Poland Confirms Alarming Surge in Cyberattacks During 2025
Polish authorities have disclosed that the nation experienced a staggering 270,000 cyberattacks throughout 2025, representing a dramatic increase of two and a half times compared to the previous year. Deputy Minister of Digital Affairs Paweł Olszewski announced these concerning figures on Tuesday, emphasizing that the frequency of such incidents continues to rise significantly each year.
Unprecedented Energy Infrastructure Attack
Among the most serious incidents was a coordinated cyber assault on December 29th that targeted critical energy infrastructure. The attack affected a combined heat and power plant providing heating to nearly half a million customers, along with multiple wind and solar farms across Poland. While electricity supply remained uninterrupted, the destructive nature of the infiltration alarmed security officials.
"We've been waging a war in cyberspace for many years now," stated Olszewski, highlighting the escalating digital conflict. The Polish government, led by Prime Minister Donald Tusk, has substantially strengthened cyber defenses since Russia's full-scale invasion of Ukraine in February 2022, responding to what they perceive as growing threats from Russian-linked actors.
Destructive Motivation Beyond Financial Gain
Marcin Dudek, head of Poland's Computer Emergency Response Team (CERT Polska), described the December incident as "a significant escalation" in cyber warfare tactics. Unlike previous ransomware attacks motivated by financial extortion, this assault appeared designed purely for destruction without monetary demands.
Dudek revealed that Poland has witnessed only a handful of destructive cyber incidents historically, with none previously targeting the energy sector. He expressed concern that had the attack focused on larger energy units, it could have substantially compromised the stability of Poland's national energy grid.
Russian Threat Actors Suspected
Polish cybersecurity experts investigating the December attack identified infrastructure elements previously associated with Russian threat actors. The analysis pointed toward a group known as "Dragonfly" (also called "Static Tundra" or "Berserk Bear"), which the FBI has linked to FSB Center 16 within Russia's Federal Security Service.
Independent cybersecurity firm ESET conducted a separate analysis of the malware used in the attack, suggesting the culprit might instead be "Sandworm", another Russian-linked group previously associated with destructive operations in Ukraine. The U.S. government has previously attributed Sandworm to Russia's GRU military intelligence agency.
Anton Cherepanov, senior malware researcher at ESET, noted that "the use of data-wiping malware and its deployment" in the Polish case represented techniques commonly employed by Sandworm. He emphasized that no other recently active threat actors have used such destructive malware against targets within European Union countries.
Broader Cybersecurity Implications
The Polish incident represents what experts believe may be the first destructive cyberattack on energy infrastructure within NATO or European Union member states. While espionage incidents and activist-driven attacks have occurred previously, the advanced, destructive nature of the December assault appears unprecedented in Western alliance nations.
CERT Polska took the unusual step of publishing a detailed technical report about the incident in late January, soliciting input from the global cybersecurity community. Polish secret services have not yet publicly identified specific culprits, though multiple experts agree the digital evidence points toward Russian origins.
"Whether it's these Russians or those Russians is a detail," Cherepanov remarked, underscoring the broader concern about state-sponsored cyber aggression. The Russian Embassy in Warsaw did not respond to requests for comment regarding these allegations.



