DYNOWIPER: Destructive Malware Targeting Poland's Energy Sector

总结

• On December 29, 2025, a coordinated campaign of destructive cyberattacks targeted Poland's energy infrastructure, affecting over 30 renewable energy facilities and a major combined heat and power (CHP) plant
• A custom wiper malware dubbed DYNOWIPER was used to irreversibly destroy data across compromised networks
• CERT Polska attributes the attack infrastructure to the threat cluster Cisco refers to as Static Tundra, Crowdstrike refers to as Berserk Bear, Microsoft calls Ghost Blizzard, and Symantec labels as Dragonfly
• Elastic Defend's ransomware protection successfully detects and prevents DYNOWIPER execution using canary file monitoring

背景

The coordinated destructive campaign against critical energy infrastructure occurred on December 29, 2025, during a period of severe winter weather in Poland.

According to CERT Polska’s report, the campaign targeted:

• 30+ wind and solar farms across Poland
• A major CHP plant supplying heat to nearly half a million customers
• A manufacturing sector company characterized as an opportunistic target

Attack Vector

The threat actor reportedly gained initial access through Fortinet FortiGate devices exposed to the internet prior to December 29th, exploiting:

• VPN interfaces allowing authentication without multi-factor authentication
• Reused credentials across multiple facilities
• Historical vulnerabilities in unpatched devices

Attackers conducted months-long reconnaissance of industrial automation systems, specifically targeting SCADA systems and OT networks. During this time, they exfiltrated Active Directory databases, FortiGate configurations, and data related to OT network modernization.

DYNOWIPER Details

Elastic Security Labs independently analyzed a DYNOWIPER sample from open sources. The sample is similar to one of the variants documented by CERT Polska.

Sample Metadata

Destruction Mechanism

Drive Enumeration

The malware enumerates all logical drives (A-Z) using GetLogicalDrives() and targets only DRIVE_FIXED (hard drives) and DRIVE_REMOVABLE (USB drives, SD cards) types.

File Corruption

DYNOWIPER employs a Mersenne Twister PRNG to generate pseudorandom data for file corruption. Rather than overwriting entire files (which requires time), it strategically corrupts files by:

1. Removing file protection attributes via SetFileAttributesW(FILE_ATTRIBUTE_NORMAL)
2. Opening files with CreateFileW for read/write access
3. Overwriting the file header with 16 bytes of random data
4. For larger files, generating up to 4,096 random offsets and overwriting each with 16-byte sequences

This approach allows rapid corruption of many files while ensuring data is unrecoverable.

Directory Exclusion List

The malware deliberately avoids system-critical directories to maintain system stability during the attack:

• windows, system32
• program files, program files(x86)
• boot, appdata, temp
• recycle.bin, $recycle.bin
• perflogs, documents and settings

This design choice maximizes data destruction before the system becomes unstable, ensuring the wiper completes its mission.

Forced Reboot

After corruption and deletion phases complete, DYNOWIPER:

1. Obtains a process token via OpenProcessToken()
2. Enables SeShutdownPrivilege via AdjustTokenPrivileges()
3. Forces system reboot with ExitWindowsEx(EWX_REBOOT | EWX_FORCE)

Notable Characteristics

DYNOWIPER is distinguished by several characteristics:

• No persistence mechanism - The malware does not attempt to survive reboots
• No C2 communication - Completely standalone, no network callbacks
• No shell command invocations - All operations performed via Windows API
• No anti-analysis techniques - No attempts to evade detection or debugging
• Characteristic PDB path: C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\Release\Source.pdb

The use of "vagrant" in the PDB path suggests development occurred in a Vagrant-managed virtual machine environment.

Version Differences

CERT Polska documented two DYNOWIPER versions (A and B). The sample we analyzed corresponds to version A. Version B removed the system shutdown functionality and added a 5-second sleep between corruption and deletion phases.

Elastic Defend Protection

During testing of DYNOWIPER samples, Elastic Defend successfully detected and mitigated the malware before it could cause damage.

