Coordinated Cyberattack on Polish Renewable Energy Infrastructure
Severity: High (Score: 75.5)
Sources: www.pv-magazine.com, Ess-News
Keywords: cyber, solar, winter, attack, against, polish, grid
Summary
In December 2025, a cyberattack targeted approximately 30 wind and solar sites in Poland, impacting communications and control systems. The attack, attributed to Russian hackers, exploited vulnerabilities in internet-facing edge devices, allowing access to remote terminal units (RTUs). While generation assets continued to operate, the incident raised alarms about the safety of battery energy storage systems, since an attacker with that level of access could manipulate charge rates and temperatures and risk thermal runaway. The event highlighted a significant gap in cyber-insurance coverage for physical damage resulting from cyber incidents. Experts noted that the attack represented a shift from targeting centralized SCADA systems to coordinated assaults on distributed assets. The insurance market faces challenges due to the overlap between cyber and property policies, which complicates claims for damages. The incident serves as a wake-up call for energy asset operators about the evolving threat landscape.

Key Points:
• A cyberattack in December 2025 affected approximately 30 renewable energy sites in Poland.
• Attackers exploited vulnerabilities in edge devices, targeting remote terminal units (RTUs).
• The incident highlighted gaps in cyber-insurance coverage for battery storage systems.
Detailed Analysis
**Impact**
Approximately 30 wind and solar sites across Poland were affected by the incident on December 29, 2025, disrupting communications and control-system visibility between generation assets and distribution system operators. Generation was not directly manipulated, but the attack exposed vulnerabilities in battery energy storage systems that could lead to thermal runaway and physical damage. The attack targeted distributed renewable energy infrastructure, hitting multiple smaller operators rather than a central control room, which raises the risk of widespread operational disruption and potential blackouts. No direct physical damage or data breaches were reported.

**Technical Details**
The attackers reached internet-facing edge devices that lacked multi-factor authentication and were protected by reused credentials (MITRE ATT&CK T1078, Valid Accounts, over T1021, Remote Services), and from there accessed remote terminal units (RTUs), protection relays and operator interfaces. Intrusions were coordinated across multiple sites simultaneously, focusing on RTUs to disrupt real-time data collection and control. A contributing factor was the IEEE 1547 DER interconnection interface: the field protocols commonly used to implement it, such as Modbus and DNP3 without Secure Authentication, carry no native authentication or integrity protection, so anyone who reaches the control network can issue commands. No specific malware, CVEs or IOCs were disclosed, and the available sources are trade press rather than an incident-response report, so the kill chain should be read as a reconstruction: initial access with compromised credentials, lateral movement to control systems, and the ability to manipulate control parameters.

**Recommended Response**
Enforce multi-factor authentication and eliminate credential reuse on every internet-facing device that controls renewable energy assets; where a field device cannot perform MFA itself, take it off the internet and front it with an authenticated VPN or jump host. Harden RTU and edge-device configurations, including network segmentation and strict access controls. Monitor for anomalous access patterns, in particular the same credential or source address authenticating to many sites within a short window, which is the signature of a coordinated attack on distributed control systems. Review and update cyber-insurance policies to cover cyber-physical risks specific to battery energy storage systems. No specific detection rules or patches were detailed in the available information.
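As an added example, not code from either source article, the following Python correlates constructed edge-device authentication log lines across sites to surface the pattern described above: one credential and source address successfully authenticating to several sites within minutes, plus every successful login that bypassed MFA. The log format, site names, addresses, user names and thresholds are assumptions chosen for illustration; the detection logic itself is what a SOC would run over real RTU or VPN gateway logs.

```python
"""Cross-site correlation of edge-device logins (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one per authentication attempt.
# Format assumed here: "<ISO time> site=<id> src=<ip> user=<name> result=<ok|fail> mfa=<yes|no>"
SAMPLE_LOGS = """
2025-12-29T03:10:02Z site=wind-07 src=203.0.113.5 user=admin result=ok mfa=no
2025-12-29T03:10:15Z site=pv-12 src=203.0.113.5 user=admin result=ok mfa=no
2025-12-29T03:10:41Z site=pv-19 src=203.0.113.5 user=admin result=ok mfa=no
2025-12-29T03:11:03Z site=wind-02 src=203.0.113.5 user=admin result=ok mfa=no
2025-12-29T03:11:20Z site=pv-31 src=203.0.113.5 user=admin result=fail mfa=no
2025-12-29T08:45:00Z site=pv-04 src=198.51.100.20 user=operator result=ok mfa=yes
2025-12-29T09:02:11Z site=pv-04 src=198.51.100.20 user=operator result=ok mfa=yes
2025-12-29T14:00:00Z site=wind-09 src=192.0.2.77 user=svc_scada result=ok mfa=no
""".strip().splitlines()


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_coordinated_access(records, window=timedelta(minutes=10), min_sites=3):
    """Flag each (src, user) pair that authenticates successfully to at least
    `min_sites` distinct sites inside any `window`-long interval.

    A single operator servicing one plant never trips this; a reused
    credential driven across a fleet from one address does.
    """
    by_actor = defaultdict(list)
    for r in records:
        if r["result"] == "ok":
            by_actor[(r["src"], r["user"])].append(r)

    alerts = []
    for (src, user), evs in by_actor.items():
        evs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(evs):
            # All later successes that fall inside the window opened by `start`.
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            sites = {e["site"] for e in burst}
            if len(sites) >= min_sites:
                alerts.append({
                    "src": src,
                    "user": user,
                    "sites": sites,
                    "first": start["ts"],
                    "last": burst[-1]["ts"],
                })
                break  # one alert per actor is enough for triage
    return alerts


def logins_without_mfa(records):
    """Every successful login where the MFA field is not 'yes'.

    On a control-network gateway this list should be empty; each entry is
    either a device that cannot do MFA (move it behind a jump host) or a
    policy exception that needs an owner.
    """
    return [r for r in records if r["result"] == "ok" and r["mfa"] != "yes"]


if __name__ == "__main__":
    recs = [parse_line(line) for line in SAMPLE_LOGS]
    for a in detect_coordinated_access(recs):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"COORDINATED: {a['user']}@{a['src']} hit {len(a['sites'])} sites "
              f"in {span:.0f}s: {sorted(a['sites'])}")
    for r in logins_without_mfa(recs):
        print(f"NO-MFA LOGIN: site={r['site']} user={r['user']} src={r['src']}")
```

The sliding window is keyed on distinct sites rather than event count, so a noisy operator polling one RTU repeatedly does not alert, while four sites from one address inside a minute does. In production the same two checks run over VPN concentrator or RTU web-interface logs, and the window and site threshold are tuned to how many plants a legitimate technician touches per shift.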
Source articles (2)
- Polish grid attack reveals cyber-insurance gap for battery storage — Ess-News · 2026-06-04
  A cybersecurity incident affecting approximately 30 wind and solar sites across Poland on Dec. 29, 2025, provided underwriters with a real-world example of an attack pathway against distributed renewa…
- Solar And The Cyber Winter — www.pv-magazine.com · 2026-06-04
  Cyber winter is a metaphorical concept describing a profound, structural shift in the nature of cyber threats and cyber-physical risks, particularly against critical infrastructure. The term was coine…
Timeline
- 2025-12-29 — Cyberattack on Polish renewable energy sites: Approximately 30 wind and solar facilities were targeted, affecting communications and control systems.
- 2026-06-04 — Analysis of attack reveals insurance gaps: Experts discuss the implications of the attack on cyber-insurance policies for energy assets, highlighting risks of thermal runaway.
- 2026-06-04 — Shift in attack strategies noted: Experts emphasize the transition from centralized SCADA attacks to coordinated field-level assaults on distributed energy systems.
Related entities
- DDoS (Attack Type)
- Ransomware (Attack Type)
- Israel (Country)
- Poland (Country)
- Spain (Country)
- CWE-287 - Improper Authentication (Cwe)
- Energy (Industry)
- T1021 - Remote Services (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- IEEE 1547 (Platform)
- Scada (Platform)