Cyberattacks Against Poland Surge 250% in 2025, Energy Grid Targeted

Polish officials report facing 270,000 cyberattacks in 2025, marking a dramatic 250% increase from the previous year. A December assault on the country's energy infrastructure affected heating for nearly half a million customers and is believed to be linked to Russian hackers.

WARSAW, Poland (AP) — Polish government officials revealed Tuesday that the nation endured a staggering 250% increase in digital attacks throughout 2025, with cybersecurity threats continuing to escalate at an alarming rate.

Among the most concerning incidents was an unprecedented December breach targeting Poland’s power infrastructure, which experts believe marked the first destructive cyberattack on energy systems among NATO and EU member nations. Intelligence sources suspect the assault originated from Russia.

Deputy Minister of Digital Affairs Paweł Olszewski disclosed Tuesday that Poland withstood 270,000 cyber incidents over the past year.

“We’ve been waging a war in cyberspace for many years now,” Olszewski stated. “The number of incidents and attacks has been increasing significantly and radically year after year.”

Prime Minister Donald Tusk’s administration has significantly enhanced the country’s digital security measures following Russia’s comprehensive military offensive against Ukraine that began on Feb. 24, 2022, responding to what officials view as heightened Russian cyber threats.

On the morning and afternoon of Dec. 29, synchronized digital assaults struck a heating and power facility serving nearly 500,000 residents, along with numerous renewable energy installations including wind and solar operations across Poland.

Polish security agencies believe a single “threat actor” orchestrated the cyberattacks, with numerous specialists indicating connections to Russian intelligence operations.

While electrical service remained uninterrupted, the destructive nature of the sabotage prompted CERT Polska, the nation’s Computer Emergency Response Team, to release a detailed technical analysis in late January and solicit assistance from the global cybersecurity community.

“The attack was a significant escalation,” CERT director Marcin Dudek explained to The Associated Press.

“We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial,” Dudek noted. “In this case, there was no financial motivation — the motivation was just destruction.”

Dudek emphasized that Poland has encountered few destructive cyber incidents previously, with none targeting energy infrastructure.

The CERT leader indicated he was unaware of similar destructive digital assaults on power systems within NATO or EU territories. While espionage cases and activist groups have caused minor disruptions, “advanced attacks” comparable to Poland’s December incident appear to be without precedent, he explained.

Dudek warned that if the assault had focused on larger energy facilities, it could have severely compromised Poland’s electrical grid stability.

Polish intelligence services have not yet publicly named a suspected perpetrator.

Dudek’s organization is authorized only to analyze attack methods and identify potential “threat actors” — cybersecurity terminology for individuals or groups conducting malicious operations.

The CERT investigation examined internet infrastructure utilized in the Polish breach, including web domains and IP addresses, discovering they had been previously employed by a Russian threat group called “Dragonfly,” also known as “Static Tundra” or “Berserk Bear.”

According to Dudek, Dragonfly has historically focused on energy sector targets, though not with destructive intent.

An FBI alert from August 2025 identified Dragonfly as a cybersecurity cluster linked to FSB Center 16, a critical division within Russia’s Federal Security Service.

Independent cybersecurity experts concur that evidence from the December attack points toward Russian involvement.

ESET, a major European Union cybersecurity firm, examined the malicious software used in the assault and determined the perpetrator was likely “Sandworm,” another suspected Russian group previously connected to destructive attacks in Ukraine.

U.S. authorities have previously linked Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, known as GRU.

Anton Cherepanov, a senior malware analyst at ESET, told The Associated Press that “the use of data-wiping malware and its deployment” in the Polish incident “are both techniques commonly employed by Sandworm.”

“We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries,” Cherepanov stated.

Regardless of whether Dragonfly or Sandworm was responsible, both groups have previous Russian affiliations. “Whether it’s these Russians or those Russians is a detail,” Cherepanov observed.

The Russian Embassy in Warsaw did not respond to requests for comment.