Overview
On December 29, 2025, a series of cyberattacks struck several Polish energy facilities and a manufacturing firm. Poland's Computer Emergency Response Team (CERT Polska) described it as the worst attack of its kind in years, and the incident was reported publicly by Reuters on January 30, 2026.
The attacks were destructive in nature — their apparent goal was to wipe data stored on devices within heat and power plants, deliberately timed to coincide with a period of extremely cold weather in Poland.
The data-destruction component of the attack was blocked by security software, according to CERT Polska's report — preventing what could have been a significantly worse outcome during winter conditions.
Attribution: FSB vs. Sandworm
Attribution on this incident was contested and evolved across multiple analyses. Polish officials initially pointed blame toward Russia's Federal Security Service (FSB), connecting the attack to a hacking cluster previously known as "Berserk Bear" and "Dragonfly" — a group long suspected of having the capability to attack industrial devices and a documented interest in the energy sector.
Notably, CERT Polska characterized this as "the first publicly described destructive activity attributed to this cluster," marking a significant escalation from prior suspected capabilities to confirmed destructive action.
Independent analysis by Slovak cybersecurity firm ESET reached a different conclusion — the malware's methods overlapped with prior attacks tied to Russia, but pointed toward Sandworm, a Russian military intelligence unit, rather than the FSB.
ESET later published an expanded follow-up report that again led back to Sandworm, while also noting that aspects of the attack may have involved other groups acting in coordination. The divergence between Polish government attribution (FSB) and independent researcher attribution (Sandworm / GRU) reflects how difficult definitive attribution remains even in high-profile incidents.
Broader Context: Russia–Poland Cyber Escalation
Poland's government noted that Russian cyberattacks specifically targeting Polish infrastructure have been rising steadily since Russia's invasion of Ukraine in February 2022. This attack fits into a broader pattern of Russian threat actors using neighboring NATO countries' critical infrastructure as a pressure point in the wider geopolitical conflict.
The choice of energy infrastructure as a target — and the deliberate timing during a cold weather period — signals an intent to cause real-world physical harm, not just data loss or financial disruption. Attacks on industrial control systems and operational technology (OT) environments represent one of the most serious categories of cyber threat facing governments today.
Lessons Learned
From a cybersecurity student's perspective, this incident highlights several principles that go beyond standard enterprise security and into the domain of critical infrastructure protection:
- Destructive intent changes the threat model. Most cybersecurity frameworks are built around confidentiality and availability. An attack designed to destroy data on OT systems in a power plant during winter is an attempt to cause physical harm to civilians — a fundamentally different category of threat.
- Security software blocking the wiper was the decisive control. The attack's worst outcome was prevented not by after-the-fact detection and incident response, but by preventive tooling that stopped the payload before it could execute. Endpoint protection on OT-adjacent systems is not optional.
- Attribution is hard and often contested. Government attribution (FSB) and independent researcher attribution (Sandworm) diverged on the same incident. Both may be partially correct — multiple Russian groups sometimes operate in the same environment. Defenders should not wait for definitive attribution before responding.
- Geopolitical context shapes targeting. Poland's support for Ukraine directly correlated with increased Russian cyber activity against Polish infrastructure. Understanding the geopolitical environment is part of understanding threat actor motivation and likely targeting.
- Critical infrastructure requires specialized defenses. OT and industrial control environments have different patching cycles, network architectures, and risk tolerances than standard IT environments. Security controls for OT need to be designed around those constraints rather than transplanted unchanged from IT.
References
- Vicens, A.J. (2026, January 30). Polish officials blame Russian domestic spy agency for Dec 29 cyberattacks. Reuters. https://www.reuters.com/technology/polish-officials-blame-russian-domestic-spy-agency-dec-29-cyberattacks-2026-01-30/