Poland has linked cyberattacks on the energy sector to hacker units of Russia's FSB
Polish cybersecurity authorities believe that hackers linked to Russia's Federal Security Service (FSB) were involved in a series of cyberattacks on the country's energy infrastructure in late December. This is stated in a report by Poland's Computer Emergency Response Team (CERT Polska), as reported by Reuters.
According to CERT Polska, on 29 December, about 30 renewable energy facilities, a manufacturing company, and a company that provides heat to almost half a million consumers were hit by cyberattacks. The report notes that the actions of the attackers were purely destructive and comparable in their consequences to arson.
CERT Polska noted that the attacks took place during a period of severe frost and snowstorms that swept across Poland shortly before the New Year holidays. According to experts, one of the goals of the operation was to permanently destroy data on the devices of the thermal power plant, but the security system software was able to block this part of the attack.
Polish experts link the incident to a hacking operation tracked under the names Berserk Bear and Dragonfly. In a report by the US Federal Bureau of Investigation (FBI) dated 20 August 2025, these groups are associated with the Russian FSB's specialised unit "Centre 16".
CERT Polska noted that although this hacker group has long shown an increased interest in the energy sector and had the capability to attack industrial systems, this is the first publicly recorded case of destructive activity attributed to it.
At the same time, an independent analysis by the Slovak cybersecurity company ESET links the malware used in the attacks in Poland to previous destructive cyber operations attributed to Russia. In a report released last week, ESET experts pointed to a Russian military intelligence hacking unit known as Sandworm, rather than the FSB. On Friday, the company published a second report in which it again linked the malware to Sandworm, noting that certain elements of the operation may have been carried out by other hacker groups.
John Hultquist, chief analyst at Google Threat Intelligence Group, said that if the attack was indeed carried out by the Berserk Bear group, it represents an escalation from covert infiltration for long-term espionage to actions aimed at causing immediate harm. He also warned that such incidents raise concerns about the security of the Winter Olympics, which begin on 6 February.
According to Hultquist, Russia has previously attempted to disrupt the opening ceremony of the Winter Olympics and was extremely active during the last Summer Games, and destructive cyberattacks remain a real threat.
Earlier, Polish Prime Minister Donald Tusk said that the cyberattack on 29–30 December was directed against two thermal power plants and renewable energy facilities and was likely organised by Russian special services.