Poland Cyberattacks Surged in 2025, Suspected Pro-Russian Actors Targeted Critical Infrastructure

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Unprecedented attack surge: The 2025 Poland cyberattacks data shows 270,000 total incidents, representing a massive 2.5x increase in hostile network activity.
  • Energy sector breach: A coordinated sabotage campaign targeted a major combined heat and power plant alongside multiple renewable energy facilities in December.
  • Russian threat actors: Forensic investigators attribute the data-wiping malware assault to advanced state-sponsored clusters, specifically pointing toward the Sandworm or Dragonfly groups.

Poland experienced “2.5 times as many” cyberattacks in 2025 as it did in the previous year, culminating in an unprecedented assault on the nation's critical infrastructure. Approximately 270,000 cyber incidents occurred over the past calendar year, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday, highlighting a rapidly deteriorating digital security environment across the region.

The attacks included a destructive, suspected Russian breach of the country’s energy system in December that was believed to be unprecedented among NATO and European Union (EU) members.

Analyzing the Energy Sector Breach

The most critical incident occurred on December 29, when a coordinated energy sector breach targeted a combined heat and power plant serving nearly 500,000 customers, as well as multiple wind and solar farms.

Unlike standard ransomware infections driven by financial extortion, this data-wiping malware attack focused entirely on infrastructure destruction. “The attack was a significant escalation,” CERT head Marcin Dudek recently told the Associated Press (AP).

While the sabotage failed to disrupt the public electricity supply, analysts from CERT Polska said it affected the GCP substation, which serves as the physical grid interconnection point and the location through which the distribution system operator (DSO) performs remote monitoring and supervisory control.

Successfully striking larger grid components could have fundamentally compromised the stability of the national energy distribution network, Dudek said.

Tracking the Advanced Cybersecurity Threats

Digital forensics teams investigating the external infrastructure used in the attack identified direct operational links to known Russian threat actors. Technical analyses of the command-and-control (C2) domains align with the established patterns of the Dragonfly cluster (Static Tundra, Berserk Bear), a unit associated with Center 16 of Russia's Federal Security Service (FSB).

Furthermore, Anton Cherepanov, a senior malware researcher at ESET, told AP that the data-wiping payload and its deployment techniques strongly match those of Sandworm (APT44, BlackEnergy Lite, Seashell Blizzard, Telebots, Voodoo Bear), an advanced persistent threat group possibly linked to Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455.

In February 2025, NoName057(16) and Z-Pentest attacked sewage treatment plants in Poland in support of Russia and against pro-Ukraine NATO nations, and Sandworm targeted Ukraine with trojanized Microsoft activators and fake updates. A Sandworm red-team wiper was released as a training sample in November 2025.

Early last month, Poland detained a Defense Ministry employee on suspicion of spying for Russian and Belarusian intelligence.