Detection Alert

{  
  "message": "Ransomware Prevention Alert",  
  "event": {  
    "code": "ransomware",  
    "action": "canary-activity",  
    "type": ["info", "start", "change", "denied"],  
    "category": ["malware", "intrusion_detection", "process", "file"],  
    "outcome": "success"  
  },  
  "Ransomware": {  
    "feature": "canary",  
    "version": "1.9.0"  
  }  
}

How Canary Protection Works

Elastic Defend's ransomware protection employs canary files (strategically placed decoy files) that trigger alerts when modified. DYNOWIPER's indiscriminate file corruption approach caused it to modify a canary file.

When the wiper attempted to corrupt this canary file, Elastic Defend immediately:

1. Detected the suspicious modification pattern
2. Blocked further execution
3. Generated a high-confidence ransomware alert (risk score: 73)

While Elastic Defend was not the EDR solution used in this incident, this form of defense-in-depth protection was critical in the real-world intrusion. According to CERT Polska, the EDR solution deployed at the CHP plant, using the same canary protection technology highlighted above, halted data overwriting on more than 100 machines where DYNOWIPER had already begun executing.

Why Behavioral Detection is Crucial

Destructive malware can present unique challenges to minimizing risk:

• They may not establish C2 connections (no network indicators)
• They may not use persistence mechanisms (limited forensic artifacts)
• They execute quickly and destructively
• Static signature-based detection may miss new variants

Behavioral protection, such as through canary files, provides a crucial layer of defense that can catch destructive malware regardless of its novelty.

Indicators of Compromise

File Hashes (DYNOWIPER)

Distribution Scripts

Network Indicators

YARA Rule

rule DYNOWIPER {  
    meta: 
        author = "CERT Polska"
        description = "Detects DYNOWIPER data destruction malware"  
        severity = "CRITICAL"  
        reference = "https://mwdb.cert.pl/"  
          
    strings:  
        $a1 = "$recycle.bin" wide  
        $a2 = "program files(x86)" wide  
        $a3 = "perflogs" wide  
        $a4 = "windows\x00" wide  
        $b1 = "Error opening file: " wide  
        $priv = "SeShutdownPrivilege" wide  
        $api1 = "GetLogicalDrives"  
        $api2 = "ExitWindowsEx"  
        $api3 = "AdjustTokenPrivileges"  
          
    condition:  
        uint16(0) == 0x5A4D  
        and filesize < 500KB  
        and 4 of ($a*, $b1)  
        and $priv  
        and 2 of ($api*)  
}

Recommendations

Immediate Actions

1. Deploy behavioral ransomware protection - Signature-based detection alone is insufficient against novel wipers
2. Enable MFA on all VPN and remote access solutions - The attackers exploited accounts without MFA
3. Audit FortiGate and edge device configurations - Check for unauthorized accounts, rules, and scheduled tasks
4. Review default credentials - Industrial devices (RTUs, HMIs, serial servers) often ship with default passwords

Detection Opportunities

Monitor for:

• GetLogicalDrives API calls followed by mass file operations
• SetFileAttributesW calls setting FILE_ATTRIBUTE_NORMAL at scale
• Privilege escalation for SeShutdownPrivilege followed by ExitWindowsEx
• GPO modifications creating scheduled tasks with SYSTEM privileges
• Unusual file modifications across multiple drives simultaneously

Recovery Considerations

• Restore from offline/air-gapped backups - Online backups may have been targeted
• Verify backup integrity before restoration
• Assume credential compromise - Reset all passwords, especially domain admin accounts
• Audit all removable media that may have been connected to affected systems

结论

The December 2025 attacks on Poland's energy sector represent a significant escalation in destructive cyber operations against critical infrastructure. DYNOWIPER, while not technically sophisticated, proved effective at rapid data destruction when combined with the threat actor's extensive pre-positioned access.

The incident underscores the importance of defense-in-depth strategies, particularly behavioral detection capabilities that can identify destructive malware regardless of its novelty. Elastic Defend's ransomware protection—specifically its canary file monitoring—proved effective at detecting and blocking DYNOWIPER before it could complete its destructive mission.

Organizations in critical infrastructure sectors should review their security posture against the TTPs documented in this report and CERT Polska's comprehensive analysis.

---

参考资料

• CERT Polska: Energy Sector Incident Report – 29 December

• Cisco Talos: Static Tundra
• FBI IC3: PSA250820

MITRE ATT&CK Mapping