When IT Meets OT: Lessons from the December 29, 2025 Polish Power Grid Cyberattack
On 29 December 2025, a coordinated cyberattack struck multiple components of Poland’s energy infrastructure, including more than 30 wind and photovoltaic farms as well as a large combined heat and power (CHP) plant. Although the attack did not cause widespread blackouts, it demonstrated a serious escalation in how threat actors are targeting industrial control systems and critical operational technology (OT) environments.
What Happened?
According to a detailed Energy Sector Incident Report by CERT Polska and subsequent analyses by cybersecurity researchers, attackers gained unauthorized access to internal networks controlling distributed energy resources and attempted to deploy destructive wiper malware (often referred to as DynoWiper) on industrial devices. The malware was observed deleting system files and corrupting firmware, impairing communication between field devices and control systems. Safety protections prevented more severe outcomes, but the intent was clearly to disrupt or damage energy operations.
Security analysts have attributed the attack with medium confidence to a Russian state-aligned advanced persistent threat (APT) group commonly known as Sandworm — a group with a history of targeting energy infrastructure and other critical sectors.
Key Vulnerabilities Exploited
Investigations highlighted several factors that made the infrastructure vulnerable:
- Insufficient network segmentation between IT and OT systems, allowing attackers to pivot from one network segment to another.
- Use of outdated or poorly configured remote access devices, including VPNs and exposed gateways without adequate multi-factor authentication.
- Weak access control policies and default or shared administrative credentials on industrial equipment.
These weaknesses reflect a broader industry challenge: OT environments have historically lagged behind traditional IT in adopting modern cybersecurity best practices, despite being directly tied to physical outcomes.
Practical Prevention & Response Steps
For organizations looking to strengthen their cyber posture — especially those with blended IT/OT environments — there are several best practices that can significantly reduce risk:
- Robust Network Segmentation: Segregating IT and OT networks prevents attackers from moving laterally from user systems into operational control systems. Deploy firewalls and micro-segmentation to isolate critical devices.
- Strong Identity and Access Management: Enforce multi-factor authentication (MFA) for all remote access points, retire default credentials, and implement role-based access control (RBAC) to limit privileges.
- Continuous Monitoring & Threat Detection: SOC-level monitoring with real-time alerting helps detect abnormal behavior early. Managed Detection and Response (MDR) services can rapidly escalate suspicious activity before it turns into a full breach.
- Patch & Configuration Management: Regular vulnerability scanning and timely application of security patches to both IT and OT assets drastically reduce the window of opportunity for attackers.
- Incident Preparedness and Simulation Drills: Periodic tabletop exercises and OT-specific incident response planning help ensure teams understand their roles and can respond swiftly in a real crisis.
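As an added illustration of the segmentation and access-management controls listed above (example code, not from the CERT Polska report or from Modena360), the following Python script scans constructed firewall flow records and remote-access login records and flags two of the weaknesses named in the incident: IT-to-OT connections that bypass a sanctioned jump host, and remote logins that lack MFA or use default administrative accounts. The zone ranges, jump-host address, account names and log records are all assumed values.

```python
import ipaddress

# Constructed sample environment (assumed values, not from the incident):
# an IT user zone, an OT control zone, and a single jump host that is the
# only sanctioned path from IT into OT.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")
JUMP_HOST = ipaddress.ip_address("10.10.200.5")
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}  # assumed default/shared names

# Constructed firewall flow records: (src, dst, dst_port, action)
FLOW_LOGS = [
    ("10.10.31.7", "10.50.1.20", 502, "ALLOW"),   # IT host straight to an OT PLC (Modbus)
    ("10.10.200.5", "10.50.1.20", 502, "ALLOW"),  # same PLC reached via the jump host
    ("10.10.31.7", "10.10.40.2", 445, "ALLOW"),   # IT to IT, not of interest here
]

# Constructed remote-access (VPN/gateway) login records: (user, src_ip, mfa, result)
VPN_LOGS = [
    ("j.kowalski", "203.0.113.10", True, "success"),
    ("admin", "198.51.100.7", False, "success"),    # default account, no MFA
    ("operator", "198.51.100.7", False, "failure"),
]

def find_it_to_ot_pivots(flows):
    """Return allowed flows from the IT zone into the OT zone that do not
    originate from the sanctioned jump host (a segmentation bypass)."""
    findings = []
    for src, dst, port, action in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if action == "ALLOW" and s in IT_ZONE and d in OT_ZONE and s != JUMP_HOST:
            findings.append((src, dst, port))
    return findings

def find_weak_remote_logins(logins):
    """Return remote logins that succeeded without MFA, plus any attempt
    (successful or not) that used a default/shared administrative account."""
    findings = []
    for user, src, mfa, result in logins:
        reasons = []
        if result == "success" and not mfa:
            reasons.append("no-mfa")
        if user in DEFAULT_ACCOUNTS:
            reasons.append("default-account")
        if reasons:
            findings.append((user, src, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in find_it_to_ot_pivots(FLOW_LOGS):
        print("IT->OT flow bypassing jump host:", f)
    for f in find_weak_remote_logins(VPN_LOGS):
        print("Weak remote login:", f)
```

In practice the two record lists would be fed from the firewall and VPN gateway exports, and each finding forwarded to the SOC as an alert.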
Role of High-Quality MSPs Like Modena360
A proactive Managed Service Provider (MSP) such as Modena360 plays a critical role in protecting customers from sophisticated attacks. By delivering end-to-end IT and OT cybersecurity services, including continuous monitoring, automated patching, controlled access enforcement, and incident response preparedness, an MSP helps organizations stay ahead of evolving threats.
In the case of infrastructure like Poland’s energy grid, early detection of anomalous activity or unauthorized access — backed by quick containment — could have limited the attacker’s foothold before destructive malware could be deployed.
By partnering with an MSP focused on defense-in-depth strategies and OT-aware security operations, businesses and critical service providers can reduce risk, strengthen resilience, and respond more effectively if a breach occurs.
To enhance your organization’s cybersecurity posture against advanced threats like OT-targeted attacks, contact Modena360 today. Our expert team helps businesses detect, prevent, and respond to cyber incidents with tailored strategies that protect both IT and operational environments.