Threat Intel · HIGH

Threat Intel - Poland Faces Surge in Cyberattacks in 2025

SecurityWeek
Dragonfly · Sandworm · Poland Cyberattacks · Energy Sector · CERT Polska

Basically, Poland faced many cyberattacks in 2025, especially targeting its energy systems.

Quick Summary

In 2025, Poland faced a surge in cyberattacks, including a major strike on its energy sector. The attacks are believed to be linked to Russian actors, raising significant security concerns. Authorities are ramping up defenses to counter these threats and protect critical infrastructure.

The Threat

In 2025, Poland saw a staggering increase in cyberattacks, with reports indicating a rise to 270,000 incidents over the year. This figure is 2.5 times higher than the previous year. A significant attack occurred on December 29, targeting the country's energy infrastructure, which raised alarms among officials. The attacks are suspected to have originated from Russian threat actors, marking a troubling trend in cyber warfare against NATO and EU member states.

The December assault involved coordinated attacks on critical energy facilities, including a combined heat and power plant and several renewable energy sources. While the electricity supply remained intact, the nature of the attack was alarming, leading to concerns about potential future disruptions. CERT Polska, Poland's Computer Emergency Response Team, described this incident as a significant escalation in cyber threats, particularly highlighting the absence of financial motives behind the attack.

Who's Behind It

Experts believe that the cyberattack was executed by a single threat actor, with indications pointing towards groups associated with Russian intelligence services. The analysis conducted by CERT Polska identified links to known Russian cyber units such as Dragonfly and Sandworm. Both groups have a history of targeting energy sectors, but the destructive nature of this attack was unprecedented.

The FBI had previously issued alerts about Dragonfly's activities, which are often linked to FSB Center 16, a unit within Russia's Federal Security Service. Meanwhile, Sandworm has been notorious for its destructive operations, particularly in Ukraine. The use of data-wiping malware in the Polish attack aligns with tactics employed by Sandworm, raising concerns about the potential for similar attacks in the future.

Tactics & Techniques

The methodology behind the December attack involved sophisticated techniques that are characteristic of advanced persistent threat (APT) groups. The attackers utilized previously known domains and IP addresses linked to Russian cyber operations. The CERT Polska team noted that, unlike ransomware incidents, which are typically financially motivated, this attack was aimed at causing destruction.

This shift in tactics signifies an alarming trend in cyber warfare, where the intent is to disrupt critical infrastructure rather than extort money. Such attacks can have far-reaching implications, not only for Poland but for the stability of the entire region. Experts warn that if similar tactics are used against larger energy facilities, the consequences could be catastrophic.

Defensive Measures

In response to the escalating threat landscape, Poland's government has intensified its cyber defense strategies. Since the onset of Russia's invasion of Ukraine, authorities have recognized the urgent need to bolster their cybersecurity posture. This includes increasing collaboration with international partners and enhancing the capabilities of CERT Polska.

Polish officials are also urging the cyber community to remain vigilant and share information about potential threats. The government is committed to improving its defenses against future attacks, emphasizing the importance of preparedness in the face of rising cyber threats. As the situation evolves, the focus will remain on identifying and neutralizing threats before they can inflict damage on critical infrastructure.

🔒 Pro insight: The unprecedented nature of these attacks highlights a strategic shift in Russian cyber operations, targeting critical infrastructure to disrupt rather than extort.

Original article from SecurityWeek · Associated Press
