The hackers who tried to freeze Poland
A New Year's Eve cyberattack on Poland's power grid failed. What investigators found afterward alarmed the entire West.
![A patch of the Polish Cyberspace Armed Forces is seen during a press conference at the General Staff of the Polish Army in Warsaw, Poland, on November 6, 2025. [Aleksander Kalka/NurPhoto/AFP]](/gc6/images/2026/02/18/54661-afp__20251106__kalka-polishde251106_npcve__v1__highres__polishdefenceministerpresent-370_237.webp)
By Olha Hembik
Russian cyber saboteurs planned to leave hundreds of thousands of Polish citizens shivering in unheated homes over the New Year's holiday. The attack on Poland's energy sector, launched December 29-30, was thwarted, but investigators have since revealed it was broader, more sophisticated, and more consequential for the West than initially understood.
Poland's Computer Emergency Response Team, CERT Polska, confirmed the attack hit more than 30 wind and solar farms in addition to the thermal power plant supplying heat to nearly 500,000 people. The United States and United Kingdom have since issued warnings to their own critical infrastructure operators. Cybersecurity firm Dragos called it the first major cyberattack of its kind to target distributed energy resources -- smaller wind, solar and heat facilities increasingly being added to grids worldwide.
The attack has been attributed to Russian state-linked hackers, though investigators differ on which unit was responsible -- some pointing to actors tied to Russia's FSB intelligence service, others to groups linked to its GRU military intelligence agency. Experts say the operation signals an escalation in Russian cyber activity targeting NATO members.
On January 15, Polish Prime Minister Donald Tusk confirmed the attack had been defeated.
![Prime Minister of Poland Donald Tusk gives key remarks during an opening ceremony at the Warsaw Security Forum 2025 in Warsaw, Poland, on September 29, 2025. [Marek Antoni Iwańczuk/NurPhoto/AFP]](/gc6/images/2026/02/18/54660-afp__20251002__iwanczuk-the12the250929_npu8t__v1__highres__warsawsecurityforum2025-370_237.webp)
"If the attack had been fully effective, if it had succeeded, approximately 500,000 people would have been left without electricity," he said, adding that the backbone of Poland's electricity transmission system had not been damaged and safety systems had activated in time. "But we cannot ignore the signals."
Polish Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski called it "the largest attack on the energy sector in recent years" and probable Russian sabotage, saying cybercriminals were trying to "cause a power outage across the entire country."
Polish Energy Minister Miłosz Motyka said the goal was to disrupt communications between energy sources and distribution system operators.
Rising cyber pressure
Cyberattacks on Poland continue to surge, with between 2,000 and 4,000 incidents reported daily, according to Gawkowski. CyberDefence24 reported 620,000 incidents in 2025, underscoring a sustained campaign against the country’s digital and physical infrastructure.
Attackers increasingly target utilities and municipal systems. In February 2025, hackers struck water treatment facilities in Tolkmicko, Małdyty and Sieraków, followed by another attack in Szczytno in July. Other targets have included hydroelectric plants, waste incinerators, ventilation systems, compressors, public fountains and even a swimming pool.
Piotr Kaszuwara, a war correspondent and founder of Fundacja Przyszłość dla Ukrainy UA Future, framed the activity as part of a broader Russian campaign beyond Ukraine's borders.
"The Kremlin is using cyberattacks, intimidation, and information operations to discover the state's weaknesses," he told Kontur.
Officials and analysts say the operations combine reconnaissance with pressure-testing of response systems. In December, attackers attempted to disrupt software used to manage electricity demand and consumption levels, a move experts view as an escalation in ambition and sophistication.
Heating systems vulnerable
Energy analysts warn that attacks on heating networks could prove more disruptive than strikes on the national grid. Michał Grabka, head of the Energy and Climate Research Program at Instrat, explained that Poland's electricity and heat generation are linked at the plant level but separated in distribution.
"The power grid covers the entire country. Individual large power units can be prevented from failing or shutting down," Grabka told OKO.press.
He noted that national grid operators maintain reserve capacity to replace offline units. Heating networks, however, function locally and independently. If several plants supplying one city fail, outages could cascade quickly, leaving residents without heat and hot water.
Cybersecurity specialist Wojciech Ciemski described the December incident as "a significant escalation compared to previous incidents." He said the operation appeared carefully staged over months.
"The preparation [for the cyberattack] on the thermal power plant lasted several months. In the early stages, the attackers managed to get copies of account databases," Ciemski said.
He likened the intrusion to a classic espionage campaign. Attackers captured passwords and permissions within a Windows domain and quietly exfiltrated data before moving toward sabotage.
"However, by the end of December, the attackers had gained the necessary access and information to proceed to the sabotage phase," he said.
Artur Wojdygo, an IT expert and volunteer with the Warsaw-based group Asymetryści, warned that outdated security tools compound the threat.
"The worst part is that Fortigate security solutions are not being updated and have vulnerabilities that can be exploited to penetrate the system, which puts virtually everything at risk," he told Kontur.
Analysts say disruptive malware campaigns also intensified last year, hitting the aviation sector and a major Polish hotel company.
State braces for attacks
Experts say the December operation appeared designed both to test energy infrastructure defenses and to refine new attack methods while observing how authorities respond.
Energy Minister Miłosz Motyka said consultations with foreign partners suggested other countries had not yet faced identical tactics, highlighting the experimental nature of the campaign.
Wojdygo stressed that total prevention is unrealistic but mitigation is achievable.
"Attacks will occur. They cannot be completely prevented," he said.
He added that governments must focus on early detection, warning systems and rapid recovery. Restoring services quickly after removing malware limits economic damage and public panic.
Jerzy Mazur, a Polish military expert, said the government is steadily strengthening cybersecurity protections for critical infrastructure.
"We Poles are not panicking. We are talking about a pragmatic response to hybrid warfare. Russia is testing us with sabotage, subversion, and information attacks on the Internet, and will continue to do so," he told Kontur.
Authorities also stepped up public preparedness efforts. The government website published guidance on coping with prolonged blackouts. This winter, households received a free brochure titled Safety Adviser with instructions on surviving power outages, administering first aid and responding to military threats.