Poland faced a surge in cyberattacks in 2025, including a major assault on the energy sector

WARSAW, Poland (AP) — Poland experienced 2½ times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday.

The attacks included a destructive infiltration of the country’s energy system in December that was believed to be unprecedented among NATO and European Union members, and was suspected of originating in Russia.

Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday.

“We’ve been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”

The government, led by Prime Minister Donald Tusk, its cyber defenses since the start of Russia’s full-scale invasion of Ukraine on Feb. 24, 2022, in response to what it believes to be a from Russia.

Energy system attack

During the morning and afternoon of Dec. 29, coordinated cyberattacks hit a combined heat and power plant supplying heat to almost 500,000 customers, as well as multiple wind and solar farms in Poland.

Polish authorities suspected the cyberattacks were done by a single “threat actor,” with multiple experts pointing to culprits linked to Russian secret services.

The electricity supply wasn’t disrupted, but the alarmed Polish authorities so much that the agency CERT Polska, or Computer Emergency Response Team Poland, issued a public report in late January on technical details of the incident and asked the cyber community for any input on what happened.

“The attack was a significant escalation,” CERT head Marcin Dudek told The Associated Press.

“We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial,” Dudek said. “In this case, there was no financial motivation — the motivation was just destruction.”

He said that Poland has seen only a few destructive incidents in the past and none of them were in the energy sector.

Dudek said that he wasn’t aware of any other destructive cyberattacks on the energy sector in either NATO or EU countries. There have been espionage incidents and activist groups causing marginal damage, but “advanced attacks” like the December one in Poland are likely unprecedented, he said.

Had it targeted even larger energy units, it could have substantially impacted the stability of Poland’s energy grid, Dudek said.

The Polish secret services haven’t yet publicly identified an alleged culprit.

Dudek’s team is authorized only to describe the modus operandi and point to a likely “threat actor” — cyber jargon for an individual or group engaging in malicious activity.

Dragonfly or Sandworm

The CERT analysis looked at the Internet infrastructure used in the Polish attack, including domains and IP addresses, and found that they had been used previously by a Russian threat actor known as “Dragonfly,” and also called “Static Tundra” or “Berserk Bear.”

Dudek said Dragonfly has been known to target the energy sector, but so far not with a destructive attack.

According to an alert issued by the FBI in the United States in August 2025, Dragonfly is a cybersecurity cluster associated with FSB Center 16, a key unit within Russia’s Federal Security Service.

Experts unrelated to Polish authorities agree that the traces of the December attack lead back to Russia.

ESET, one of the largest cybersecurity companies in the EU, analyzed the malware used in the attack and concluded the culprit likely was “Sandworm,” another possible Russian actor previously associated with destructive attacks in Ukraine.

The U.S. government has in the past to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU.

Anton Cherepanov, senior malware researcher at ESET, told The Associated Press that “the use of data-wiping malware and its deployment” in the Polish case “are both techniques commonly employed by Sandworm.”

“We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries,” Cherepanov added.

Whether Dragonfly or Sandworm, it would an actor previously affiliated with Russia. “Whether it’s these Russians or those Russians is a detail,” Cherepanov said.

The Russian Embassy in Warsaw didn’t respond to requests for comment.

Copyright © 2026 The Associated Press. All rights reserved. This material may not be published, broadcast, written or redistributed.
