Default Credentials and Missing MFA: Inside the Poland Energy Cyberattack
This major incident in Poland is a useful reminder that attackers don't always need "clever" exploits - they often just need easy access.
On 29 December 2025, coordinated destructive cyberattacks hit 30+ wind and solar sites in Poland and a large Combined Heat-and-Power (CHP) plant serving nearly half a million customers. The focus was on operational visibility and recoverability rather than electricity generation itself.
What made this incident particularly sobering is how much of it came down to basics:
- Internet-exposed SSL-VPN portals without MFA gave the attacker a straightforward entry point.
- Default credentials and out-of-the-box hardening gaps showed up repeatedly - from Remote Terminal Unit (RTU) controllers, to Human-Machine Interfaces, to serial device servers.
- In some cases, protective features existed but weren't enabled (for example, firmware secure update controls on Hitachi RTUs).
- The attacker took steps to hinder response and recovery - factory-resetting devices, disabling logging, and changing IP addresses to unreachable values.
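None of the behaviours above is exotic, which also means none of it is hard to detect. The script below is an added illustration (not part of the original post, and not drawn from CERT Polska's reporting) of three simple detections a site operator could run over its own telemetry: successful VPN logins made with a password alone, devices that stop sending heartbeats (consistent with a factory reset or logging being disabled), and devices whose source address suddenly changes. The log lines and device names are constructed for the example; the record layouts are assumptions, not any vendor's real format.

```python
from datetime import datetime, timedelta, timezone

# Constructed SSL-VPN authentication records (assumed layout, not a vendor format):
# timestamp, gateway, result, username, source IP, second factor used.
VPN_LOG = """\
2025-12-28T22:10:05Z vpn-gw1 ok ops.jsmith 203.0.113.7 mfa=totp
2025-12-29T01:42:11Z vpn-gw1 ok svc.rtu 198.51.100.22 mfa=none
2025-12-29T01:43:40Z vpn-gw1 ok admin 198.51.100.22 mfa=none
2025-12-29T02:00:02Z vpn-gw1 fail admin 198.51.100.22 mfa=none
"""

# Constructed "I am alive" syslog heartbeats from site devices (assumed layout):
# timestamp, device name, source IP the message arrived from.
HEARTBEAT_LOG = """\
2025-12-29T01:00:00Z rtu-wind-07 10.20.7.10
2025-12-29T01:05:00Z rtu-wind-07 10.20.7.10
2025-12-29T01:10:00Z rtu-wind-07 10.20.7.10
2025-12-29T01:00:00Z hmi-solar-03 10.30.3.20
2025-12-29T01:05:00Z hmi-solar-03 10.30.3.20
2025-12-29T01:10:00Z hmi-solar-03 10.30.3.20
2025-12-29T01:15:00Z hmi-solar-03 10.30.3.20
2025-12-29T01:00:00Z serial-srv-12 10.40.12.5
2025-12-29T01:05:00Z serial-srv-12 10.40.12.5
2025-12-29T01:10:00Z serial-srv-12 10.40.12.5
2025-12-29T01:15:00Z serial-srv-12 192.0.2.250
"""


def parse_ts(s):
    """Parse the UTC 'Z' timestamps used in the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logins_without_mfa(log=VPN_LOG):
    """Successful VPN sessions established with a password alone.

    Returns (timestamp, username, source IP) for each hit. Failed attempts are
    ignored here; they belong to a separate brute-force detection.
    """
    hits = []
    for line in log.splitlines():
        ts, _gw, result, user, src, factor = line.split()
        if result == "ok" and factor == "mfa=none":
            hits.append((ts, user, src))
    return hits


def silent_devices(now, log=HEARTBEAT_LOG, max_gap=timedelta(minutes=10)):
    """Devices whose most recent heartbeat is older than max_gap at time `now`.

    A device going quiet is consistent with a factory reset, logging being
    disabled, or a plain outage; the alert is the cue to verify out-of-band.
    """
    last_seen = {}
    for line in log.splitlines():
        ts, dev, _ip = line.split()
        t = parse_ts(ts)
        if dev not in last_seen or t > last_seen[dev]:
            last_seen[dev] = t
    return sorted(dev for dev, t in last_seen.items() if now - t > max_gap)


def address_changes(log=HEARTBEAT_LOG):
    """Devices whose heartbeat source address changed between messages.

    Lines are sorted by timestamp first, so the log need not be in order.
    Returns (timestamp, device, old IP, new IP) for each change.
    """
    current = {}
    changes = []
    for line in sorted(log.splitlines()):
        ts, dev, ip = line.split()
        prev = current.get(dev)
        if prev is not None and prev != ip:
            changes.append((ts, dev, prev, ip))
        current[dev] = ip
    return changes


if __name__ == "__main__":
    now = parse_ts("2025-12-29T01:22:00Z")
    for ts, user, src in logins_without_mfa():
        print(f"ALERT password-only VPN login {user} from {src} at {ts}")
    for dev in silent_devices(now):
        print(f"ALERT {dev} has not sent a heartbeat in the last 10 minutes")
    for ts, dev, old, new in address_changes():
        print(f"ALERT {dev} changed source address {old} -> {new} at {ts}")
```

Run as-is, it flags the two password-only sessions (`svc.rtu` and `admin`, both from the same address), reports `rtu-wind-07` as silent at 01:22 because its last heartbeat was at 01:10, and reports `serial-srv-12` moving from 10.40.12.5 to 192.0.2.250. The heartbeat gap detector will also fire on ordinary outages, which is the point: an unmanned site that cannot tell a reset from a link failure needs someone to go and look either way.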
There's also a lesson here about resilience: in the CHP environment, endpoint detection blocked the wiper at runtime and limited damage across 100+ machines. That's a tangible example of why layered defence still matters, even when prevention fails.
So what should security leaders take from this?
1. Treat authentication as critical infrastructure: remove defaults, enforce strong controls, and use MFA everywhere remote access exists.
2. Harden and continuously review edge systems - especially where patch windows are slow and sites are unmanned.
3. Plan for destructive actions, not just data theft: detection, containment, and recovery drills are part of operational readiness.
This is also where organisations struggle in practice: even when the right fixes are obvious, the time and effort to implement them (especially across legacy and third-party systems) creates a gap attackers can use.
That gap is exactly what RedShield’s AWS-powered service is built to close. We can:
- Deploy in-flight security patches that mitigate vulnerabilities on the wire - rewriting requests/responses or adding missing controls in real time, without waiting for vendor patches or code changes.
- Add MFA to existing web applications quickly, again with no code changes - including for legacy systems.
- Deliver this as a 24/7 expert-delivered managed service, using a large existing patch library and rapid custom patching when needed, so teams aren't forced into emergency dev cycles just to reduce risk quickly.
If you're responsible for systems that people depend on, it's important to ask (and answer) an uncomfortable question: what's still internet-facing today that relies on passwords alone, defaults, or slow patch cycles?
(Incident reporting credit to CERT Polska and Kim Zetter.)