In December 2025, a coordinated cyberattack attributed to Russian state-sponsored group Sandworm hit Poland’s energy infrastructure — a combined heat and power plant serving nearly 500,000 customers plus roughly 30 wind, solar, and heating facilities. Operators lost visibility and control. In some cases, ICS devices were permanently damaged. DynoWiper was deployed. Firmware was corrupted. Devices were reset to factory settings.
It was the most destructive cyberattack on a NATO member’s energy sector on record.
How did they get in? Vulnerable internet-facing FortiGate devices. Default credentials. No multi-factor authentication.
This is the entry point that comes up in almost every OT incident post-mortem. Not a zero-day. Not a sophisticated supply chain compromise. A device sitting on the perimeter with factory credentials that nobody changed.
The attack did not cause a blackout — but it took away the ability to see and control what was happening. Operators were flying blind across 30 sites simultaneously. That is not a detection failure. That is what happens when the only layer between an attacker and physical infrastructure is a single perimeter device with no compensating controls behind it.
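The pattern described above (an internet-facing device with default credentials, no MFA, known vulnerabilities, and nothing behind it) can be turned into a routine inventory check. The following is an added example, not code from the article or from any vendor: it audits a constructed perimeter-device inventory for exactly those conditions and ranks the results, treating a weak entry point with no compensating control behind it as the critical "single layer" case. The device names, the `PerimeterDevice` fields and the control labels (`jump_host`, `segmentation`, `ot_monitoring`) are assumptions chosen for illustration; in practice the `default_credentials` and `patched` values would come from a credential check and a vulnerability scan, not from a hand-maintained list.

```python
from dataclasses import dataclass, field


@dataclass
class PerimeterDevice:
    """One edge device from the inventory (constructed sample data; field names are assumptions)."""
    name: str
    internet_facing: bool
    default_credentials: bool      # result of an external credential check
    mfa_enabled: bool
    patched: bool                  # current vendor advisories applied
    # Controls that sit between this device and the process network,
    # e.g. "segmentation", "jump_host", "ot_monitoring" (labels are assumptions).
    compensating_controls: set = field(default_factory=set)


def audit_device(device: PerimeterDevice) -> list:
    """Return the weaknesses that make up the post-mortem pattern, in a fixed order."""
    findings = []
    if not device.internet_facing:
        return findings            # scope of this check: perimeter exposure only
    if device.default_credentials:
        findings.append("default-credentials")
    if not device.mfa_enabled:
        findings.append("no-mfa")
    if not device.patched:
        findings.append("unpatched")
    if not device.compensating_controls:
        findings.append("no-compensating-controls")
    return findings


def severity(findings: list) -> str:
    """An entry weakness with nothing behind the device is the single-layer case: critical.
    An entry weakness with some control behind it is high; anything else that was found is medium."""
    entry = {"default-credentials", "no-mfa", "unpatched"} & set(findings)
    if entry and "no-compensating-controls" in findings:
        return "critical"
    if entry:
        return "high"
    if findings:
        return "medium"
    return "ok"


def prioritize(inventory: list) -> list:
    """Rank devices so the ones an attacker would reach first are fixed first."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    results = []
    for device in inventory:
        findings = audit_device(device)
        results.append((device.name, severity(findings), findings))
    return sorted(results, key=lambda r: order[r[1]])   # stable sort keeps inventory order within a tier


# Constructed inventory: three hypothetical devices, not taken from the article.
SAMPLE_INVENTORY = [
    PerimeterDevice("chp-plant-edge-fw", True, True, False, False),
    PerimeterDevice("wind-site-12-vpn", True, False, False, True, {"jump_host"}),
    PerimeterDevice("hq-core-fw", False, False, True, True),
]

if __name__ == "__main__":
    for name, sev, findings in prioritize(SAMPLE_INVENTORY):
        print(f"{sev:8} {name:20} {', '.join(findings) or '-'}")
```

The ordering is the point: a device that is merely internet-facing with MFA and a jump host behind it is a normal hardening item, while a device with factory credentials and nothing behind it is the condition the post-mortem describes, and the script puts it at the top of the list regardless of where it appears in the inventory.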
Cyberattacks against Poland rose 250% in 2025 compared to the prior year. The December attack came roughly ten years after Sandworm first disrupted Ukraine’s power grid. They did not stop. They got better.