Salem Radio Network News Tuesday, March 24, 2026

Poland faced a surge in cyberattacks in 2025, including a major assault on the energy sector

WARSAW, Poland (AP) — Poland experienced 2½ times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday.

The attacks included a destructive infiltration of the country’s energy system in December that was believed to be unprecedented among NATO and European Union members, and was suspected of originating in Russia.

Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday.

“We’ve been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”

The government, led by Prime Minister Donald Tusk, has beefed up its cyber defenses since the start of Russia’s full-scale invasion of Ukraine on Feb. 24, 2022, in response to what it believes to be a rising threat from Russia.

During the morning and afternoon of Dec. 29, coordinated cyberattacks hit a combined heat and power plant supplying heat to almost 500,000 customers, as well as multiple wind and solar farms in Poland.

Polish authorities suspected the cyberattacks were done by a single “threat actor,” with multiple experts pointing to culprits linked to Russian secret services.

The electricity supply wasn’t disrupted, but the nature of the sabotage alarmed Polish authorities so much that the agency CERT Polska, or Computer Emergency Response Team Poland, issued a public report in late January on technical details of the incident and asked the cyber community for any input on what happened.

“The attack was a significant escalation,” CERT head Marcin Dudek told The Associated Press.

“We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial,” Dudek said. “In this case, there was no financial motivation — the motivation was just destruction.”

He said that Poland has seen only a few destructive incidents in the past and none of them were in the energy sector.

Dudek said that he wasn’t aware of any other destructive cyberattacks on the energy sector in either NATO or EU countries. There have been espionage incidents and activist groups causing marginal damage, but “advanced attacks” like the December one in Poland are likely unprecedented, he said.

Had it targeted even larger energy units, it could have substantially impacted the stability of Poland’s energy grid, Dudek said.

The Polish secret services haven’t yet publicly identified an alleged culprit.

Dudek’s team is authorized only to describe the modus operandi and point to a likely “threat actor” — cyber jargon for an individual or group engaging in malicious activity.

The CERT analysis looked at the Internet infrastructure used in the Polish attack, including domains and IP addresses, and found that they had been used previously by a Russian threat actor known as “Dragonfly,” and also called “Static Tundra” or “Berserk Bear.”

Dudek said Dragonfly has been known to target the energy sector, but so far not with a destructive attack.

According to an alert issued by the FBI in the United States in August 2025, Dragonfly is a cybersecurity cluster associated with FSB Center 16, a key unit within Russia’s Federal Security Service.

Experts unrelated to Polish authorities agree that the traces of the December attack lead back to Russia.

ESET, one of the largest cybersecurity companies in the EU, analyzed the malware used in the attack and concluded the culprit likely was “Sandworm,” another possible Russian actor previously associated with destructive attacks in Ukraine.

The U.S. government has in the past attributed Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU.

Anton Cherepanov, senior malware researcher at ESET, told The Associated Press that “the use of data-wiping malware and its deployment” in the Polish case “are both techniques commonly employed by Sandworm.”

“We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries,” Cherepanov added.

Whether Dragonfly or Sandworm, it would be an actor previously affiliated with Russia. “Whether it’s these Russians or those Russians is a detail,” Cherepanov said.

The Russian Embassy in Warsaw didn’t respond to requests for comment.
