Russian domestic intelligence is likely responsible for cyberattacks that occurred late last month on 30 Polish renewable energy facilities, a manufacturing company, and a plant that supplies heat to almost half a million consumers.
Key points
- Poland accuses Russian domestic intelligence of conducting cyberattacks on 30 renewable energy facilities and other critical infrastructure, with the intent to cause harm.
- The attacks on Polish energy facilities were identified as being destructive in nature, resembling arson, and were attributed to a hacking operation linked to the Russian Federal Security Service (FSB).
FSB hackers attacked Polish energy facilities in December 2025
This is stated in a report by the Polish Cyber Emergency Response Team (CERT Polska).
A summary of the December 29 cyberattacks points to a group of hackers from the Russian Federal Security Service (FSB). The crimes were “purely destructive in nature,” the report says, comparing them to arson.
It is worth noting that this period coincided with low temperatures and snowstorms that hit Poland shortly before the New Year.
Russia's goal was to permanently destroy data stored on devices at the thermal power plant, but security software blocked this part of the attack.
CERT Polska experts link the incident to an FSB hacking operation that has been tracked under several names, including "Berserk Bear" and "Dragonfly." An FBI report dated August 20, 2025, links these groups to the specialized unit of the Russian FSB, Center 16.
Although the FSB hacking group has historically shown "significant interest" in the energy sector and has had the ability to attack industrial devices, "this is the first publicly described destructive activity attributed to this group," CERT Polska said.
Meanwhile, an independent analysis by Slovak cybersecurity firm ESET tied the malware used in the attack on Poland to previous disruptive cyber operations linked to Russia. But in a report published last week, experts pointed to a Russian military intelligence hacking unit known as Sandworm, not the FSB.
On Friday, ESET released a second report detailing its analysis of the malware, again linking it to Sandworm, and warning that other aspects of the operation could have been carried out by other hacking groups.
John Hultquist, principal analyst at Google's Threat Intelligence Group, said that if the attack was indeed carried out by "Berserk Bear," the activity is an escalation from infiltrating targets for long-term espionage to actions aimed at causing harm. He noted that this situation should raise concerns about the security of the Winter Olympics, which begin on February 6.
Russia has previously attempted to disrupt the opening ceremony of the Winter Olympics, and they were extremely active during the last summer games. Destructive cyberattacks are a very real threat.