Poland was hit by 270,000 cyberattacks in 2025, according to Deputy Minister of Digital Affairs Paweł Olszewski. That figure represents a 250% increase on the previous year and marks an escalation that has Polish authorities speaking openly of “waging a war in cyberspace.” The most serious incident came on 29 December when coordinated attacks targeted more than 30 wind and solar farms, a manufacturing facility, and a combined heat and power plant serving almost 500,000 customers.
The December attack stands apart from anything Poland has seen before. Previous incidents were financially motivated ransomware operations. This was purely destructive. CERT Polska head Marcin Dudek told The Associated Press that “in this case, there was no financial motivation — the motivation was just destruction.”
The Attack Hit During Winter Storms
CERT Polska’s incident report confirms the timing was deliberate. The attacks occurred during a period when Poland was struggling with low temperatures and snowstorms just before New Year. The report states the attacks “can be compared to deliberate arson” — language that signals how seriously Polish authorities view the incident.
The renewable energy farms lost communication with distribution system operators but continued producing electricity. The combined heat and power plant maintained service to customers. No power cuts resulted, but that appears to have been luck rather than design.
Dragonfly and Sandworm Both Linked to Russian Intelligence
CERT Polska’s technical analysis links the attacks to infrastructure previously used by Dragonfly, a Russian threat group also known as Static Tundra or Berserk Bear. The FBI confirmed in August 2025 that Dragonfly operates as part of FSB Center 16, a Federal Security Service unit responsible for signals intelligence and cyber operations. Separately, ESET analysed the malware samples and noted that the data-wiping malware and its deployment were techniques commonly employed by Sandworm, another Russian group known for destructive attacks in Ukraine.
The attribution disagreement between Polish and Slovak researchers matters less than the consensus: both groups report to Russian intelligence services. As Cherepanov put it: “Whether it’s these Russians or those Russians is a detail.”
Nordic Energy Companies Should Review Winter Readiness
Vattenfall, which operates wind farms across Poland, Denmark, and Sweden, has not commented on whether its Polish facilities were among those targeted. The company’s Nordic operations face similar threat profiles to the Polish installations that were hit. The December attacks demonstrate that energy infrastructure remains a priority target for state-linked actors willing to attempt service disruption during extreme weather events.
For energy companies operating across Eastern Europe, the Polish attacks highlight the value of communications redundancy and manual override capabilities. The targeted facilities maintained power generation despite losing network connectivity, suggesting their operational technology systems were properly segmented from corporate networks.
References
- CERT Polska Energy Sector Incident Report
- Poland Faced Surge in Cyberattacks in 2025
- FBI Alert: Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
- Poland faced a surge in cyberattacks in 2025, including a major assault on the energy sector