Poland has confirmed that Russian government-backed hackers breached parts of its energy infrastructure in late 2025, exploiting basic cybersecurity failures such as default passwords and the absence of multi-factor authentication. The incident, detailed in a new technical report by Poland’s Computer Emergency Response Team (CERT), underscores how vulnerable critical infrastructure systems remain to even relatively unsophisticated attack methods.
According to the report, attackers accessed wind farms, solar facilities, and a combined heat-and-power plant using weak or unchanged login credentials. Once inside, they attempted to deploy destructive “wiper” malware designed to erase systems and render them unusable. While the attack was stopped at the heat-and-power plant, monitoring and control systems at renewable energy facilities were successfully disrupted, forcing operators to temporarily lose visibility into grid operations.
Fortunately, Polish authorities said the hackers did not manage to interrupt electricity supply, and even if they had, the impact on national grid stability would have been minimal. Still, officials described the attack as “purely destructive,” likening it to digital arson: an act intended more to cause chaos and disruption than to steal data or conduct long-term espionage.
Cybersecurity firms ESET and Dragos had previously linked the December 29 incident to Sandworm, a notorious Russian hacking group responsible for major power outages in Ukraine in 2015, 2016, and 2022. However, Poland’s CERT attributed the breach to another Russian-linked group known as Berserk Bear, also called Dragonfly. This group is traditionally associated with cyberespionage campaigns rather than destructive attacks, making this incident particularly concerning to analysts.
The attack highlights a broader and growing risk to energy infrastructure across Europe and beyond. As renewable energy systems and grid controls become increasingly digital and interconnected, weak authentication practices and outdated security policies create easy entry points for hostile actors. Experts say the fact that default credentials were still in use reflects a systemic problem in industrial cybersecurity, where operational convenience often takes priority over security.
Polish authorities have since urged energy operators to strengthen access controls, enforce multi-factor authentication, and conduct regular security audits. The incident also reinforces the importance of national cyber defense coordination and real-time threat sharing between governments and private-sector infrastructure providers.
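The two failures the report names, factory-default credentials and missing multi-factor authentication, are the kind of thing an operator can check mechanically against an asset inventory before an attacker does. The script below is an added illustration of such an audit, not code from the CERT report or from Polish authorities; every asset name, site, device model and default-password fingerprint in it is constructed, and the hashing scheme (comparing SHA-256 fingerprints rather than plaintext passwords) is an assumption about how an operator might store the inventory.

```python
"""Audit an OT asset inventory for the two failures the CERT report names:
factory-default credentials and missing multi-factor authentication.

Everything below (device models, default-password fingerprints, sites, asset
names) is constructed for illustration and is not from the report or a vendor.
"""
import hashlib
from dataclasses import dataclass


def _fp(secret: str) -> str:
    """SHA-256 fingerprint of a password; the audit compares fingerprints only."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed table: per device model, fingerprints of its factory-default
# passwords. An operator would build this from vendor documentation and keep it
# separate from the inventory so no plaintext default ever sits beside a host.
FACTORY_DEFAULTS = {
    "wind-ctrl-x1": {_fp("changeme")},
    "solar-gw-200": {_fp("admin"), _fp("1234")},
    "chp-scada-hmi": {_fp("password")},
}


@dataclass
class Asset:
    name: str
    site: str
    model: str
    username: str
    credential_fp: str        # SHA-256 of the password currently configured
    mfa_enabled: bool
    internet_reachable: bool  # exposed to remote access from outside the plant


@dataclass
class Finding:
    asset: str
    issue: str
    severity: str


def audit_asset(a: Asset) -> list[Finding]:
    """Return findings for one asset; exposure to remote access raises severity."""
    findings = []
    if a.credential_fp in FACTORY_DEFAULTS.get(a.model, set()):
        sev = "critical" if a.internet_reachable else "high"
        findings.append(Finding(a.name, "factory-default credential in use", sev))
    if not a.mfa_enabled:
        sev = "high" if a.internet_reachable else "medium"
        findings.append(Finding(a.name, "multi-factor authentication not enforced", sev))
    return findings


def audit_inventory(assets: list[Asset]) -> list[Finding]:
    return [f for a in assets for f in audit_asset(a)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a site can be ranked for remediation."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory mirroring the facility types in the report.
SAMPLE_INVENTORY = [
    Asset("wf-north-turbine-ctrl", "wind farm north", "wind-ctrl-x1",
          "admin", _fp("changeme"), mfa_enabled=False, internet_reachable=True),
    Asset("pv-east-gateway", "solar east", "solar-gw-200",
          "operator", _fp("S0lar!Xk92"), mfa_enabled=False, internet_reachable=False),
    Asset("chp-hmi-01", "combined heat-and-power", "chp-scada-hmi",
          "engineer", _fp("Q7#plantHmi"), mfa_enabled=True, internet_reachable=False),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity.upper()}] {f.asset}: {f.issue}")
    print(summarize(results))
```

Run against the constructed inventory, the wind-farm controller is flagged twice (a default credential on an externally reachable device, and no MFA), the solar gateway once for missing MFA, and the heat-and-power HMI not at all. Keeping the default table as fingerprints means the audit can run from a ticketing or CMDB export without ever handling plaintext passwords.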
While the immediate damage was limited, the breach serves as a stark reminder that critical infrastructure is now a frontline target in geopolitical conflict. Even unsuccessful attacks can test defensive systems, expose weaknesses, and lay the groundwork for more disruptive operations in the future.
As tensions between Russia and NATO countries remain high, cybersecurity experts warn that energy grids will continue to face persistent and evolving threats, making proactive defense not just a technical necessity, but a national security priority.