Polish cyber authorities say Russia's FSB was likely responsible for destructive cyberattacks on Dec. 29 that hit 30 renewable energy sites, a factory and a heat plant serving nearly 500,000 people. A national report called the malware "purely destructive" and said security tools stopped the attackers from fully wiping data at the heat-and-power plant. Independent researchers at ESET attribute the code to Sandworm (linked to Russian military intelligence), illustrating competing technical attributions and raising concerns about a broader escalation in disruptive cyber operations.
Poland Says FSB Likely Behind Devastating Dec. 29 Cyberattacks on Energy and Heat Facilities

Polish authorities said on Jan. 30 that Russia's domestic intelligence service, the Federal Security Service (FSB), was the likely author of coordinated cyberattacks on Dec. 29 that targeted 30 renewable energy sites, a manufacturing firm, and a combined heat-and-power plant supplying nearly 500,000 customers.
A technical assessment by Poland's Computer Emergency Response Team characterized the intrusions, which a Polish minister described as the worst incident of its kind in years, as "purely destructive in nature." The report likened the malware's effect to arson and stressed the risk to public welfare given the timing, during a cold spell and snowstorms just before New Year's Eve.
The national report says the attackers attempted to irreversibly wipe data on systems inside the combined heat-and-power plant, but security software thwarted the final destructive stage. The Russian Embassy in Washington did not respond to a request for comment.
Alternate Analysis Links Attack To Russian Military Intelligence
While Poland's report attributes the campaign to an FSB-linked cluster tracked under names such as Berserk Bear and Dragonfly, independent researchers at Slovakia-based cybersecurity firm ESET concluded the malware overlaps with prior destructive operations tied to Sandworm, a hacking unit associated with Russian military intelligence (GRU).
Poland cited an Aug. 20, 2025 FBI report that connects the actor names to the FSB's specialised unit known as Center 16. ESET published a follow-up analysis that again linked the code to Sandworm while cautioning that some operational elements may involve other threat actors, underscoring the complexity of confident attribution in multi-stage attacks.
"They have the means, the question was always did they have the motivation," said John Hultquist, chief analyst at Google Threat Intelligence Group. "Now, potentially based on this attribution, we see that they do — which puts us in a much more serious situation."
Experts warn this apparent shift from long-term espionage to deliberately destructive operations represents an escalation and raises concerns about the security of large international events, including the Winter Olympics scheduled to open on Feb. 6. Analysts note Russia has previously attempted disruptive operations around major sporting events.
What is clear: critical infrastructure in Poland has faced growing cyber pressure since the February 2022 invasion of Ukraine, and this incident highlights continuing risks to energy systems and civilian services when destructive malware is deployed.
(Reporting by AJ Vicens in Detroit; editing by Philippa Fletcher)