Nation-state
Mar 24, 2026

Poland Faced a Surge in Cyberattacks in 2025, Including a Major Assault on the Energy Sector

Poland faced 270,000 cyberattacks in 2025, including destructive energy sector assault suspected from Russia.

Summary

Poland experienced a 2.5x surge in cyberattacks during 2025, totaling 270,000 incidents, with a major December destructive attack on energy infrastructure supplying 500,000 heat customers. Polish authorities and cybersecurity analysts attributed the assault to Russian threat actors, likely Dragonfly (FSB-linked) or Sandworm (GRU-linked), marking an unprecedented destructive attack on NATO/EU energy systems. The attack used data-wiping malware but did not disrupt electricity supply, though it alarmed authorities enough to trigger public incident analysis.

Full text

Poland experienced 2½ times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday. The attacks included a destructive infiltration of the country’s energy system in December that was believed to be unprecedented among NATO and European Union members, and was suspected of originating in Russia.

Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday. “We’ve been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”

The government, led by Prime Minister Donald Tusk, has beefed up its cyber defenses since the start of Russia’s full-scale invasion of Ukraine on Feb. 24, 2022, in response to what it believes to be a rising threat from Russia.

Energy system attack

During the morning and afternoon of Dec. 29, coordinated cyberattacks hit a combined heat and power plant supplying heat to almost 500,000 customers, as well as multiple wind and solar farms in Poland.

Polish authorities suspected the cyberattacks were done by a single “threat actor,” with multiple experts pointing to culprits linked to Russian secret services.

The electricity supply wasn’t disrupted, but the nature of the sabotage alarmed Polish authorities so much that the agency CERT Polska, or Computer Emergency Response Team Poland, issued a public report in late January on technical details of the incident and asked the cyber community for any input on what happened.

“The attack was a significant escalation,” CERT head Marcin Dudek told The Associated Press.

“We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial,” Dudek said. “In this case, there was no financial motivation — the motivation was just destruction.”

He said that Poland has seen only a few destructive incidents in the past and none of them were in the energy sector.

Dudek said that he wasn’t aware of any other destructive cyberattacks on the energy sector in either NATO or EU countries. There have been espionage incidents and activist groups causing marginal damage, but “advanced attacks” like the December one in Poland are likely unprecedented, he said.

Had it targeted even larger energy units, it could have substantially impacted the stability of Poland’s energy grid, Dudek said.

The Polish secret services haven’t yet publicly identified an alleged culprit. Dudek’s team is authorized only to describe the modus operandi and point to a likely “threat actor” — cyber jargon for an individual or group engaging in malicious activity.

Dragonfly or Sandworm

The CERT analysis looked at the Internet infrastructure used in the Polish attack, including domains and IP addresses, and found that they had been used previously by a Russian threat actor known as “Dragonfly,” and also called “Static Tundra” or “Berserk Bear.” Dudek said Dragonfly has been known to target the energy sector, but so far not with a destructive attack.

According to an alert issued by the FBI in the United States in August 2025, Dragonfly is a cybersecurity cluster associated with FSB Center 16, a key unit within Russia’s Federal Security Service.

Experts unrelated to Polish authorities agree that the traces of the December attack lead back to Russia. ESET, one of the largest cybersecurity companies in the EU, analyzed the malware used in the attack and concluded the culprit likely was “Sandworm,” another possible Russian actor previously associated with destructive attacks in Ukraine. The U.S. government has in the past attributed Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU.
Anton Cherepanov, senior malware researcher at ESET, told The Associated Press that “the use of data-wiping malware and its deployment” in the Polish case “are both techniques commonly employed by Sandworm.”

“We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries,” Cherepanov added.

Whether Dragonfly or Sandworm, it would be an actor previously affiliated with Russia. “Whether it’s these Russians or those Russians is a detail,” Cherepanov said.

The Russian Embassy in Warsaw didn’t respond to requests for comment.

Related: Hacking Attempt Reported at Poland’s Nuclear Research Center

Related: 3 Threat Groups Started Targeting ICS/OT in 2025: Dragos

Written by Associated Press

Indicators of Compromise

  • threat actor — Dragonfly / Static Tundra / Berserk Bear (associated with FSB Center 16 per the FBI alert cited above)
  • threat actor — Sandworm (attributed by the U.S. government to the GRU)