
Poland Under Cyber Siege: Attacks Soar, Russia Suspected
WARSAW, Poland – Poland experienced a staggering 2.5-fold increase in cyberattacks in 2025 compared to the previous year, with the number of incidents continuing to climb, according to a government official. This surge in malicious activity culminated in a particularly concerning event: a destructive infiltration of the nation’s energy system in December, believed to be unprecedented within both NATO and the European Union, and strongly suspected of originating in Russia.
A Dramatic Increase in Cyber Threats
Paweł Olszewski, Deputy Minister of Digital Affairs, revealed that Poland was targeted by approximately 270,000 cyberattacks over the past year. “We’ve been waging a war in cyberspace for many years now,” Olszewski stated. “The number of incidents and attacks has been increasing significantly and radically year after year.”
The government, under the leadership of Prime Minister Donald Tusk, has significantly bolstered its cyber defenses since the commencement of Russia’s full-scale invasion of Ukraine on February 24, 2022. This proactive measure is a direct response to the perceived escalation of threats emanating from Russia.
The December Energy System Attack
On December 29th, coordinated cyberattacks targeted a combined heat and power plant serving nearly 500,000 customers, alongside multiple wind and solar farms across Poland. While the electricity supply remained uninterrupted, the nature of the sabotage deeply alarmed Polish authorities.
CERT Polska, the Computer Emergency Response Team Poland, promptly issued a public report in late January detailing the technical aspects of the incident and soliciting input from the cybersecurity community. Marcin Dudek, head of CERT Polska, emphasized the severity of the attack: “The attack was a significant escalation. We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial. In this case, there was no financial motivation – the motivation was just destruction.”
Dudek further noted that Poland has rarely encountered destructive cyber incidents, and none previously targeted the energy sector. He believes that similar attacks haven’t been observed in other NATO or EU countries, with previous incidents limited to espionage or minor damage caused by activist groups.
Tracing the Attack: Dragonfly and Sandworm
Investigations by Polish authorities and cybersecurity experts point towards known Russian-linked threat actors. CERT Polska’s analysis of the attack’s infrastructure revealed connections to “Dragonfly,” also known as “Static Tundra” or “Berserk Bear,” a group previously associated with targeting the energy sector. The FBI has linked Dragonfly to FSB Center 16, a key unit within Russia’s Federal Security Service (source: FBI website).
ESET, a leading EU cybersecurity firm, analyzed the malware used in the attack and concluded that “Sandworm,” another potential Russian actor previously linked to destructive attacks in Ukraine, was likely responsible. The U.S. government has attributed Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) (source: ESET website).
Anton Cherepanov, a senior malware researcher at ESET, stated that the use of data-wiping malware and its deployment in the Polish attack are techniques commonly employed by Sandworm. “We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries,” Cherepanov added.
International Implications
While the specific actor remains unconfirmed, experts agree that the traces of the December attack lead back to Russia. The Russian Embassy in Warsaw has not yet responded to requests for comment.
This escalating cyber warfare highlights the growing threat landscape facing Poland and the broader international community, demanding continued vigilance and robust cybersecurity measures.




