Table of contents
Case study: Poland’s late-2025 destructive campaign against energy assets
Case study: Railway sabotage in Poland and the identity dimension of hybrid threats
Case study: Ukraine’s energy war and the return of credential-led intrusion in 2026
IAM lessons from these 3 cyber attacks on critical infrastructure
In 2025 alone, ransomware groups hit thousands of industrial organizations worldwide. The scariest part, in my opinion, is that many attackers are now playing “the long game”, i.e., they linger inside networks for an average of 42 days before triggering any visible disruption.
That long dwell time means credential abuse can go on for weeks while defenders are still trying to piece together what's happening. This is scary when we look at individual electric energy, transportation, or water supply units. But it’s terrifying when we consider that these sectors all fall under critical infrastructure and affect millions at a time.
Many regions now have a clear legal baseline with tight incident reporting clocks. Europe’s NIS2, for example, requires organizations in 18 critical sectors to issue an early warning within 24 hours, a formal notification within 72 hours, and a final report within a month.
These aren't abstract risks anymore, and identity and access controls are often the quiet first (and sometimes last) line of defense. When they're weak, one compromised credential can lead to real-world outages.
That’s why I’ve decided to look at three recent cyber attacks on critical infrastructure. I explain what happened in each, how stronger IAM practices could have helped, and what others can learn from these unfortunate incidents.
One of the most recent examples of where IAM was “suboptimal”, to say the least, was an attack on 30 wind and solar farms, a manufacturing company, and a major combined heat and power plant that delivers heat to nearly half a million people.
CERT Polska, which is the Computer Emergency Response Team of Poland’s Scientific and Academic Computer Network, laid out exactly what happened in their detailed report. Here, I’m going to explain broadly what the core event was, and what could have been done better from an access management and identity perspective.
The attackers deployed wipers like DynoWiper and LazyWiper, aiming to wipe data, disrupt operations, and potentially trigger energy blackouts. Thankfully, the worst didn't come to fruition, because there were no widespread outages or losses of power production.
From an IAM standpoint, though, I can’t say the systems were ideally prepared.
It started with initial access through internet-facing FortiGate devices acting as firewalls and VPN concentrators at the renewable sites. These VPN interfaces were exposed publicly, and authentication relied on single-factor only; there was no MFA.
Attackers likely used stolen or guessed credentials to log in, and once inside, destructive actions wiped VPN logs, erasing much of the early trail.
I've seen this pattern before in traditional breaches where exposed remote access became the front door. Here, in a distributed energy environment, it was especially risky because one compromised edge device could serve as a launchpad for broader reconnaissance.
Attackers gained access via SSH using unchanged default root-privileged credentials, then executed commands that systematically deleted essential system files, rendering the devices inoperable and breaking remote visibility and control. Comparable weaknesses appeared in other industrial hardware: Hitachi RTU560 remote terminal units permitted login through an undocumented “Default” account. This allowed the upload of corrupted firmware that induced persistent reboot loops. Certain Moxa serial-to-Ethernet servers and HMIs likewise retained factory-default passwords.
That example shows how badly things can turn for identity governance in industrial settings. Default or static credentials are frequently configured during initial setup and never rotated or removed. This makes them permanent, unmanaged secrets instead of temporary installation aids. When such credentials remain in place (particularly when the same or similar defaults are reused across geographically dispersed sites), they allow attackers to pivot from one device to many others with minimal additional effort.
This directly undermines network segmentation. An incident that should remain contained to a single asset quickly escalates into a multi-site compromise affecting power generation, transmission, or distribution assets that depend on isolation for safety and reliability.
I've seen how physical disruptions can expose vulnerabilities in digital access controls, amplifying the impact of cyber attacks on critical infrastructure. The November 2025 railway sabotage in Poland serves as a stark reminder of this interplay, even though the incident itself was primarily physical. Let me break down the event and its IAM implications.
In mid-November 2025, an explosion damaged a railway track on the Warsaw-to-Lublin line in Mika, Poland – a route critical for transporting supplies, including weapons, toward Ukraine. A separate act of sabotage targeted overhead cables near Puławy on the same line, disrupting railway traction.
Polish Prime Minister Donald Tusk described the blast as an "unprecedented act of sabotage aimed at the security of the Polish state and its citizens," noting it was intended to cause a railway disaster. Fortunately, no casualties occurred, but the incidents prompted a military inspection of a 120 km stretch of track to the Ukrainian border, highlighting the high stakes involved in protecting such vital arteries.
While this wasn't a classic cyber attack on critical infrastructure involving password theft or network intrusion, its relevance to IAM strategy cannot be overstated. Rail operations are quintessential cyber-physical systems, where physical assets like tracks and signals are managed through interconnected digital platforms for routing, signaling, and dispatch.
In moments of crisis – such as when a route faces sabotage – operators often expand remote access privileges to enable rapid rerouting and maintain service continuity. This predictable response creates opportunities for exploitation: shared accounts may be hastily activated, emergency exceptions granted without oversight, and audit trails left incomplete. These gaps can turn a localized physical disruption into a cascading failure if adversaries leverage hybrid threats, blending physical sabotage with digital infiltration.
Drawing from frameworks like NIST's Special Publication 800-207 on Zero Trust Architecture, I advocate for embedding resilience into IAM from the outset. Zero trust architecture principles – such as continuous verification, least privilege access, and assuming breach – are particularly vital here. For instance, rather than improvising during an incident, organizations should pre-design crisis access protocols. This includes deploying time-bounded "break-glass" accounts that activate only for short durations, coupled with strict logging to capture every action.
Multi-person approval workflows should be mandatory for any changes impacting critical functions like signaling, traction power, or dispatch authority. Additionally, ensuring full traceability of contractor and vendor identities – through robust identity federation and attribute-based access controls – helps mitigate risks from insider or externally influenced threats.
In my work with similar sectors, including addressing cybersecurity threats in the energy sector, I've observed that implementing these measures under a zero trust architecture not only reduces the amplification of physical disruptions but also builds overall system resilience.
Eurelectric documented 1,225 attacks on Ukrainian energy infrastructure in 2025, which was more than the prior three years combined, with intensity surging late in the year. Damage topped $20 billion. Unfortunately, this pattern extended into early 2026, when there was an attack that cut power and heat for civilians across multiple regions, in freezing weather.
I’ve taken a deeper dive, and Google Threat Intelligence narrowed this down to a Russia-linked actor (with suspected intelligence ties). In short, the attackers used large language models to write highly convincing phishing lures, impersonating Ukrainian national and local energy organizations.
Targets included both corporate and personal email accounts. Emails delivered Google Drive links to RAR archives containing double-extension files (e.g., .pdf.js) that hid obfuscated JavaScript. The JavaScript executed PowerShell to fetch memory-resident droppers while displaying decoy errors.
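The delivery chain just described (a Drive link in the mail body, an archive, and a double-extension member such as .pdf.js) is what a mail gateway or SOC triage script should key on. The following is an added example, not code from the post or from Google Threat Intelligence; the extension classes, the Finding shape and the sample mail are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Extension classes are an assumption for this example, not from the report:
# a document-looking extension followed by a script extension (report.pdf.js)
# is the double-extension trick the lure relied on.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXEC_EXTS = {"js", "jse", "vbs", "wsf", "hta", "exe", "scr", "bat", "cmd", "ps1", "lnk"}
DRIVE_LINK = re.compile(r"https?://drive\.google\.com/\S+", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    detail: str


def is_double_extension(name: str) -> bool:
    """True for names like Schedule.pdf.js where a script extension hides behind a document one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:  # need a base name plus two extensions
        return False
    return parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS


def triage_message(body: str, archive_members: list) -> list:
    """Flag the delivery chain: Drive link in the mail body plus a double-extension
    member in the archive listing (the listing is expanded beforehand by the gateway)."""
    findings = [Finding("drive_link", link) for link in DRIVE_LINK.findall(body)]
    findings += [Finding("double_extension", m) for m in archive_members if is_double_extension(m)]
    reasons = {f.reason for f in findings}
    if {"drive_link", "double_extension"} <= reasons:
        findings.append(Finding("lure_chain", "drive link -> archive -> double-extension script"))
    return findings


# Constructed sample (not a real lure): a mail impersonating an energy operator
SAMPLE_BODY = ("Dear colleagues, the updated outage schedule is available at "
               "https://drive.google.com/file/d/EXAMPLE-ID/view - please review today.")
SAMPLE_ARCHIVE = ["Outage_schedule/Schedule_2026.pdf.js", "Outage_schedule/readme.txt"]

if __name__ == "__main__":
    for f in triage_message(SAMPLE_BODY, SAMPLE_ARCHIVE):
        print(f"{f.reason:17} {f.detail}")
```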
As someone who specializes in IAM services, I must say that this credential-led resurgence is genuinely alarming. At Qwey, we’ve been talking more and more about the need to run simulated, internal (and unannounced!) phishing attacks for this exact reason – to catch an organization’s employee red-handed on a security exercise. This can show them in a real-world setting where they might misidentify an email from a malicious source, with zero repercussions.
Compromised email identities act as gateways – they control password resets, VPN approvals, maintenance ticketing, and administrative access to SCADA/OT support systems. Attackers begin by hijacking the very accounts that operate, monitor, or authorize changes to energy assets. They then pivot to harvest privileged credentials, establish persistence, or gather intelligence for precise physical targeting.
All these incidents point to a handful of persistent, fixable gaps that keep showing up in critical infrastructure. Here’s my take:
In Poland’s energy attacks, the FortiGate VPN interfaces relied on single-factor credentials. Such credentials are easy to compromise and, once stolen, give no way to verify who is actually logging in. In the Ukraine phishing campaigns, attackers went straight for email account takeover using LLM-crafted lures and double-extension payloads. They knew that one compromised mailbox can unlock resets, approvals, and deeper access. Phishing-resistant MFA (FIDO2 or hardware tokens) would have broken both entry vectors at the source.
CERT Polska documented unchanged root SSH defaults on Mikronika controllers and factory-default local admin passwords on HMIs and RTUs. Hardening during commissioning and routine credential scans would eliminate this low-hanging fruit for attackers.
Attackers reached domain controllers and used Group Policy to distribute wipers network-wide. When OT engineering workstations and SCADA support systems log on to the same Active Directory environment as IT, domain dominance becomes operational dominance. Least-privilege enforcement and just-in-time access for privileged roles are essential to keep this pivot from happening.
The stealthy FortiGate rule additions (broad inbound access with logging disabled and rules renamed to blend in) went unnoticed until too late. If access policy modifications and anomalous authentications aren’t flagged in real time, teams lose the window to contain before payloads execute.
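One way to catch exactly these policy changes is to diff consecutive configuration snapshots and alert on the patterns described (broad inbound accept rules, logging switched off, rules renamed to blend in). This is an added example, not the CERT Polska report's code and not FortiOS syntax; the Rule model and both snapshots are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Minimal policy-rule model (an assumption for this example, not FortiOS syntax)."""
    rule_id: int
    name: str
    src: str        # source address object, "any" = unrestricted
    action: str     # "accept" or "deny"
    inbound: bool   # True when the rule admits traffic from the untrusted (WAN) side
    log: bool       # True when traffic logging is enabled on the rule


def diff_policies(before: dict, after: dict) -> list:
    """Compare two snapshots keyed by rule_id and return alert strings for
    broad inbound rules, logging switched off, renamed rules and removed rules."""
    alerts = []
    for rid, rule in after.items():
        old = before.get(rid)
        if old is None:
            if rule.inbound and rule.action == "accept" and rule.src == "any":
                alerts.append(f"new broad inbound accept rule {rid} ({rule.name})")
            if rule.inbound and rule.action == "accept" and not rule.log:
                alerts.append(f"new inbound accept rule {rid} with logging disabled")
            continue
        if old.log and not rule.log:
            alerts.append(f"logging disabled on rule {rid} ({rule.name})")
        if old.name != rule.name:
            alerts.append(f"rule {rid} renamed {old.name!r} -> {rule.name!r}")
        if old.src != "any" and rule.src == "any":
            alerts.append(f"rule {rid} source widened to any")
    for rid in sorted(before.keys() - after.keys()):
        alerts.append(f"rule {rid} deleted")
    return alerts


# Constructed snapshots: a legitimate VPN rule, a catch-all deny, then an
# attacker-style addition named to look like the existing rule.
BEFORE = {
    1: Rule(1, "Allow-VPN-Users", "vpn_users", "accept", False, True),
    2: Rule(2, "Deny-WAN-All", "any", "deny", True, True),
}
AFTER = {
    1: Rule(1, "Allow-VPN-Users", "vpn_users", "accept", False, False),  # logging quietly disabled
    2: BEFORE[2],
    3: Rule(3, "Allow-VPN-Users-2", "any", "accept", True, False),      # broad, unlogged, blends in
}

if __name__ == "__main__":
    for a in diff_policies(BEFORE, AFTER):
        print("ALERT:", a)
```

Running the diff on every configuration change event rather than on a schedule is what gives the response team the window the text refers to.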
Under NIS2, indicators of compromise must be reported within 72 hours. When VPN logs are wiped early (as in Poland) or authentication trails are incomplete, both incident response and regulatory obligations suffer. Strong logging, tamper-resistant audit trails, and rapid credential visibility are what make timely, accurate reporting possible.
These aren’t novel or sophisticated failures, but rather basic identity hygiene issues that have been documented for years.
Effective IAM in OT-heavy environments (particularly those exposed to cybersecurity threats in the energy sector) demands layered controls that recognize the cyber-physical convergence and the potential for cyber attacks on critical infrastructure to exploit access weaknesses.
Map every identity capable of affecting operations: human users, vendors, service accounts, and local accounts on HMIs and OT gateways. Assign a named owner to each identity and establish measurable deprovisioning processes through automated workflows and periodic audits. This eliminates unmanaged or orphaned credentials that adversaries can exploit.
NIST SP 800-207 makes clear that zero trust rejects implicit trust based on network location alone, requiring explicit authentication and authorization for every session. Enforce this principle for remote access into substations and plants, as well as for jump hosts that connect IT and OT zones, preventing lateral movement assumptions rooted in perimeter-based trust.
Replace standing admin accounts with time-limited, just-in-time elevation. Record every administrative session on jump hosts for forensic review. Maintain distinct administrative tiers for identity systems that manage Group Policy and domain security, reducing the blast radius of any compromise.
Require two-person review and approval for actions that can modify many hosts at once – such as Group Policy updates or firewall rule changes that govern remote access.
For corporate users and administrators, adopt phishing-resistant authenticators such as FIDO2 security keys, which use public-key cryptography to eliminate shared secrets vulnerable to interception. For OT devices that cannot yet support modern standards, enforce unique credentials per device and per site, rotate them under formal change control, and remove vendor defaults during commissioning.
Collect and correlate logs from VPN logins, directory audit trails, RDP and jump host access, and firewall configuration changes with OT-specific alarms. This integrated visibility accelerates detection and response, aligning with established guidance on access control, incident handling, and physical security for protecting critical infrastructure.
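The crisis-access pattern from the rail case study (time-bounded break-glass accounts, two-person approval, logging of every action) and the just-in-time elevation guidance above can be expressed as one small policy object. This is an added illustrative model, not any product's API; the account, approver and action names are made up.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class BreakGlassRequest:
    """Emergency elevation that needs two distinct approvers, lives for a fixed
    window, and records every approval and action (illustrative model)."""
    account: str
    requester: str
    reason: str
    ttl: timedelta = timedelta(hours=2)
    required_approvals: int = 2
    approvers: set = field(default_factory=set)
    activated_at: datetime | None = None
    audit: list = field(default_factory=list)

    def _log(self, event: str, who: str, when: datetime) -> None:
        self.audit.append({"when": when.isoformat(), "who": who,
                           "account": self.account, "event": event})

    def approve(self, approver: str, now: datetime) -> bool:
        # The requester cannot approve their own request; repeat approvals do not count
        if approver == self.requester or approver in self.approvers:
            self._log("approval_rejected", approver, now)
            return False
        self.approvers.add(approver)
        self._log("approved", approver, now)
        if len(self.approvers) >= self.required_approvals and self.activated_at is None:
            self.activated_at = now  # the clock starts at the second approval
            self._log("activated", "system", now)
        return True

    def is_active(self, now: datetime) -> bool:
        return self.activated_at is not None and now < self.activated_at + self.ttl

    def use(self, actor: str, action: str, now: datetime) -> bool:
        """Allow an action only inside the window; denied attempts are logged too."""
        allowed = self.is_active(now)
        self._log(f"{'allowed' if allowed else 'denied'}:{action}", actor, now)
        return allowed


def demo() -> BreakGlassRequest:
    """Constructed walk-through: on-call requests, two approvers, one late attempt refused."""
    t0 = datetime(2025, 11, 17, 6, 0, tzinfo=timezone.utc)
    req = BreakGlassRequest("bg-dispatch-admin", "ops_oncall", "reroute after track damage")
    req.approve("ops_oncall", t0)                                    # rejected: self-approval
    req.approve("shift_supervisor", t0)                              # 1 of 2
    req.approve("security_duty", t0 + timedelta(minutes=4))          # 2 of 2 -> active
    req.use("ops_oncall", "reroute_line_7", t0 + timedelta(minutes=30))
    req.use("ops_oncall", "reroute_line_7", t0 + timedelta(hours=3))  # window expired
    return req
```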
These measures collectively harden IAM against the evolving hybrid threats targeting critical infrastructure, limiting the ability of adversaries to escalate initial access, whether gained through a cyber attack on critical infrastructure or a physical breach, into operational disruption.
True resilience in critical infrastructure is not built through complexity alone, but through disciplined clarity and foresight. I have witnessed how the smallest overlooked access can become the spark that ignites catastrophe. I have also seen how deliberate, principled IAM choices avert disaster before it begins.
In an era of hybrid threats and accelerating cyber attacks on critical infrastructure, the wisest path is proactive stewardship, not reactive defense. Embrace zero trust architecture not as a framework, but as a mindset: verify relentlessly, privilege sparingly, monitor faithfully.
When you do this, you safeguard societies, and the quiet certainty that tomorrow’s lights will still burn.