After Poland cyberattacks, CISA warns US energy sector to change default passwords


The US energy sector has been advised to immediately change all default passwords after a series of cyberattacks on Polish energy suppliers.

On December 29th, 2025, a threat actor targeted over 30 wind and solar farms, a combined heat and power (CHP) plant, and a manufacturing company in Poland.

According to an analysis performed by Poland’s computer emergency response team (CERT-PL), attackers gained access through internet-connected edge devices, such as firewalls and VPN gateways.


Several of these systems were exposed due to weak or missing multifactor authentication (MFA), poor network segmentation between operational technology (OT) and industrial control systems (ICS), and default or reused login credentials.

Once inside, the attackers deployed destructive malware, which they used to corrupt the firmware of remote terminal units (RTUs), disrupt human-machine interface (HMI) systems, and wipe corporate data.

The Kozienice Power Station, a coal-fired thermal power station near Kozienice, Poland is seen on August 21, 2025. Photo: D. Zarzycka/NurPhoto via Getty.

CERT-PL concluded that the cyberattack appeared strategic and disruptive, aligned with geopolitical tensions. Although major outages were avoided, the incident exposed significant vulnerabilities in industrial control environments.

According to CISA, its Polish counterpart's report reveals three important issues. First, vulnerable edge devices remain a primary target for threat actors; end-of-life edge devices such as firewalls, VPN gateways, and routers therefore pose significant risk and should be replaced immediately.


Secondly, operational technology without firmware verification can be permanently damaged.

“Operators should prioritize updates that allow firmware verification when available. If updates are not immediately feasible, ensure that cyber incident response plans account for inoperative OT devices to mitigate prolonged outages,” the cybersecurity authority says in a recently published security advisory.


Lastly, the threat actor leveraged default credentials. Operators should therefore change default passwords immediately to prevent attackers from gaining entry to critical systems.
