theSecNews

Polish Energy Farms Targeted in Coordinated Cyber Attack Exposing Critical Security Weaknesses

The Sec News Team

A Coordinated Cyber Attack Exposes Critical Weaknesses in Polish Energy Infrastructure

A newly published report from CERT Polska reveals that attackers gained extensive access to the internal infrastructure of multiple energy farms in Poland. Despite the severity of the intrusion — which included administrative‑level access and destructive actions against industrial devices — the country’s electricity supply remained stable throughout the incident. According to the findings, even if the compromised facilities had been fully taken offline, the combined capacity loss would not have threatened the stability of the national grid.

Why This Incident Matters

The incident highlights recurring and systemic issues within operational technology (OT) environments, particularly in the renewable energy sector. While no disruption to supply occurred, the attack demonstrates how fragile many industrial control environments remain when basic misconfigurations and weak authentication practices go unaddressed. Against a backdrop of increasing pressure on energy systems and a rise in state‑linked cyber activity, the findings are a stark warning that resilience cannot rely on good fortune.

How the Attackers Gained Access

The CERT Polska analysis indicates two likely intrusion vectors:

  • exploitation of a vulnerability in an Internet‑facing VPN interface, or
  • use of stolen administrator credentials on an environment that lacked multi‑factor authentication.

Each targeted site operated FortiGate devices acting as both VPN concentrator and firewall. Crucially, the VPN interface was exposed to the Internet and accepted password‑only logins, with no multi‑factor verification of any kind. With administrator‑level control of the device that both terminated remote access and enforced the firewall policy between segments, the attackers could reach every internal network segment routed through it, which amounted to unrestricted lateral movement.
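The two weaknesses above are the kind a configuration audit catches before an attacker does. The script below is an added example, not code from the CERT Polska report or from Fortinet: it parses a FortiOS‑style configuration export and flags management services enabled on a WAN interface, an SSL‑VPN portal bound to that interface, local VPN users who can log in with only a password, and admin accounts with no two‑factor or trusted‑host restriction. The configuration text, interface names and account names are constructed for illustration, and the check relies on the assumption that, as in a real export, settings left at their defaults are omitted, so a missing two‑factor line means two‑factor is disabled.

```python
"""Added example: audit a FortiOS-style configuration export for the weaknesses
described above (Internet-facing VPN, password-only accounts).  This is not
code from the CERT Polska report or from Fortinet; the config text, interface
and account names are constructed for illustration.  Assumption: as in a real
export, settings left at their defaults are omitted, so a missing 'two-factor'
line means two-factor is disabled."""
from collections import defaultdict

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set port 443
end
config user local
    edit "ops-admin"
        set type password
        set passwd ENC xxxx
    next
    edit "ops-mfa"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC xxxx
    next
    edit "secops"
        set accprofile "super_admin"
        set password ENC xxxx
        set two-factor fortitoken
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

MGMT_SERVICES = {"http", "https", "ssh", "telnet"}  # admin services in 'allowaccess'


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}}.
    Section-level 'set' lines (no enclosing 'edit') are stored under entry ''."""
    sections = defaultdict(lambda: defaultdict(dict))
    stack = []  # [section_name, current_entry] pairs, innermost last (nested tables supported)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), ""])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1].strip('"')
            sections[stack[-1][0]].setdefault(stack[-1][1], {})
        elif tok[0] == "set":
            section, entry = stack[-1]
            sections[section][entry][tok[1]] = " ".join(t.strip('"') for t in tok[2:])
        elif tok[0] == "next":
            stack[-1][1] = ""
        elif tok[0] == "end":
            stack.pop()
    return sections


def audit(sections):
    """Return findings in config order; an empty list means none of the checks fired."""
    findings = []
    ifaces = sections["system interface"]
    wan = [n for n, s in ifaces.items() if s.get("role") == "wan"]
    for name in wan:
        exposed = sorted(MGMT_SERVICES & set(ifaces[name].get("allowaccess", "").split()))
        if exposed:
            findings.append(f"interface '{name}': management access ({', '.join(exposed)}) "
                            "enabled on Internet-facing interface")
    vpn_if = sections["vpn ssl settings"][""].get("source-interface")
    if vpn_if in wan:
        findings.append(f"ssl-vpn: portal bound to Internet-facing interface '{vpn_if}'")
    for name, s in sections["user local"].items():
        if name and s.get("two-factor", "disable") == "disable":
            findings.append(f"user local '{name}': password-only login, no two-factor")
    for name, s in sections["system admin"].items():
        if not name:
            continue
        if s.get("two-factor", "disable") == "disable":
            findings.append(f"system admin '{name}': no two-factor")
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"system admin '{name}': no trusthost restriction, "
                            "logins accepted from any source")
    return findings


def audit_config(text):
    return audit(parse_fortios(text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed export, the script reports five findings: management on wan1, the portal bound to wan1, the password‑only VPN user, and two for the built‑in admin account; the accounts with a FortiToken and a trusted host produce none. The script only sees local users; accounts authenticated through LDAP or RADIUS need the equivalent check on the identity provider.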

What Investigators Found Inside the Network

Once inside the internal networks, the attackers encountered — and exploited — a landscape characterised by poor configuration hygiene and widespread use of default credentials across a range of industrial devices.

1. Hitachi RTU560 Controllers

Most affected energy farms used Hitachi RTU560 devices. These controllers still held default accounts, including one with permissions to modify firmware. Attackers uploaded corrupted firmware images, intentionally damaging the boot sequence and forcing the devices into continuous restart loops.

2. Mikronika Controllers

In other facilities, Mikronika Linux‑based controllers were accessed via SSH using default root‑level credentials. The attackers executed commands to delete all system files, rendering the devices inoperable.

3. Hitachi Relion 650 Protection Devices

In two cases, field protection controllers were targeted. Default FTP accounts — which should have been disabled under recommended deployment guidance — allowed attackers to delete essential system files, preventing the devices from restarting.

4. Windows‑Based HMI Systems

Some human‑machine interface (HMI) workstations ran Mikronika Syndis on Windows 10. These retained a deployment password for the local administrator account that was shared across the workstations, so a single credential was valid on every one of them. The attackers used Remote Desktop Protocol (RDP) to log in with it directly, without any password guessing.
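As an added example (not code from the report), the detection logic below shows how the HMI pattern above surfaces in Windows Security logs: a successful Remote Desktop logon (event 4624, logon type 10) with a machine‑local Administrator account from any host other than the designated jump host, and the same source fanning out across several HMI workstations within minutes, which is what replaying one shared password looks like. The events are constructed to mirror the fields of event 4624; the jump‑host address, host names, timestamps and thresholds are assumptions of the example.

```python
"""Added example (not code from the report): flag the HMI access pattern
described above in Windows Security logs.  Event 4624 with LogonType 10 is a
successful Remote Desktop logon; a TargetDomainName equal to the host name
means the account is machine-local.  The events below are constructed, and the
jump-host address, host names and thresholds are assumptions of the example."""
from collections import defaultdict
from datetime import datetime, timedelta

JUMP_HOSTS = {"10.20.0.10"}     # assumed: only system permitted to open RDP sessions to HMIs
LOGON_REMOTE_INTERACTIVE = 10   # 4624 LogonType value for RDP

EVENTS = [  # constructed: one routine jump-host session, then one source sweeping the HMIs
    {"time": "2025-03-14T08:12:03", "host": "HMI-01", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "TargetDomainName": "HMI-01", "IpAddress": "10.20.0.10"},
    {"time": "2025-03-14T21:02:11", "host": "HMI-01", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "TargetDomainName": "HMI-01", "IpAddress": "10.20.5.44"},
    {"time": "2025-03-14T21:03:40", "host": "HMI-02", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "TargetDomainName": "HMI-02", "IpAddress": "10.20.5.44"},
    {"time": "2025-03-14T21:05:02", "host": "HMI-03", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "Administrator", "TargetDomainName": "HMI-03", "IpAddress": "10.20.5.44"},
    {"time": "2025-03-14T21:05:30", "host": "HMI-03", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "svc-historian", "TargetDomainName": "PLANT", "IpAddress": "10.20.1.7"},
    {"time": "2025-03-14T21:06:15", "host": "HMI-04", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "operator", "TargetDomainName": "PLANT", "IpAddress": "10.20.0.10"},
]


def is_local_admin_rdp(ev):
    """Successful RDP logon using the machine-local built-in Administrator account."""
    return (ev["EventID"] == 4624
            and ev["LogonType"] == LOGON_REMOTE_INTERACTIVE
            and ev["TargetDomainName"].upper() == ev["host"].upper()
            and ev["TargetUserName"].lower() == "administrator")


def unexpected_admin_rdp(events, allowed=JUMP_HOSTS):
    """Rule 1: local-admin RDP from anything other than the allowed jump hosts."""
    return [ev for ev in events if is_local_admin_rdp(ev) and ev["IpAddress"] not in allowed]


def rdp_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Rule 2: one source logging in as local admin to >= min_hosts distinct
    workstations within `window`, the signature of a shared password being
    replayed across the fleet.  Returns {source_ip: sorted hosts} for each hit."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_local_admin_rdp(ev):
            by_src[ev["IpAddress"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    alerts = {}
    for src, hits in by_src.items():
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for ev in unexpected_admin_rdp(EVENTS):
        print(f"local-admin RDP to {ev['host']} from {ev['IpAddress']} at {ev['time']}")
    for src, hosts in rdp_fanout(EVENTS).items():
        print(f"fan-out: {src} -> {', '.join(hosts)}")
```

On the constructed events, rule 1 fires three times (HMI‑01, HMI‑02 and HMI‑03 from 10.20.5.44) and rule 2 reports that source sweeping all three within the window; the morning jump‑host session and the domain‑account logons stay quiet. Detection is the second line: the first is to stop sharing the credential at all, for instance by giving every workstation its own randomised local administrator password (Windows LAPS does this), so that one recovered password no longer opens the whole HMI fleet.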

5. Moxa NPort 6000‑Series Serial Device Servers

Every compromised site used Moxa NPort serial device servers with their web interfaces active and default credentials in place. The attackers reset the devices to factory settings, changed the passwords, and assigned unreachable IP addresses, disrupting the serial‑attached equipment that depended on them.

A Pattern of Preventable Failures

Taken together, the report paints a picture of widespread security oversights: unprotected remote access points, administrator accounts without multi‑factor authentication, and industrial devices left in default configurations. This combination allowed attackers not only to infiltrate the network but to execute destructive changes across multiple device families.

The attack was also timed alongside a separate intrusion into a Polish combined heat and power plant, underscoring a coordinated strategy aimed at energy infrastructure.

Conclusion

Although Poland’s national grid did not experience instability, the incident underscores how critical infrastructure can be placed at risk through avoidable misconfigurations and weak authentication practices. The report from CERT Polska stands as a reminder that securing energy infrastructure must evolve far beyond merely keeping systems online — it requires rigorous configuration management, strong identity controls, and proactive defence across all layers of industrial networks.
