Poland experienced a significant increase in cyberattacks in 2025, registering 2.5 times as many incidents as the previous year, according to a government report issued on Tuesday. This alarming trend has been accompanied by a series of serious breaches, notably including a targeted infiltration of the country’s energy system in December. This incident is regarded as unprecedented among NATO and European Union member states and is suspected to have originated from Russian sources.

Over the past year, Poland faced 270,000 cyberattacks, according to Deputy Minister of Digital Affairs Paweł Olszewski. He remarked, “We have been waging a war in cyberspace for many years now.” Olszewski emphasised the notable and rapid increase in both the number of incidents and attacks each year.

In light of the escalating threat landscape, the Polish government has reinforced its cyber defence measures since the commencement of Russia’s full-scale invasion of Ukraine on 24 February 2022.

Targeting the energy system

On 29 December, coordinated cyberattacks targeted a combined heat and power plant that supplies heat to nearly 500,000 customers, as well as multiple wind and solar farms across Poland. Polish authorities suspect these cyberattacks were carried out by a single “threat actor,” with expert assessments suggesting links to Russian intelligence services.

Although the electricity supply remained uninterrupted, the nature of the sabotage raised significant concerns among Polish officials. As a result, CERT Polska (Computer Emergency Response Team Poland) issued a public report in late January detailing the technical aspects of the incident and requested input from the broader cyber community to gain further insights.

“The attack was a significant escalation,” CERT head Marcin Dudek told The Associated Press.

“We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial,” Dudek said. “In this case, there was no financial motivation — the motivation was just destruction.”

Dudek stated that Poland has faced a few significant incidents, none in the energy sector. He is unaware of any serious cyberattacks on energy systems in NATO or EU countries. While there have been minor espionage events and activist-related damage, advanced attacks like the December one are likely unprecedented. Had it targeted larger facilities, it could have greatly impacted Poland’s energy grid stability. The Polish secret services have not identified a suspect, and Dudek’s team can only describe the attack’s modus operandi and suggest a possible “threat actor.”

Dragonfly or Sandworm

The CERT analysis of the Polish cyberattack revealed that the domains and IP addresses used were previously linked to a Russian threat actor known as “Dragonfly,” which targets the energy sector. An August 2025 FBI alert identified Dragonfly as connected to FSB Centre 16, a unit of Russia’s Federal Security Service.

Experts agree that the traces from the December attack point back to Russia. ESET, a major EU cybersecurity firm, analysed the malware and suggested that the responsible actor is likely “Sandworm,” known for destructive attacks in Ukraine. The US government has previously linked Sandworm to the GRU, Russia’s military intelligence.

Anton Cherepanov, an ESET malware researcher, noted that the data-wiping malware used in Poland aligns with Sandworm’s operational techniques, and no other known actors are using such malware against EU targets.

Ultimately, whether the attacker is Dragonfly or Sandworm, they are likely affiliated with Russia. The Russian Embassy in Warsaw did not respond to requests for comment.

This article used information from The Associated Press.
