TL;DR — too long, didn’t read
The December 2025 cyberattack on more than 30 Polish wind and solar farms — three months on, we have the forensics. Exposed FortiGate VPNs, missing MFA, reused credentials. Destructive wipers (DynoWiper, LazyWiper). Hitachi RTUs and Mikronika controllers damaged. Attribution split between two Russian groups. No outage. Baltic wind operators should read the CERT Polska report this week
Marlink's 2026 Cyber Intelligence Report: 69% of maritime cyber risks are identity and credential compromises. Only 12% are technical flaws. Crew networks accounted for 82% of alerts. Incidents detected across monitored environments rose from 5740 in 2024 to 7793 in 2025
Patch FortiClient EMS this week. CISA added CVE-2026-21643 to the KEV catalog on 13 April — an actively exploited SQL injection leading to unauthenticated RCE in FortiClient EMS 7.4.4. Fix is 7.4.5 or above. Federal deadline was 16 April. Exploitation has been reported in the wild since late March
Three things that matter this week
In December 2025, Russia attacked Polish renewables. Three months later, we have the forensics.
On 29-30 December 2025, a coordinated cyberattack hit more than 30 wind and solar farms in Poland, alongside a major combined heat and power plant and a manufacturing company. On 30 January 2026, CERT Polska published its incident report. By April 2026, the sector analysis has caught up, and the lessons are sharper than the initial headlines suggested.
The entry point was boring. Exposed FortiGate VPNs. Missing MFA. Unpatched devices carrying known vulnerabilities. Credentials reused across sites, which let attackers walk laterally between facilities that should have been isolated. The payloads were less boring: destructive malware called DynoWiper and LazyWiper, deployed to wipe data and damage industrial devices. Hitachi RTUs, Mikronika controllers, Moxa serial devices, and HMI computers were all affected. Compromised VPS hosts and Cisco routers served as command and control.
Here is the striking part. Communications dropped at multiple sites. Remote control of distributed energy resources was degraded. Industrial equipment was physically damaged. No outage. Electricity kept flowing, heat kept flowing, and physical redundancy in the grid absorbed the damage. The report frames this bluntly. Technically, the attack worked. Operationally, it did not.
Attribution is split. CERT Polska points to Static Tundra, also tracked as Berserk Bear, Blue Kraken, Dragonfly, Havex, and Ghost Blizzard — linked to Russia's FSB Center 16. ESET and Dragos, in separate analyses, attribute the activity with moderate confidence to Sandworm, a different Russian state-sponsored group affiliated with GRU. Two Western threat-intel shops disagreeing with a national CERT tells you how hard attribution gets when two Russian services share tradecraft and infrastructure.
Why this matters: This is the first publicly documented destructive cyberattack on European renewable energy at this scale. For Baltic and North Sea offshore wind operators, it reads like a preview. The same vendor stack sits in almost every major offshore project under construction: FortiGate edge security, Moxa serial-to-Ethernet converters, Siemens and Mikronika industrial controllers. The same attack path — exposed VPN without MFA, credentials reused between sites — matches how offshore wind O&M contractors actually work today. Polish onshore renewables were the opening move. Offshore will be next, and nobody should count on physical redundancy absorbing the impact in a 1.2 GW offshore farm with a single export cable.
One thing to do: Read the CERT Polska report (link in Resource of the week). Then walk the list of FortiGate devices in your environment. For each, confirm three things: patched to current, MFA enforced on all admin access, and credentials not shared with any other site or contractor. If the answer to any of those is "no", treat it as a P1. That was the gap the Polish attack exploited.
Marlink: 69% of maritime cyber risk is identity. 12% is technical.
On 14 April 2026, Marlink published its Cyber Intelligence Report for Remote Operations 2026. The dataset comes from Marlink's global security operations centres and more than 200 cyber security assessments carried out across maritime clients in 2025. The topline finding: 69% of observed cyber risks were tied to compromised identities and credentials. Only 12% were linked to technical flaws in software or hardware.
Marlink ran phishing simulations across client environments. 20% of users clicked the malicious link. 11% disclosed their credentials. 11% reported the incident. The remaining 78% neither fell for it nor flagged it. Incidents detected across monitored environments grew from 5740 in 2024 to 7793 in 2025, roughly 35% year-on-year. More than half of those incidents targeted transportation, energy, and manufacturing, which places maritime in the middle of the attack surface. 82% of all alerts were concentrated in crew network zones.
The infrastructure assessments fill in the rest. Over 70% of sites Marlink assessed had undocumented or poorly secured remote connections — forgotten VPNs, legacy modems, vendor tunnels nobody currently owns. 30-40% of OT assets were initially unknown or unmanaged: no inventory, no patch status, no clear owner. That is the environment in which identity-based attacks run with near impunity.
Why this matters: NIS2 Article 21 requires essential entities to put HR security controls and access governance into practice as part of their cybersecurity risk management. Marlink's numbers give that requirement operational teeth. Maritime cyber conversations usually revolve around protocol vulnerabilities, ECDIS firmware, VSAT encryption, and ICS patches — all legitimately important, and collectively responsible for 12% of observed risk. The dominant 69% is people, passwords, and the loss of visibility over who has access to what. The Polish wind farm attack from the first story is the concrete example: initial access came from reused credentials, not a zero-day.
One thing to do: Run an identity audit this month. Not a policy review, an inventory. How many humans currently have administrative access to maritime operational systems? How many are still current employees? When did each credential last rotate? How many service accounts exist, and who owns each? Service accounts are the quiet danger. They rarely leave, rarely rotate, often hold broad privileges, almost never have MFA. If your answer to any of these questions is "I would have to check", that gap is what Marlink is measuring.
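To make the audit above concrete, here is an added example (not from the Marlink report) that answers each of those questions over a constructed access export; the field names, accounts, systems and the 90-day rotation threshold are all assumptions.

```python
# Added example (not from the Marlink report): answer this issue's identity audit
# questions over a constructed access export. Field names are hypothetical.
from datetime import date

ROTATION_MAX_DAYS = 90       # assumed policy threshold, not a Marlink figure
TODAY = date(2026, 4, 20)    # fixed so the example is reproducible

# Constructed sample rows: one per account and system, all names made up.
ACCESS = [
    {"account": "a.nowak", "kind": "human", "system": "fleet-remote-access",
     "admin": True, "employed": True, "mfa": True, "owner": "a.nowak",
     "last_rotated": date(2026, 3, 1)},
    {"account": "j.doe", "kind": "human", "system": "fleet-remote-access",
     "admin": True, "employed": False, "mfa": True, "owner": "j.doe",
     "last_rotated": date(2025, 6, 1)},
    {"account": "svc-vsat-sync", "kind": "service", "system": "vsat-gateway",
     "admin": True, "employed": None, "mfa": False, "owner": None,
     "last_rotated": date(2023, 11, 15)},
    {"account": "svc-backup", "kind": "service", "system": "tos-db",
     "admin": False, "employed": None, "mfa": True, "owner": "it-ops",
     "last_rotated": date(2026, 2, 10)},
]

def audit(rows, today=TODAY, max_age=ROTATION_MAX_DAYS):
    """Map each account to the audit questions it fails."""
    findings = {}
    for r in rows:
        issues = []
        age = (today - r["last_rotated"]).days
        if r["kind"] == "human" and r["admin"] and not r["employed"]:
            issues.append("admin access held by a former employee")
        if age > max_age:
            issues.append(f"credential not rotated for {age} days")
        if r["kind"] == "service" and r["owner"] is None:
            issues.append("service account with no named owner")
        if r["admin"] and not r["mfa"]:
            issues.append("privileged account without MFA")
        if issues:
            findings[r["account"]] = issues
    return findings

def headcount(rows):
    """The inventory numbers the audit starts from."""
    admins = [r for r in rows if r["admin"]]
    current = [r for r in admins if r["kind"] == "human" and r["employed"]]
    services = [r for r in rows if r["kind"] == "service"]
    return {"admins": len(admins), "current_employee_admins": len(current),
            "service_accounts": len(services)}
```

Service accounts surface here exactly as the text predicts: the one with no owner, no MFA and a credential untouched for over two years collects three findings on its own.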
Patch FortiClient EMS. Three days wasn't a suggestion.
On 13 April 2026, CISA added CVE-2026-21643 to its Known Exploited Vulnerabilities catalog. The vulnerability is an SQL injection in Fortinet's FortiClient Enterprise Management Server (EMS), the platform that manages endpoint security policies for FortiClient deployments. Successful exploitation gives an unauthenticated remote attacker the ability to execute arbitrary code as SYSTEM. No credentials required. No user interaction required. Federal civilian agencies had three days to patch, deadline 16 April. Fortinet released the fix in FortiClient EMS 7.4.5. Versions 7.2 and 8.0 are unaffected. Version 7.4.4 is. Exploitation has been reported in the wild since late March 2026.
CISA's three-day deadline is unusually aggressive. The default is three weeks. Three days means active exploitation at scale and a risk window that is closing fast. Germany's BSI issued a parallel advisory on 15 April warning operators about internet-facing edge security devices being used to pivot into internal OT networks. The BSI note is not Fortinet-specific, but the pattern is consistent: the front door of the enterprise is the front door of the control network.
Maritime operations run on edge security infrastructure. Port operators use Fortinet gateways to separate business networks from terminal operating systems. Shipping companies deploy FortiClient and FortiClient EMS at headquarters to manage remote fleet access. VSAT providers — Marlink, Inmarsat, KVH — integrate Fortinet into customer-facing managed services. Offshore platforms and wind farms use FortiGate to bridge corporate networks and control networks. The Polish December 2025 attack in the first story exploited the same vendor family, different product line. A vulnerability in the management server, not just the endpoint, is more serious: one compromised EMS instance can push malicious updates to every FortiClient it manages.
Why this matters: Edge security devices are now the most consequential single point of failure in operational environments. They sit between the internet and everything valuable. One successful exploit, and the attacker has privileged access to the network designed to keep them out. Three days to patch reflects how the threat model has shifted: the time between CVE publication and active exploitation is often measured in hours now. Patch cycles designed around monthly or quarterly windows assume a different threat landscape than the one we operate in.
One thing to do: If you operate FortiClient EMS, confirm your version this week. Version 7.4.4 — patch immediately to 7.4.5 or above. Version 7.2 or 8.0 — unaffected by this CVE, but check you are on the current branch for other reasons. For all Fortinet appliances, verify the admin interface is not reachable from the public internet. If you can log in to the management UI from a hotel Wi-Fi, so can the threat actor who read CISA's KEV update.
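The FortiGate walk-through from the first story (patched, MFA on admin access, no shared credentials) and the FortiClient EMS version check above are one inventory exercise. The following is an added example, not code from CERT Polska, CISA or Fortinet, that triages a constructed Fortinet inventory against both; host names, credential labels and field names are hypothetical, and the version rule is taken from the text (EMS 7.4.4 affected, 7.4.5 and above fixed, 7.2 and 8.0 unaffected).

```python
# Added example: triage a constructed Fortinet inventory against this issue's
# checks. Hosts, credential labels and field names are hypothetical.
from collections import Counter

EMS_FIXED = (7, 4, 5)  # first FortiClient EMS 7.4 release carrying the fix

# Constructed sample inventory; "cred_id" labels which admin credential a device uses.
INVENTORY = [
    {"name": "fgt-site-a", "product": "FortiGate", "version": "7.4.3",
     "patched": True, "mfa_admin": True, "cred_id": "cred-a", "admin_public": False},
    {"name": "fgt-site-b", "product": "FortiGate", "version": "7.0.12",
     "patched": False, "mfa_admin": False, "cred_id": "cred-shared", "admin_public": True},
    {"name": "fgt-site-c", "product": "FortiGate", "version": "7.4.3",
     "patched": True, "mfa_admin": True, "cred_id": "cred-shared", "admin_public": False},
    {"name": "ems-hq", "product": "FortiClient EMS", "version": "7.4.4",
     "patched": True, "mfa_admin": True, "cred_id": "cred-ems", "admin_public": False},
    {"name": "ems-dr", "product": "FortiClient EMS", "version": "8.0.1",
     "patched": True, "mfa_admin": True, "cred_id": "cred-ems-dr", "admin_public": False},
]

def parse_version(text):
    """'7.4.4' -> (7, 4, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def ems_affected(version):
    """Only the 7.4 branch below 7.4.5 is affected; 7.2 and 8.0 are not."""
    parsed = parse_version(version)
    return parsed[:2] == (7, 4) and parsed < EMS_FIXED

def triage(inventory):
    """Map each device name to its findings; every finding here is a P1."""
    counts = Counter(dev["cred_id"] for dev in inventory)
    shared = {cred for cred, n in counts.items() if n > 1}
    findings = {}
    for dev in inventory:
        issues = []
        if dev["product"] == "FortiClient EMS" and ems_affected(dev["version"]):
            issues.append("CVE-2026-21643: upgrade to FortiClient EMS 7.4.5 or above")
        if not dev["patched"]:
            issues.append("not patched to current")
        if not dev["mfa_admin"]:
            issues.append("MFA not enforced on admin access")
        if dev["cred_id"] in shared:
            issues.append("admin credential shared with another site or contractor")
        if dev["admin_public"]:
            issues.append("admin interface reachable from the public internet")
        if issues:
            findings[dev["name"]] = issues
    return findings
```

Note that the shared-credential check only fires once a second device carries the same label, which is why the credential inventory has to cover every site and contractor before the result means anything.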
Coming up
6th Maritime Security Conference — MARSEC COE Istanbul, 9-10 June 2026. Hosted by NATO's Maritime Security Centre of Excellence. mc3.maritime-ogmios.tech
Posidonia 2026 — Athens Metropolitan Expo, 1-5 June 2026. World's largest maritime exhibition, +2000 exhibitors, cyber panels confirmed in the conference programme. mc3.maritime-ogmios.tech
Full conference calendar: mc3.maritime-ogmios.tech
Number of the week
69% — Share of maritime cyber risks attributable to compromised identities and credentials, per Marlink's Cyber Intelligence Report 2026. Only 12% were tied to technical flaws. The Polish wind farm attack fits this profile exactly. The initial access was reused credentials on exposed FortiGate devices, not a zero-day exploit. If your 2026 cybersecurity budget is heavy on technical controls and light on identity governance, it is not aligned with where attacks actually happen. This is the number to bring to the risk committee.
Resource of the week
CERT Polska — Energy Sector Incident Report (29 December 2025) — the full technical report on the coordinated attack against Polish wind and solar farms. Contains attack chain, affected vendor equipment (Hitachi, Mikronika, Moxa), malware analysis (DynoWiper, LazyWiper), and mitigation recommendations. Essential reading for anyone running renewable energy infrastructure with FortiGate edge security. → cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
Marlink Cyber Intelligence Report for Remote Operations 2026 — Marlink's press release and landing page for the report (full PDF requires contact with Marlink). → marlink.com/resources/knowledge-hub/marlink-report-reveals-evolving-cyber-risk-driven-by-user-credentials-and-human-error
Free tabletop exercise: Port Ransomware Attack — your port's cargo management system goes dark. Container tracking offline. Manual operations only. 15 minutes, runs in your browser, no signup required. Test how your team responds before an attacker does. → tabletop.maritime-ogmios.tech
