Poland's Computer Emergency Response Team (CERT Polska) has attributed a series of December cyberattacks targeting the country's energy infrastructure to Russia's Federal Security Service (FSB), marking what Polish officials describe as the worst incident of its kind in years.
The attacks struck 30 renewable energy facilities, a manufacturing firm, and a combined heat and power plant serving nearly 500,000 customers in late December 2025, according to a CERT Polska report cited by Reuters.
"This period coincided with low temperatures and snowstorms affecting Poland, shortly before New Year's Eve," the report states.
Polish cyber officials characterized the operations as "purely destructive in nature," comparing them to arson. The attackers aimed to irreversibly destroy data stored on devices within the heat and power plant, though security software blocked that portion of the attack, the report indicates.
CERT Polska linked the incident to an FSB hacking operation tracked under several names, including "Berserk Bear" and "Dragonfly." An August 2025 FBI report connected these groups to the FSB's specialized unit Center 16.
While this group has historically shown "significant interest" in the energy sector and demonstrated the capability to attack industrial devices, "this is the first publicly described destructive activity attributed to this cluster," Polish cyber officials noted.
The attribution has sparked debate among cybersecurity researchers. Slovakia-based firm ESET published an analysis last week tying the malware used in the Polish attacks to Sandworm, a Russian military intelligence hacking unit, rather than the FSB. ESET issued a second report Friday that again connected the malware to Sandworm, though it cautioned that different hacking groups may have carried out other aspects of the operation.
John Hultquist, chief analyst at Google Threat Intelligence Group, said the attack—if indeed conducted by Berserk Bear—represents a significant shift in tactics.
"They have the means, the question was always did they have the motivation," Hultquist said. "Now, potentially based on this attribution, proven to us that they do have the motivation, which puts us in a much more serious situation."
The development marks an escalation from penetrating targets for long-term espionage toward destructive action, Hultquist noted.
He raised concerns about the upcoming Winter Olympics, set to begin February 6.
"Russia has previously attempted to knock the opening ceremonies of the Winter Olympics offline, and they were extremely active during the last summer games," Hultquist said. "Disruptive cyberattacks are a very real threat."
Poland has reported growing cyberattacks on its critical infrastructure since Russia's invasion of Ukraine in February 2022. Moscow regularly denies responsibility for malicious cyber activity.
Polish Energy Minister Miłosz Motyka reported unsuccessful cyberattacks on several power-generating facilities in the final days of 2025. Deputy Prime Minister and Minister of Digitalization Krzysztof Gawkowski said in December that Poland came "very close" to power outages due to a Russian attack.
Prime Minister Donald Tusk held an urgent meeting on 15 January regarding cyberattacks on Polish energy infrastructure. Following the meeting, Tusk stated that some evidence points to Russian intelligence services' involvement in preparing the attacks, though he noted the absence of definitive proof.
The Russian embassy in Washington did not respond to a request for comment.