Illustration by iStock, Security Management

PM Confirms Poland Stopped Major Cyberattack Targeting its Energy Grid in December 2025

Poland thwarted a significant cyberattack targeting the nation’s energy grid as 2025 ended, warding off a blackout that could have affected hundreds of thousands of people.

Polish Prime Minister Donald Tusk said in a news briefing this week that the country defended itself against the destabilization attempts that targeted two combined heat and power plants in the last days of December 2025. The defensive posture was effective, preventing the attack from cutting off heat for nearly 500,000 people, according to original reporting from Onet (translated into English with Google Translate).

Tusk did not provide hard evidence but said Russia’s intelligence services may have been involved in the attack.

“This has a Ukraine-related context, because we have energy exchange,” Tusk said. “We sell electricity there, and in critical situations, we sometimes receive it from them. The energy infrastructure in Ukraine is under enormous pressure. We must take all of this very seriously. This is not just about energy security, but also about national security.”

The hackers behind the attack focused on the communications between renewable energy installations and electricity distribution operators in Poland, according to The Record. Energy Minister Miłosz Motyka explained that the hackers initially targeted large power plants and transmission networks, then moved their focus to several small sources of power.

“We have not seen this type of attack before, but we should expect it to happen again,” Motyka said.

Russian cyberattacks have targeted Poland’s infrastructure since at least 2022 when Russia invaded Ukraine. Poland is a crucial ally to Ukraine, providing shelter to refugees, extensive military assistance, and a logistics hub for Western aid to move into Ukraine.

Poland also modernized an energy line to Ukraine’s Khmelnitsky nuclear power station, among other investments, to export 144 GWh of electricity to Ukraine as of January 2025, S&P Global reports.

Connections like this have been vital for Ukraine because Russia has heavily targeted Ukraine's energy supplies since the outbreak of the war. Currently, Kyiv is experiencing major power outages caused by Russian drone and missile strikes that have cut off heat to Ukraine’s capital.

“Just as Kyiv has entered a deep winter freeze, Russia has intensified a campaign to knock out the city’s heating and electrical infrastructure,” according to The New York Times. “The attacks are intended to dent the population’s morale and pressure the government to make concessions in peace talks brokered by the Trump administration.”

Historical Context

The pressure on energy systems comes just after the 10-year anniversary of the Stuxnet attack, a major 2015 Russian cyberattack that shut down part of Ukraine’s power grid and affected 250,000 people. The December 2015 incident was closely followed by a similar attack in 2016 with similar ramifications.

In a report reflecting on the anniversary of the attacks, operational technology (OT) cybersecurity firm Dragos assessed that the groups behind the 2015 and 2016 attacks—called KAMACITE and ELECTRUM—continue to conduct scanning activity against industrial devices in the United States.

“The observed scanning activity suggests an effort to identify exposed or weakly protected assets outside of Ukraine, where both KAMACITE and ELECTRUM have focused much of their effort for the past three years,” according to the report. “While scanning alone does not indicate imminent OT impact, its occurrence within U.S.-based industrial environments highlights the broadening of target considerations and reinforces that KAMACITE’s access operations are not confined to a single region or operational context.”

Next Steps for Security Practitioners

Reuters reports that of the 170,000 cyber incidents identified in the first three quarters of 2025, a “significant portion was attributed to Russian actors.”

Meanwhile, a recent survey of IT and OT professionals at energy, oil, and gas companies found that 70 percent of respondents are concerned that a successful cyberattack could cause a catastrophic failure at their organization—including an explosion.

“With widespread recognition of the physical threat cyberattacks present against the energy and oil and gas industry, 97 percent are concerned that attacks could cause operational shutdowns, and 96 percent believe they could impact the safety of their employees,” betanews reports.

To mitigate these risks, cybersecurity experts from Australia, Canada, Germany, New Zealand, the Netherlands, the United Kingdom, and the United States released guidance this week about designing, securing, and managing connectivity in OT.

“Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” the guidance explained. “This activity includes state-sponsored actors actively targeting critical national infrastructure networks (CNI). The threat is not just limited to state-sponsored actors with recent incidents showing how exposed OT infrastructure is opportunistically targeted by hacktivists. Strengthening the cybersecurity of CNI, including securing OT connections, can challenge attackers’ efforts and raise the threshold necessary to cause physical harm, environmental impact, and disruption.”

The guidance lays out eight main principles that owners and operators should follow to secure both new and existing OT systems:

  1. Balance the risks and opportunities
  2. Limit the exposure of your connectivity
  3. Centralize and standardize network connections
  4. Use standardized and secure protocols
  5. Harden your OT boundary
  6. Limit the impact of compromise
  7. Ensure all connectivity is logged and monitored
  8. Establish an isolation plan

The new guidance is designed to work with recommendations released by the same partners in 2025 about gaining visibility into OT networks, according to a blog post from the UK’s National Cyber Security Centre.

“Just as the guidance on creating and maintaining a definitive view of OT architecture aimed to give you the visibility to inform decisions, the new secure connectivity principles aim to help you take actions,” the NCSC said. “By systematically applying these principles to all connections—whether new, revised, or existing—you can reduce your attack surface, improve incident response options, and maintain the trust and safety of your operations.”