A series of cyber attacks against the Polich electricity grid that unfolded at the end of December 2025 have prompted a fresh warning from the UK’s National Cyber Security Centre (NCSC), alerting British utilities to the dangers of intrusions orchestrated by Russian state threat actors.
The attacks on Poland, which have been attributed to various units of Russia’s state cyber forces operated by the FSB and GRU intelligence agencies, systems enabling the management of electricity generated from renewable sources at multiple facilities, and two combined heat and power plants (CHPs).
Jonathon Ellison, NCAC director for national resilience, said that attacks like the one that unfolded in Poland may sound far-fetched but were far from it.
“Incidents like this speak to the severity of the cyber threat and highlight the necessity of strong cyber defences and resilience,” he said. “Operators of UK critical national infrastructure (CNI) must not only take note but, as we have said before, act now.”
Ellison highlighted various NCSC resources that such organisations can fall back on, including its Cyber Assessment Framework (CAF) – which is designed to help CNI operators and regulators understand and implement measures to improve resilience and can, if applied appropriately, help mitigate such intrusions.
The upcoming Cyber Security and Resilience Bill – which is currently heading to Committee after receiving its Second Reading in the House of Commons – also contains measures designed to strengthen the regulatory framework for CNI operators such as datacentres and utilities, government and public sector bodies, and other organisations considered critical to the functioning of society.
“Prior planning is the key here and we have recently published guidance on how to prepare for and plan your organisation’s response to severe cyber threat, which sets out defensive actions that may be proportionate if the cyber threat to the UK were to increase,” said Ellison.
“But these actions require careful preparation and forethought – they cannot be improvised under pressure.
“Although attacks can still happen, strong resilience and recovery plans reduce both the chances of an attack succeeding and the impact if one does,” he said.
Attacks on Poland rebuffed
The attacks on Poland were almost certainly part of Russia’s growing hybrid war on its European neighbours over their support for Ukraine, and that they happened at all is highly concerning, but it is important to note that they were successfully rebuffed in the moment.
Speaking in mid-January, Polish prime minister Donald Tusk said that there had been no serious impacts to the country’s national grid. “The systems we have in Poland today proved effective,” he said. “At no point was critical infrastructure threatened, meaning the transmission networks and everything that determines the safety of the entire system.
“Everything indicates that these attacks were prepared by groups directly linked to the Russian services,” Tusk told a press conference at the time.
In a report on the incident, Poland’s national Computer Emergency Response Team, CERT Polska, said that those responsible likely broke into the target environments through Fortinet FortiGate devices that were present at each affected facility, where they served as both VPN concentrators and firewalls.
In each case, the team said, the VPN interface had been left exposed to the public internet and enabled authentication to accounts defined in the configuration without multi-factor authentication.
At the renewables facilities targeted, the attackers sought to destroy various operational technology (OT) components, including Hitachi and Mikronika remote terminal unit (RTU) controllers, Hitachi protection and control relays, and Mikronika human machine interface (HMI) computers. At the power plants, they sought to use a wiper malware known as DynoWiper with the intent of irreversibly destroying vital data.
CERT Polska said that with the benefit of hindsight, it was clear that in the case of the CHPs, the hackers had gained access to the targeted systems in order to conduct reconnaissance and establish persistence as early as March of 2025.
The Poles believe that the attacks likely originated from a cluster of threat activity known to Microsoft as Ghost Blizzard (aka Beserk Bear and Static Tundra) based on an analysis of the attacker controlled infrastructure.
The presence of the DynoWiper malware, however, additionally raises the possibility of a link back to the Sandworm group, which infamously used multiple similar tools during the early months of the Ukraine war in 2022.
