Poland accuses Russian intelligence of orchestrating cyber attack in late December

JAKARTA - Polish officials said Russia's domestic intelligence agency was suspected of being behind a cyber attack that occurred at the end of December 2025 and targeted dozens of renewable energy facilities and critical infrastructure in the country.

In a statement on Friday, January 30, Polish authorities said the cyber attack targeted around 30 renewable energy facilities, a manufacturing company, and a power and heat plant that supplies nearly 500,000 customers.

The report of the Polish Computer Emergency Response Team (CERT Poland) called the attack the worst in recent years. Initial analysis points to a hacker group linked to the Russian Federal Security Service (FSB).

"This attack is purely destructive," the report said, comparing the hacking to arson.

CERT Poland noted that the attack occurred while Poland was being hit by low temperatures and a snowstorm, days before New Year's Eve. The main goal of the attack was allegedly to permanently destroy data on the systems of an integrated power and heat plant. However, the attempt was thwarted by security software.

The Russian Embassy in Washington has not responded to a request for comment on the allegations.

Poland says its critical infrastructure has increasingly become a target of cyberattacks since the Russia-Ukraine war began in February 2022. Moscow has consistently denied involvement in malicious cyber activity.

The CERT Poland report links this incident to the FSB hacking operation known by a number of names, including "Berserk Bear" and "Dragonfly". An FBI report in August 2025 had previously linked this group to the FSB's special unit, Center 16.

Although the group has long been known to have a strong interest in the energy sector and the ability to attack industrial systems, Polish cyber authorities said this was the first time that destructive activity had been publicly associated with the group.

However, a separate analysis from Slovakian cybersecurity firm ESET linked the malware used in the attack to a Russian military intelligence unit known as Sandworm, not the FSB. ESET said it was likely that more than one hacking group was involved in the operation.

Google Threat Intelligence Group principal analyst John Hultquist said that if the attack was carried out by Berserk Bear, it would mark a serious escalation from long-term espionage activities to direct sabotage.

"The question all along has been whether they had the motivation. Now it appears that motivation is there, and the situation has become a lot more serious," Hultquist said.

He also drew attention to the threat of cyber attacks on international events, including the Winter Olympics, which are scheduled to begin on February 6.

"Disruptive cyber attacks are a very real threat," he said.