DYNOWIPER: Destructive Malware Targeting Poland’s Energy Sector
Estimated reading time: 8 minutes
Key Takeaways:
- Coordinated wiper attack targeting Polish energy infrastructure during peak winter demand.
- Attributed to the Static Tundra (Berserk Bear) actor group, known for targeting ICS environments.
- Initial access achieved through unpatched Fortinet FortiGate devices and lack of MFA.
- Uses a selective file corruption method to maximize speed and bypass standard restoration tools.
- Proactive defense requires canary files and specialized cyber threat intelligence.
Table of Contents
- Incident Overview
- Technical Breakdown of DYNOWIPER
- Attack Vector and Initial Access
- Malware Architecture and Metadata
- The Destruction Mechanism
- Behavioral Detection and Defense
- Contextual Threat Environment
- Practical Takeaways for Leaders
- PurpleOps Expertise and Services
- Indicators of Compromise (IOCs)
- Frequently Asked Questions
Incident Overview
On December 29, 2025, during a period of extreme winter weather, a coordinated cyberattack targeted the Polish energy infrastructure. This operation utilized a custom-developed wiper malware, identified as DYNOWIPER, to cause irreversible data destruction across critical systems. The attack impacted more than 30 renewable energy facilities, including wind and solar farms, and a major combined heat and power (CHP) plant responsible for supplying heat to approximately 500,000 customers. A manufacturing firm was also affected, appearing to be an opportunistic target within the broader campaign.
The infrastructure used in this campaign has been attributed by CERT Polska to the threat cluster known by several designations: Static Tundra (Cisco Talos), Berserk Bear (CrowdStrike), Ghost Blizzard (Microsoft), and Dragonfly (Symantec). This actor group has a documented history of targeting critical infrastructure and industrial control systems (ICS). The deployment of DYNOWIPER represents a significant shift from data exfiltration toward active service disruption through data destruction.

Technical Breakdown of DYNOWIPER
The analysis of DYNOWIPER reveals a focused, functional design intended for rapid disk corruption rather than complex evasion. The malware is a 32-bit Windows PE executable, compiled using Microsoft Visual C++ on December 26, 2025, only three days prior to the coordinated strikes.
Attack Vector and Initial Access
The threat actors secured initial access to the energy sector targets through edge devices, specifically Fortinet FortiGate appliances. Several factors contributed to the successful breach:
- MFA Deficiencies: VPN interfaces allowed authentication without multi-factor authentication.
- Credential Misuse: Attackers utilized reused credentials across different facilities, facilitating lateral movement.
- Unpatched Vulnerabilities: Exploitation of known vulnerabilities in unpatched edge devices.
Post-compromise, the actors conducted months of reconnaissance within the Operational Technology (OT) and SCADA environments. During this period, they exfiltrated Active Directory databases and FortiGate configurations. This level of access suggests that a dark web monitoring service could potentially have identified the trade of compromised credentials or internal configurations prior to the destructive phase. Underground forum intelligence is often the only way to detect the pre-positioning of such actors before the impact phase begins.
Malware Architecture and Metadata
The analyzed sample (SHA256: 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5) is 167,424 bytes in size. A notable artifact in the binary is the PDB path: C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\Release\Source.pdb. The “vagrant” user suggests the malware was developed within a virtualized environment managed by Vagrant.
DYNOWIPER lacks several features common in modern malware:
- No C2 Communication: The malware is entirely standalone.
- No Persistence: It does not attempt to survive a system reboot.
- No Anti-Analysis: There are no obfuscation or anti-debugging checks.
- No Shell Invocations: All destructive actions are performed through direct Windows API calls.
The Destruction Mechanism
DYNOWIPER employs a systematic approach to drive enumeration and file corruption to ensure maximum damage in the shortest possible window.
Drive Enumeration: The malware calls the GetLogicalDrives() API to identify all available drive letters (A-Z). It filters these results to target specific drive types using GetDriveTypeW(), focusing exclusively on DRIVE_FIXED (internal hard drives) and DRIVE_REMOVABLE (external storage).
Strategic File Corruption: To maximize speed, DYNOWIPER does not overwrite entire files. Instead, it utilizes the Mersenne Twister pseudorandom number generator (PRNG) to create sequences of random data for targeted corruption. The process follows these steps:
- Attribute Modification: It removes read-only or system protection attributes via SetFileAttributesW.
- Access: It opens the file for write access using CreateFileW.
- Header Overwrite: The first 16 bytes of the file are overwritten with random data.
- Strategic Offsets: For files larger than the header, the malware generates up to 4,096 random offsets throughout the file and overwrites 16-byte blocks at each location.
Intentional Directory Exclusions: DYNOWIPER maintains a list of directories it deliberately avoids, such as \windows, \system32, and \boot. The logic is to prevent the operating system from crashing prematurely, ensuring the environment remains stable enough to continue the destruction of user data and industrial configuration files across all targeted drives.
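Because the header of every touched file is overwritten, responders can scope the damage without a known-good copy: a file whose extension implies a fixed magic number but whose leading bytes no longer match it is a likely casualty. The following triage script is an added example written for this article; it is not code from PurpleOps or CERT Polska. The magic table, the directory layout and the sample files it builds are all constructed assumptions.

```python
"""Post-incident triage for the header-overwrite pattern described above.

Added example, not code from PurpleOps or CERT Polska. It relies on one
property of the pattern: the first 16 bytes of every touched file are
overwritten, so a file whose extension implies a fixed magic number but
whose leading bytes no longer match it is a likely casualty. The magic
table is deliberately short; extend it for the formats on the estate.
Nothing here modifies files; it only scopes the damage for responders.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Well-known leading bytes for a few common formats.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".exe": b"MZ",
    ".dll": b"MZ",
}
HEADER_LEN = 16  # size of the block the article says is always overwritten


def header_damaged(path: Path) -> Optional[bool]:
    """True if the leading bytes contradict the magic expected for the
    extension, False if they match, None if the extension is not in MAGIC."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return None
    with path.open("rb") as fh:
        head = fh.read(HEADER_LEN)
    return not head.startswith(expected)


def triage_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and bucket every regular file as damaged / intact / unknown."""
    buckets: Dict[str, List[str]] = {"damaged": [], "intact": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdict = header_damaged(p)
            key = "unknown" if verdict is None else ("damaged" if verdict else "intact")
            buckets[key].append(p.relative_to(root).as_posix())
    for names in buckets.values():
        names.sort()
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: an intact PNG, a PDF whose first 16 bytes were
    replaced by hand-typed junk (standing in for PRNG output), an EXE whose
    header survived, and a text file with no magic to check."""
    (root / "intact.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24)
    (root / "report.pdf").write_bytes(
        bytes.fromhex("8f12a73c55e109bb427dc300916e2af4") + b"\nobj\n%%EOF\n"
    )
    (root / "tool.exe").write_bytes(b"MZ" + b"\x90" * 62)
    (root / "notes.txt").write_text("plain text, no magic to check\n")


def demo() -> Dict[str, List[str]]:
    """Run the triage over the constructed tree in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="wiper_triage_"))
    build_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A "damaged" verdict is reliable, but "intact" is not proof of integrity: the 16-byte blocks written at random offsets leave the header untouched for files the header check happens to miss only when the header was not hit, which the article says never occurs, yet a file could still have been opened and then skipped for other reasons. Treat "intact" as "header matches" and confirm against backup hashes or a file-integrity baseline before restoring trust in industrial configuration files.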
Behavioral Detection and Defense
The DYNOWIPER incident demonstrates that signature-based detection is insufficient for stopping bespoke destructive tools. Behavioral monitoring, specifically through canary file protection, proved effective in this case.
“Canary files are decoy objects placed in common directories. When DYNOWIPER’s indiscriminate corruption engine attempted to modify these files, it triggered an immediate block.”
Organizations utilizing a cyber threat intelligence platform that integrates real-time ransomware intelligence and live ransomware API feeds can better configure these behavioral triggers to identify “wiper-like” activity.
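To make the canary mechanism concrete, here is a minimal integrity monitor written as an added example for this article; it is not the protection product the quoted sentence refers to. It plants decoy files in directories you name, records a baseline, and reports any decoy whose content or metadata changed. The decoy names, the temporary directory and the 16-byte overwrite it performs on its own decoy to exercise the check are all constructed test inputs.

```python
"""Canary-file integrity monitor.

Added example; it is not the protection product the quoted sentence
refers to. It plants decoy files in the directories you name, records a
baseline (mtime, SHA-256) and later reports any decoy whose content or
metadata changed. A wiper that walks every fixed drive cannot tell a
decoy from real data, so the first touched canary is the alert. The
response action is a callback so that a real deployment can hook an EDR
kill/isolate action; here it only records the event.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, NamedTuple

# Names chosen to look like ordinary user data; adjust per environment (constructed).
CANARY_NAMES = ["~$budget_2025.xlsx", "passwords_backup.txt", "plc_config_export.json"]


class Baseline(NamedTuple):
    mtime_ns: int
    sha256: str


def fingerprint(path: Path) -> Baseline:
    st = path.stat()
    return Baseline(st.st_mtime_ns, hashlib.sha256(path.read_bytes()).hexdigest())


def plant_canaries(dirs: List[Path]) -> Dict[Path, Baseline]:
    """Create the decoys and return the baseline to check against later."""
    baseline: Dict[Path, Baseline] = {}
    for d in dirs:
        for name in CANARY_NAMES:
            p = d / name
            p.write_bytes(f"canary file, do not edit: {name}\n".encode())
            baseline[p] = fingerprint(p)
    return baseline


def check_canaries(baseline: Dict[Path, Baseline],
                   on_tamper: Callable[[Path, str], None]) -> List[Path]:
    """Compare each decoy with its baseline; call on_tamper for every change."""
    tampered: List[Path] = []
    for p, base in baseline.items():
        if not p.exists():
            reason = "deleted"
        else:
            now = fingerprint(p)
            if now.sha256 != base.sha256:
                reason = "content changed"      # the wiper case: bytes were rewritten
            elif now.mtime_ns != base.mtime_ns:
                reason = "metadata changed"     # touch/indexer; lower severity
            else:
                continue
        on_tamper(p, reason)
        tampered.append(p)
    return tampered


def demo() -> Dict[str, str]:
    """Plant decoys in a temp dir, overwrite the first 16 bytes of one of them
    (a constructed test step against our own file), and report the events."""
    root = Path(tempfile.mkdtemp(prefix="canary_"))
    baseline = plant_canaries([root])
    victim = root / "passwords_backup.txt"
    with victim.open("r+b") as fh:
        fh.write(bytes.fromhex("00112233445566778899aabbccddeeff"))  # junk header

    events: Dict[str, str] = {}

    def record(path: Path, why: str) -> None:
        events[path.name] = why

    check_canaries(baseline, record)
    return events


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"ALERT canary {name}: {why}")
```

Polling is shown for brevity; against a tool that corrupts thousands of files per second the check must be driven by file-system change notifications (or a minifilter/EDR hook) so the blocking action fires on the first write. Note also that the attribute strip the article describes (SetFileAttributesW) does not update mtime, so a Windows deployment should additionally compare `st_file_attributes` if it wants to catch that step before the write.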
Contextual Threat Environment
The attack on Poland occurs alongside other significant industry shifts. CISA recently issued a directive requiring federal agencies to decommission end-of-life (EoL) edge devices. The DYNOWIPER vector (unpatched FortiGate devices) aligns perfectly with this concern. Furthermore, the automation of vulnerability discovery is accelerating. Anthropic’s Claude Opus 4.6 recently identified over 500 high-severity flaws in open-source libraries, making supply-chain risk monitoring a critical component of defensive operations.
Integrating brand leak alerting can help organizations identify when their systems or employee credentials have been compromised before they are used to deploy destructive payloads.
Practical Takeaways for Technical and Strategic Leaders
Technical Engineering Recommendations:
- Implement Canary Files: Deploy decoy files across all file servers and monitor for unauthorized Write or Modify actions.
- Monitor API Patterns: Configure monitoring for the sequence of GetLogicalDrives followed by SetFileAttributesW.
- Enforce Hardware MFA: Remote access to OT and SCADA environments must require hardware-based multi-factor authentication.
- Network Segmentation: Isolate the OT network from the corporate environment.
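The "Monitor API Patterns" recommendation is easier to operationalize with a rate condition attached, since backup agents and disk utilities also call GetLogicalDrives. The rule below is an added example, not PurpleOps detection content. The trace line format, the three sample processes and the thresholds are constructed assumptions standing in for whatever your EDR or ETW consumer emits; the point it shows is that the enumeration preamble plus a burst of attribute-strip-then-write-open on many distinct files is what separates wiper-like behaviour from a backup job that enumerates drives and only reads.

```python
"""Behavioural rule for the API sequence recommended above:
GetLogicalDrives, then a burst of SetFileAttributesW followed by
CreateFileW-for-write on many distinct files.

Added example, not PurpleOps detection content. The trace format
("<seconds> pid=<n> api=<Name> [<args>]") is an assumption standing in
for whatever an EDR or ETW consumer emits; the sample lines are
constructed. Thresholds are illustrative and must be tuned per estate.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) pid=(?P<pid>\d+) api=(?P<api>\w+)(?: (?P<args>.*))?$")


class Call(NamedTuple):
    ts: float
    pid: int
    api: str
    args: str


def parse_trace(lines: List[str]) -> List[Call]:
    """Parse the assumed trace format; lines that do not match are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Call(float(m["ts"]), int(m["pid"]), m["api"], m["args"] or ""))
    return sorted(calls, key=lambda c: (c.ts, c.pid))


def _path_of(args: str) -> str:
    # In the constructed format the path is the first token (sample paths contain no spaces).
    return args.split(" ", 1)[0]


def detect_wiper_pattern(calls: List[Call], min_files: int = 5,
                         window_s: float = 2.0) -> Dict[int, int]:
    """Return {pid: peak distinct files} for processes that, after calling
    GetLogicalDrives, strip attributes on and then open for write at least
    min_files distinct files within any window_s-second window."""
    enumerated = set()
    stripped: Dict[int, set] = defaultdict(set)                 # pid -> paths hit by SetFileAttributesW
    write_ts: Dict[int, Dict[str, float]] = defaultdict(dict)  # pid -> path -> first write-open ts
    for c in calls:
        if c.api == "GetLogicalDrives":
            enumerated.add(c.pid)
        elif c.pid not in enumerated:
            continue  # no enumeration preamble: not the sequence we are after
        elif c.api == "SetFileAttributesW":
            stripped[c.pid].add(_path_of(c.args))
        elif c.api == "CreateFileW" and "GENERIC_WRITE" in c.args:
            path = _path_of(c.args)
            if path in stripped[c.pid]:
                write_ts[c.pid].setdefault(path, c.ts)
    flagged: Dict[int, int] = {}
    for pid, per_path in write_ts.items():
        times = sorted(per_path.values())
        peak, lo = 0, 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_files:
            flagged[pid] = peak
    return flagged


def _wiper_like_trace(pid: int, n_files: int, start: float) -> List[str]:
    """Constructed: enumeration, then each file attribute-stripped and opened for write."""
    out = [f"{start:.3f} pid={pid} api=GetLogicalDrives",
           f"{start + 0.001:.3f} pid={pid} api=GetDriveTypeW C:\\ DRIVE_FIXED"]
    for i in range(n_files):
        t = start + 0.1 * (i + 1)
        out.append(f"{t:.3f} pid={pid} api=SetFileAttributesW C:\\data\\f{i}.cfg FILE_ATTRIBUTE_NORMAL")
        out.append(f"{t + 0.001:.3f} pid={pid} api=CreateFileW C:\\data\\f{i}.cfg GENERIC_WRITE")
    return out


SAMPLE_TRACE: List[str] = (
    # constructed backup agent: enumerates drives but only ever reads
    ["5.000 pid=2210 api=GetLogicalDrives", "5.001 pid=2210 api=GetDriveTypeW C:\\ DRIVE_FIXED"]
    + [f"{5.1 + 0.1 * i:.3f} pid=2210 api=CreateFileW C:\\data\\f{i}.cfg GENERIC_READ" for i in range(8)]
    # constructed admin tool: strips attributes on one file, never enumerates drives
    + ["7.000 pid=3300 api=SetFileAttributesW C:\\tmp\\a.log FILE_ATTRIBUTE_NORMAL",
       "7.001 pid=3300 api=CreateFileW C:\\tmp\\a.log GENERIC_WRITE"]
    + _wiper_like_trace(4120, 6, 10.0)
)


if __name__ == "__main__":
    for pid, n in detect_wiper_pattern(parse_trace(SAMPLE_TRACE)).items():
        print(f"pid {pid}: enumeration followed by {n} attribute-strip+write-open files")
```

Only the constructed pid 4120 trips the rule; the backup agent never strips attributes and the admin tool never enumerates drives. In production, pair the rule with the directory-exclusion behaviour described earlier (a process that writes everywhere except under \windows and \system32 is itself a signal) and feed the flagged pid straight into the same block action the canary files use.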
Strategic Business Recommendations:
- Address End-of-Life Hardware: Prioritize the replacement of any edge devices that no longer receive security patches.
- Verify Offline Backups: Ensure that backups are air-gapped and unreachable by malware on the primary network.
- Incorporate Intelligence Services: Monitor for mentions of organizational assets on the dark web or Telegram via a dedicated platform.
PurpleOps Expertise and Services
The DYNOWIPER campaign underscores the necessity of proactive security measures. PurpleOps provides specialized services designed to identify and mitigate the vulnerabilities exploited in the Poland energy sector attacks.
Our red team operations simulate advanced reconnaissance and lateral movement techniques, allowing organizations to find weaknesses in their MFA and credential management. For critical infrastructure, our supply-chain information security and penetration testing services provide a deep dive into edge device security.
Explore our full range of services to evaluate your organization’s resilience:
- PurpleOps Platform
- Security Services
- Ransomware and Wiper Protection
- Dark Web Monitoring
- Cyber Threat Intelligence
Indicators of Compromise (IOCs)
DYNOWIPER File Hashes:
| Filename | SHA256 |
|---|---|
| dynacom_update.exe | 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 |
| Source.exe | 65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c |
Network Indicators:
- 185.200.177[.]10
- 31.172.71[.]5
- 193.200.17[.]163
- 72.62.35[.]76
Frequently Asked Questions
What is DYNOWIPER malware?
DYNOWIPER is a destructive 32-bit Windows executable designed to rapidly corrupt files and industrial control configurations on targeted systems without the possibility of recovery.
How did the attackers gain access to the Polish energy sector?
Attackers exploited unpatched Fortinet FortiGate edge devices, leveraging a lack of multi-factor authentication and reused credentials to move laterally through the networks.
Why does the malware exclude specific system directories?
By avoiding directories like \windows and \system32, the malware ensures the operating system stays stable enough to finish corrupting all user data and connected drive contents before the system finally reboots.
Can behavioral detection stop wiper malware?
Yes, techniques like canary file protection can detect the rapid, indiscriminate file modification patterns typical of wipers and block the process before significant damage occurs.