Polish officials say Russia’s domestic intelligence agency likely carried out a wave of cyberattacks on December 29, targeting critical sites across Poland. The attacks hit renewable energy facilities, a manufacturing company, and a major heating plant that serves nearly 500,000 customers, raising fresh concerns about the safety of the country’s infrastructure.
Cyberattacks Target Energy and Heating Systems
According to Polish authorities, the December 29 cyberattacks affected around 30 renewable energy facilities. The hackers also struck a manufacturing firm and a combined heat and power plant that provides heating to almost half a million people.
Poland’s Computer Emergency Response Team (CERT) described the incident as one of the most serious attacks of its kind in years. The report said the hackers aimed to disrupt operations and damage systems rather than steal information.
Polish CERT Points to Russia’s FSB
A new report from Poland’s CERT linked the cyberattacks to a hacking team tied to Russia’s Federal Security Service (FSB). Investigators connected the incident to an operation known under names like “Berserk Bear” and “Dragonfly.”
In addition, Polish officials noted that the FBI previously connected these groups to an FSB unit called Center 16 in a report published on August 20, 2025.
Officials Say the Attack Was “Purely Destructive”
Poland’s CERT said the operation had a destructive purpose. It compared the attack to arson because it aimed to wipe systems and permanently damage data.
The report also pointed out the timing. The cyberattack occurred during freezing weather and snowstorms in Poland, just before New Year’s Eve. That timing suggests the attackers may have wanted to maximize disruption during a high-demand period.
However, the report said security software blocked part of the attempt. As a result, the attackers failed to irreversibly destroy data stored inside the heat and power plant systems.
ESET Analysis Links Malware to Sandworm Instead
While Poland’s official report blamed the FSB, another analysis reached a different conclusion. Researchers at cybersecurity firm ESET said the malware used in the attack matched tools tied to earlier destructive operations linked to Russia.
However, ESET connected the operation to Sandworm, a hacking unit widely associated with Russian military intelligence, rather than the FSB. In a second report published Friday, ESET repeated that conclusion, although it also warned that different groups could have played roles in the wider operation.
Experts Warn of Escalation and Wider Risk
Google Threat Intelligence Group analyst John Hultquist said that if the attack is truly tied to Berserk Bear, it could mark a major shift. In the past, the group mainly focused on long-term spying. Now, the behavior looks more aggressive and destructive.
He added that this change could increase security worries beyond Poland. He also said the situation should raise concerns about major events like the Winter Olympics, set to begin on February 6.
