Poland blames Russian FSB for massive cyberattack on energy infrastructure

Polish officials said on January 30 that Russia’s domestic intelligence agency was likely behind a series of cyberattacks late last month targeting 30 renewable energy facilities, a manufacturing company, and a heat-supplying plant serving nearly 500,000 customers.

A report by Poland’s Computer Emergency Response Team, seen by Reuters and described by a Polish minister as the worst of its kind in years, attributed the attacks to a team of hackers from the Federal Security Service (FSB), Russia’s main domestic spy agency.

The report described the hacks as “purely destructive in nature,” comparing them to acts of arson. “It is worth noting that this period coincided with low temperatures and snowstorms affecting Poland, shortly before New Year’s Eve,” it said. According to the report, the Russian attackers aimed to irreversibly destroy data stored at the combined heat and power plant, though security software blocked that portion of the attack.

Poland has reported a growing number of Russian cyberattacks against its critical infrastructure since the outbreak of the war in Ukraine in February 2022, though Moscow regularly denies responsibility. The incident was linked to an FSB hacking operation tracked under several codenames, including “Berserk Bear” and “Dragonfly.”

An FBI report from August 20, 2025, connected these groups to the FSB’s specialised Centre 16 unit. While the group has long demonstrated a “significant interest” in energy-sector targets and the capability to compromise industrial systems, Polish cyber officials noted this is “the first publicly described destructive activity attributed to this cluster.”

Independent analysis by Slovakia-based cybersecurity firm ESET partially corroborated the findings. ESET reported that the malware used in the attacks overlapped with previous Russian destructive cyber operations, but linked it to the military intelligence hacking group Sandworm rather than the FSB. A follow-up ESET report expanded on the malware analysis, again associating it with Sandworm while acknowledging that other components may have been executed by different hacking groups.

John Hultquist, chief analyst at Google Threat Intelligence Group, said Friday that if the operation is indeed the work of Berserk Bear, it marks an escalation from long-term espionage toward active, destructive attacks. “They have the means, the question was always did they have the motivation,” he said. “Now, potentially based on this attribution, proven to us that they do have the motivation, which puts us in a much more serious situation.”

Hultquist also highlighted potential risks for global events, including the upcoming Winter Olympics, set to begin February 6. “Russia has previously attempted to knock the opening ceremonies offline, and they were extremely active during the last summer games,” he said. “Disruptive cyberattacks are a very real threat.”

By Tamilla Hasanova