Russian state-backed hackers successfully infiltrated Polish energy infrastructure late last year, exploiting critical security vulnerabilities. The breach targeted wind farms, solar facilities, and a heat-and-power plant, exposing significant gaps in the country’s grid protection.
Security Failures Enabled the Breach
According to a technical report published by Poland’s Computer Emergency Response Team (CERT), the intruders faced minimal resistance. The compromised systems relied on default credentials and lacked multi-factor authentication (MFA), two fundamental security oversights that gave the attackers a direct entry point.
Destructive Intentions and Malware Deployment
The attackers attempted to deploy wiper malware across the hijacked systems. The primary objective appeared to be the permanent destruction of grid control infrastructure. While the malicious code was successfully neutralized at the heat-and-power facility, the malware rendered monitoring and control systems at several wind and solar farms inoperable.
“All of the attacks were purely destructive in nature — by analogy to the physical world, they can be compared to deliberate acts of arson,” the CERT report stated.
Grid Stability Remained Intact
Despite the successful infiltration of specific sites, the hackers failed to cause widespread power disruptions. Analysts confirmed that even if the attacks on the targeted facilities had reached their full potential, the overall stability of the Polish power grid would not have been compromised during the incident window.
Identifying the Perpetrators
The attack, which occurred on December 29, has drawn intense scrutiny from global cybersecurity firms. Researchers at ESET and Dragos initially linked the operation to the notorious Russian state group Sandworm, a unit historically associated with major power grid disruptions in Ukraine between 2015 and 2022.
However, Poland’s CERT has attributed the activity to a different actor: the Russian state-affiliated group known as Berserk Bear (also known as Dragonfly). While Sandworm is known for aggressive, kinetic-style cyberattacks, Berserk Bear has traditionally focused on cyberespionage, marking a potential shift in the group’s operational tactics.