly restarted. This seems to closely match the "soft-bricking" approach to CVE-2024-8036, which Midnight Blue discovered in ABB equipment during a Red Team engagement for a DSO customer. Hitachi acquired over 80% of ABB's Power Grids division in 2020, resulting in its acquisition of the Relion 650 and 670 series of IEDs, while other Relion series (such as the 611, 615, 620, and 630) remained with ABB. Architecturally, these devices all share quite a bit of their tech stack. This vulnerability results from an Improper Handling of Exceptional Conditions (CWE-755) when an FTP operation deletes critical configuration files but does not replace them with functional new ones. Such malformed configuration updates can put the ...
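The ascending-address probing described above leaves a recognisable shape in substation firewall or router connection logs: one source touching many distinct OT hosts in strictly increasing address order within a short window, something a legitimate SCADA poller (which revisits a fixed set of hosts) does not do. The following is an added detection example written for this post, not code from Midnight Blue, CERT-PL or any of the cited reports; the log format, the sample records (private RFC 1918 addresses and times made up for the illustration) and the thresholds `min_hosts` and `window_s` are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in "timestamp src dst dport action" form. The addresses,
# ports and times are invented for this example and are not incident data.
SAMPLE_LOG = """\
2026-01-01T03:10:01Z 10.20.0.5 10.20.1.10 21 allow
2026-01-01T03:10:03Z 10.20.0.5 10.20.1.11 21 allow
2026-01-01T03:10:04Z 10.20.0.5 10.20.1.12 102 allow
2026-01-01T03:10:06Z 10.20.0.5 10.20.1.13 502 allow
2026-01-01T03:10:07Z 10.20.0.5 10.20.1.14 21 allow
2026-01-01T03:10:09Z 10.20.0.5 10.20.1.15 80 allow
2026-01-01T03:11:00Z 10.20.0.9 10.20.1.12 20000 allow
2026-01-01T03:12:00Z 10.20.0.9 10.20.1.12 20000 allow
2026-01-01T03:12:30Z 10.20.0.9 10.20.1.40 20000 allow
"""


def parse_line(line: str):
    """Split one record into (timestamp, src, dst-as-int, dport, action)."""
    ts_s, src, dst, dport, action = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, src, int(ipaddress.ip_address(dst)), int(dport), action


def _summarize(src: str, run: list, min_hosts: int):
    """Turn an ascending run of (ts, dst) events into a finding, or None."""
    hosts = {dst for _, dst in run}
    if len(hosts) < min_hosts:
        return None
    first = str(ipaddress.ip_address(run[0][1]))
    last = str(ipaddress.ip_address(run[-1][1]))
    return (src, first, last, len(hosts))


def detect_sequential_sweeps(lines, min_hosts: int = 4, window_s: int = 60):
    """Report sources that contacted at least min_hosts distinct destinations
    in strictly ascending address order within window_s seconds.

    Returns a list of (src, first_dst, last_dst, distinct_host_count)."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _, _ = parse_line(line)
        by_src[src].append((ts, dst))

    findings = []
    for src, events in by_src.items():
        events.sort()                     # chronological order per source
        run = []                          # current ascending run of (ts, dst)
        for ts, dst in events:
            if run and dst == run[-1][1]:
                continue                  # same host again (other port): run continues
            too_old = run and (ts - run[0][0]).total_seconds() > window_s
            if run and (dst < run[-1][1] or too_old):
                finding = _summarize(src, run, min_hosts)
                if finding:
                    findings.append(finding)
                run = []                  # address went backwards or window expired
            run.append((ts, dst))
        if run:
            finding = _summarize(src, run, min_hosts)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for src, first, last, n in detect_sequential_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{src} swept {n} hosts in ascending order from {first} to {last}")
```

In the sample only 10.20.0.5 is reported; 10.20.0.9 revisits one host and then jumps to a single other one, which is what normal polling looks like. The heuristic is deliberately coarse: tune `min_hosts` to the number of OT devices in a substation and `window_s` to how quickly the source moves, and treat any hit from inside the substation network as a priority alert, since nothing there should be enumerating its neighbours.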
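The CWE-755 defect described above is a general pattern rather than anything specific to one product: a configuration update path that removes the existing critical file before the replacement has been validated and written, combined with a boot path that treats a missing or unparsable file as fatal. The following added example, written for this post and not taken from any vendor's firmware or from CVE-2024-8036 itself, shows that fragile pattern next to a hardened one; `CRITICAL_FILE`, `FACTORY_DEFAULTS` and all function names are assumed names for a generic device with a single critical configuration file.

```python
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumed names for a generic device with one critical config file; this is
# an illustration of the defect class, not any real product's file layout.
CRITICAL_FILE = "device.cfg"
LKG_FILE = CRITICAL_FILE + ".lkg"          # last-known-good copy
FACTORY_DEFAULTS = {"role": "protection", "baud": 9600}


def is_valid(cfg) -> bool:
    """Minimal schema check; a real device would validate far more."""
    return (isinstance(cfg, dict)
            and cfg.get("role") in {"protection", "control"}
            and isinstance(cfg.get("baud"), int) and cfg["baud"] > 0)


def fragile_update(cfg_dir: Path, new_cfg: dict) -> None:
    """Delete-then-validate: if the new content is rejected (or the write is
    interrupted) the device is left with no configuration at all."""
    path = cfg_dir / CRITICAL_FILE
    path.unlink(missing_ok=True)            # old file gone before anything is checked
    if not is_valid(new_cfg):
        raise ValueError("rejected update")  # too late: nothing left to boot from
    path.write_text(json.dumps(new_cfg))


def fragile_boot(cfg_dir: Path) -> dict:
    """Unhandled exceptional condition: a missing file aborts start-up."""
    with open(cfg_dir / CRITICAL_FILE) as fh:
        return json.load(fh)                # FileNotFoundError / JSONDecodeError propagate


def safe_update(cfg_dir: Path, new_cfg: dict) -> None:
    """Validate first, keep a last-known-good copy, write a temp file in the
    same directory, fsync it, then rename it over the live file atomically."""
    if not is_valid(new_cfg):
        raise ValueError("rejected update")  # live file untouched
    path = cfg_dir / CRITICAL_FILE
    if path.exists():
        shutil.copy2(path, cfg_dir / LKG_FILE)
    fd, tmp = tempfile.mkstemp(dir=cfg_dir, prefix=".cfg-")
    with os.fdopen(fd, "w") as fh:
        fh.write(json.dumps(new_cfg))
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)                   # atomic on POSIX: old or new, never neither


def resilient_boot(cfg_dir: Path):
    """Try the live file, then last-known-good, then factory defaults, and
    report which source was used so the fallback can be logged and alarmed."""
    for name, source in ((CRITICAL_FILE, "live"), (LKG_FILE, "last-known-good")):
        try:
            cfg = json.loads((cfg_dir / name).read_text())
        except (FileNotFoundError, ValueError):   # JSONDecodeError is a ValueError
            continue
        if is_valid(cfg):
            return cfg, source
    return dict(FACTORY_DEFAULTS), "factory-defaults"


def demo_dir() -> Path:
    """Fresh scratch directory standing in for the device's config store."""
    return Path(tempfile.mkdtemp())


if __name__ == "__main__":
    d = demo_dir()
    safe_update(d, {"role": "control", "baud": 19200})
    safe_update(d, {"role": "protection", "baud": 38400})
    try:
        fragile_update(d, {"role": "bogus"})   # a malformed update hits the fragile path
    except ValueError:
        pass
    try:
        fragile_boot(d)
    except FileNotFoundError:
        print("fragile boot: aborted, device stays down")
    print("resilient boot:", resilient_boot(d))
```

The two halves address the two sides of the defect: `safe_update` never reaches a state where no usable file exists, and `resilient_boot` treats a missing or corrupt file as an expected condition with a degraded-but-running outcome. On a device that also exposes the file store over a management protocol, the boot-side fallback is the part that matters most, because it is what keeps a deleted file from turning into a truck roll; logging which source was used turns the fallback into a detection signal as well.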