According to a new incident report by CERT Polska, coordinated cyberattacks targeted Poland’s energy sector in late December 2025. Wind farms, solar installations, and a combined heat and power plant were all hit by the same threat actor. These were not smash-and-grab intrusions or ransomware attempts. They were deliberate, destructive attacks designed to disrupt operations and permanently damage systems.
The technical details matter because they expose a hard truth many organizations still underestimate: basic security hygiene failures in xIoT environments continue to enable catastrophic outcomes.
At the center of these attacks were unmanaged, poorly secured devices: remote terminal units, controllers, and network appliances. Such devices cannot run endpoint security agents, often sit outside traditional IT visibility, and are frequently deployed with default or weak credentials that never get changed.
The Anatomy of a Predictable Failure
Across dozens of renewable energy sites, attackers compromised network security appliances that lacked strong authentication and exposed management interfaces. Once inside, they escalated privileges, modified configurations, wiped logs, and deliberately factory-reset devices to slow recovery.
From there, the attacker moved laterally into operational technology.
At grid connection points and substations, industrial controllers and RTUs were accessed using default credentials. In multiple cases, attackers logged in as administrators because the devices were still running factory usernames and passwords. The firmware was corrupted. Configurations were wiped. Devices failed and required replacement.
This was not a zero-day problem. It was not an advanced exploit chain that defenders could not reasonably prevent.
It was a problem of basic security hygiene fundamentals.
Default Credentials Are Still Doing the Most Damage
One of the most consistent findings in large-scale xIoT environments is the frequency with which devices are deployed and left running with default, weak, or reused passwords. In energy, manufacturing, healthcare, and data centers, these credentials become permanent backdoors.
Attackers know this.
They scan for exposed services. They try vendor defaults. They reuse credentials harvested from one device across dozens more. Once a single device is compromised, it becomes a staging point for reconnaissance, lateral movement, and destruction.
In the Poland incident, default credentials were not just an entry point. They were the difference between a contained intrusion and physical device damage that interrupted monitoring and control.
Security Hygiene Is Not Optional for xIoT
There is a tendency to treat xIoT security as an advanced problem that requires advanced solutions. In reality, most successful attacks still exploit basic gaps.
Fundamental xIoT security hygiene includes:
- Knowing every device connected to your network, including OT, IoT, and IIoT assets that never appear in CMDBs.
- Identifying devices running default, weak, or reused credentials.
- Replacing those credentials with strong, unique passwords and rotating them on a defined schedule.
- Disabling unnecessary services such as Telnet and FTP, and keeping management interfaces off networks that do not need to reach them.
- Keeping firmware current and removing devices that are end of life or no longer supported.
- Monitoring continuously for drift, including password resets back to default or unauthorized configuration changes.
These are not optional controls for critical infrastructure. They are baseline requirements.
Yet for most organizations, executing them at scale across thousands or hundreds of thousands of heterogeneous devices is operationally unrealistic without automation.
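The checks in the list above can be expressed as a small offline audit over inventory data. The following Python script is an added example, not code from the original post or from the Phosphorus platform: it takes two snapshots of a device inventory (as a credential vault or fleet-management export might provide them) and flags factory-default credentials, weak passwords, credentials reused across devices, management interfaces reachable from outside the OT network, and drift between snapshots (a password reset back to default, an unapproved configuration change, a device that appeared without being inventoried). All device names, vendor names, models, and the factory-default table are constructed for illustration and do not describe any real product.

```python
"""Offline xIoT credential-hygiene audit over a constructed inventory.

Added example, not from the original post or any vendor platform. Input is
two inventory snapshots (previous and current) in the shape a fleet
management system or credential vault might export. Every device, vendor,
model and default credential below is invented for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical factory credentials per (vendor, model). In practice this table
# is built from vendor documentation; these entries are constructed.
FACTORY_DEFAULTS = {
    ("ExampleRTU", "R100"): {("admin", "admin"), ("operator", "1234")},
    ("ExampleNet", "FW-20"): {("admin", "password")},
    ("ExamplePLC", "P5"): {("root", "root")},
}

MIN_LENGTH = 12  # assumed local password policy


@dataclass(frozen=True)
class Device:
    device_id: str
    vendor: str
    model: str
    username: str
    password: str
    config_hash: str          # hash of the exported running configuration
    mgmt_reachable_from: str  # "ot" = OT management VLAN only; "corp"/"internet" otherwise


def is_default(dev: Device) -> bool:
    """True if the configured credential matches a known factory default."""
    return (dev.username, dev.password) in FACTORY_DEFAULTS.get((dev.vendor, dev.model), set())


def is_weak(password: str) -> bool:
    """Length plus character-class policy (at least three of four classes)."""
    if len(password) < MIN_LENGTH:
        return True
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes < 3


def audit(current: list[Device], previous: list[Device] | None = None,
          approved_changes: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Return finding category -> sorted device ids. Drift checks need a previous snapshot."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_credential: dict[tuple[str, str], list[str]] = defaultdict(list)

    for dev in current:
        if is_default(dev):
            findings["default_credentials"].append(dev.device_id)
        else:
            # Defaults are already flagged; reuse grouping covers non-default credentials only.
            by_credential[(dev.username, dev.password)].append(dev.device_id)
            if is_weak(dev.password):
                findings["weak_password"].append(dev.device_id)
        if dev.mgmt_reachable_from != "ot":
            findings["exposed_management"].append(dev.device_id)

    for ids in by_credential.values():
        if len(ids) > 1:  # same username/password on more than one device
            findings["reused_credentials"].extend(ids)

    if previous is not None:
        prev = {d.device_id: d for d in previous}
        for dev in current:
            old = prev.get(dev.device_id)
            if old is None:
                findings["unknown_device"].append(dev.device_id)  # not in last inventory
                continue
            if old.password != dev.password and is_default(dev):
                findings["reset_to_default"].append(dev.device_id)
            if old.config_hash != dev.config_hash and dev.device_id not in approved_changes:
                findings["unapproved_config_change"].append(dev.device_id)
        for device_id in prev.keys() - {d.device_id for d in current}:
            findings["missing_device"].append(device_id)

    return {k: sorted(v) for k, v in findings.items()}


# Constructed snapshots. The second one contains each failure mode once.
PREVIOUS_SNAPSHOT = [
    Device("rtu-substation-01", "ExampleRTU", "R100", "admin", "admin", "c0ffee01", "ot"),
    Device("rtu-substation-02", "ExampleRTU", "R100", "svc_rtu", "Tq7!mbR2#kLp9v", "c0ffee02", "ot"),
    Device("fw-windfarm-03", "ExampleNet", "FW-20", "admin", "Winter2025!", "beef0003", "corp"),
    Device("plc-chp-04", "ExamplePLC", "P5", "root", "Zx9#qW2$vB7!pL", "beef0004", "ot"),
    Device("plc-chp-05", "ExamplePLC", "P5", "root", "Zx9#qW2$vB7!pL", "beef0005", "ot"),
]
CURRENT_SNAPSHOT = [
    Device("rtu-substation-01", "ExampleRTU", "R100", "admin", "admin", "c0ffee01", "ot"),       # never changed
    Device("rtu-substation-02", "ExampleRTU", "R100", "admin", "admin", "c0ffee99", "ot"),       # reset to default, config changed
    Device("fw-windfarm-03", "ExampleNet", "FW-20", "admin", "Winter2025!", "beef0003", "corp"), # weak, exposed management
    Device("plc-chp-04", "ExamplePLC", "P5", "root", "Zx9#qW2$vB7!pL", "beef0004", "ot"),        # credential reused
    Device("plc-chp-05", "ExamplePLC", "P5", "root", "Zx9#qW2$vB7!pL", "beef0015", "ot"),        # reused, approved change
    Device("rtu-solar-06", "ExampleRTU", "R100", "operator", "1234", "00000006", "internet"),    # not inventoried, default, exposed
]


def run_sample_audit() -> dict[str, list[str]]:
    return audit(CURRENT_SNAPSHOT, PREVIOUS_SNAPSHOT, frozenset({"plc-chp-05"}))


if __name__ == "__main__":
    for category, ids in run_sample_audit().items():
        print(f"{category}: {', '.join(ids)}")
```

The script only reads inventory data; it never logs into a device. An active check that actually tries candidate credentials against live RTUs or controllers has to use the device's native protocol, respect lockout thresholds, and be scheduled with operations, because a careless scan can trip the same failure modes the attackers caused on purpose.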
Why Traditional Tools Fall Short
IT security tools were not built for xIoT. You cannot deploy EDR on a PLC. Passive traffic analysis only reveals a default password if a login happens to cross the wire in cleartext while you are watching, so it cannot tell you whether a controller is still running factory credentials. And you cannot manually log into thousands of devices to rotate credentials safely.
As a result, many organizations know these risks exist but lack a practical way to address them. That gap is exactly where attackers operate.
Bringing xIoT Back Into Control
At Phosphorus, we see this pattern repeatedly. The most dangerous vulnerabilities in xIoT environments are rarely sophisticated. They are persistent, unmanaged, and invisible.
That is why our platform is built to do three things exceptionally well:
- Safely discover and identify every xIoT device using native protocols, without disrupting operations.
- Expose real vulnerabilities, including default, weak, and reused passwords, vulnerable firmware, expired or self-signed certificates, and misconfigurations at the device level.
- Automate remediation, including password rotation, configuration hardening, and firmware management, at scale and without agents.
When credential hygiene is enforced continuously, attackers lose one of their most reliable entry points. When drift is detected and corrected automatically, persistence becomes harder. When devices are treated as first-class security assets, incidents like the Poland attacks become far less likely.
The Takeaway for Security Leaders
The attacks on Poland’s energy infrastructure were not a warning about the future. They were a reflection of the present.
If attackers can still destroy critical systems by logging into devices with default credentials, then security resilience starts with fixing what should never have been left broken.
xIoT environments cannot remain unknown, unmanaged, and unmonitored. Fundamental security hygiene, especially credential management, must extend beyond IT and into every connected device that supports operations.
Strengthen Your Security Resilience
Phosphorus helps organizations discover and assess every xIoT device, harden and remediate them, and monitor and manage them to automatically eliminate risk. We make it possible to enforce security hygiene across hundreds of thousands of devices safely, continuously, and at scale.
If you want to understand your true xIoT exposure and see how automated credential management and device hardening can reduce your attack surface, request a Phosphorus demo and take control of the devices attackers are counting on you to ignore.
Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.