Cyberattacks on Polish energy infrastructure attributed to Russia
CERT Polska attributed the late December 2025 cyberattack on Poland's energy sector to the Russian-associated 'Static Tundra' (Berserk Bear/Dragonfly) cluster, linked to the FSB. As of April 18, 2026: The attack, which utilized DynoWiper malware to destroy data and corrupt systems, damaged equipment and degraded communication between energy entities, though electricity supply remained uninterrupted. Polish authorities suspect Russian intelligence services, including APT28 and Sandworm, were behind the attack, which exploited vulnerable devices and targeted approximately 30 wind and solar farms. The U.S. CISA issued a warning to U.S. critical infrastructure owners based on lessons learned from this incident, which saw Russian government hackers breach facilities by exploiting default credentials and a lack of multi-factor authentication. This event marks the first major cyberattack targeting distributed energy resources (DERs), with Poland facing between 2,000 and 4,000 cyber incidents daily.
Timeline
April 2026 — 1 development
CERT Polska has attributed the late December 2025 cyberattack on Poland's energy sector to the 'Static Tundra' cluster, also known as Berserk Bear or Dragonfly, which is associated with Russia's Federal Security Service (FSB). The sophisticated operation utilized wiper malware like DynoWiper to destroy data and corrupt systems, damaging equipment and degrading communication between energy entities.
March 2026 — 1 development
Polish authorities suspect Russian intelligence services are behind a major December 2025 cyberattack on energy infrastructure, which is part of a broader trend of a 2.5-fold increase in cyberattacks against Poland in 2025. The attack, which exploited vulnerable devices, is attributed to groups including APT28 (Fancy Bear) and Sandworm, and aimed at destabilization. Electricity supply remained uninterrupted.
February 2026 — 1 development
Following a cyberattack on Poland's energy grid, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to U.S. critical infrastructure owners and operators. The advisory aims to share lessons learned from the attack, which targeted approximately 30 wind and solar farms.
January 2026 — 9 developments
A technical report from Poland's CERT revealed that Russian government hackers breached Polish energy facilities by exploiting default credentials and a lack of multi-factor authentication. The attackers deployed wiper malware to destroy monitoring systems.
The cyberattack has been attributed to the Russian state-sponsored hacking group ELECTRUM, which shares overlaps with Sandworm. According to cybersecurity company Dragos, this was the first major cyberattack targeting distributed energy resources (DERs).
The CEO of Polskie Sieci Elektroenergetyczne (PSE) stated that the risk of a long-term blackout from the cyberattack was small and that the attack on smaller renewable energy assets did not threaten critical infrastructure.
The cyberattack specifically targeted two heat-and-power plants and a renewable energy management system, and the DynoWiper malware used was previously undocumented.
The cyberattack on Poland's energy grid specifically aimed to disrupt communications between renewable energy installations and electricity distribution operators.
European security firm ESET reported that the December cyberattack on Polish energy targets used 'DynoWiper' malware, designed to erase computers and cause disruption. ESET attributed the operation with medium confidence to Sandworm, a Russian military intelligence hacking unit.
Poland's digital affairs minister reported that the country faces between 2,000 and 4,000 cyber incidents daily, with 700 to 1,000 posing a real threat, and that Russia has tripled its resources for cyber actions against Poland in 2025. The recent attack on the energy grid breached systems through vulnerable edge devices before deploying wiper malware that damaged operational technology and corrupted firmware.
Poland has accused Russia of launching a major cyberattack on its energy grid in late December 2025, which nearly caused a nationwide blackout. Energy Minister Miłosz Motyka stated the attack aimed to disrupt communication between renewable energy installations and power distribution operators. The UK's National Cyber Security Centre also issued an alert following these attacks, attributed to Russian state cyber forces.
Polish Energy Minister Miłosz Motyka stated that the December attack was 'threatening' and different from previous attacks, as various locations were targeted simultaneously. He announced Poland would increase investment in energy infrastructure through an 'anti-blackout package'.
December 2025 — 1 development
Poland thwarted a significant and coordinated cyberattack targeting its energy grid, specifically two combined heat and power plants, which aimed to cause a blackout affecting hundreds of thousands of people. Polish officials attributed the attack to Russian intelligence services.
October 2025 — 1 development
Poland's Digital Affairs Minister Krzysztof Gawkowski reported a surge in cyberattacks linked to Russia, with Moscow's military intelligence tripling its cyber resources targeting Poland. Of 170,000 cyber incidents in the first nine months of 2025, a substantial share was attributed to Russian actors, with attackers extending their reach to the energy sector.
September 2025 — 1 development
A coordinated cyberattack, described as the largest digital assault since 2022, coincided with a Russian drone strike. Russian-linked bots subsequently spread disinformation blaming Ukraine.
August 2025 — 1 development
Hackers attempted to disable a hydroelectric power station in Poland's Pomeranian Voivodeship near Gdańsk by manipulating operational parameters to extreme values, forcing a shutdown of the generator and rotor.