Russian hackers breached Polish power grid thanks to bad security, report says
Russian state-linked hackers breached parts of Poland’s power grid by exploiting weak security controls, according to a technical report released by the Polish government.
The Polish government has disclosed that hackers linked to the Russian government gained access to parts of the country's energy infrastructure by exploiting weak security practices.
On Friday, Poland's Computer Emergency Response Team (CERT), which operates under the Ministry of Digital Affairs, published a technical report detailing a cyber incident that took place toward the end of last year. According to the report, suspected Russian state-backed hackers infiltrated systems at wind farms, solar farms, and a combined heat-and-power plant.
The findings suggest the attackers encountered little resistance. The compromised systems were reportedly running with default usernames and passwords and lacked multi-factor authentication — basic security protections that were not in place at the time of the breach.
After gaining access, the hackers attempted to deploy wiper malware designed to erase data and render systems unusable. The report notes that the malware appeared to be intended to destroy the affected systems, potentially as a precursor to disrupting power operations, though the attackers' ultimate objective remains unclear.
The attempted attacks were stopped at the heat-and-power plant, preventing damage there. However, the malware was successfully deployed at wind and solar farms, rendering the grid's monitoring and control systems inoperable.
"All of the attacks were purely destructive in nature — by analogy to the physical world, they can be compared to deliberate acts of arson," the report stated.
Despite the intrusions, the attackers failed to cause any power outages at the targeted facilities. The report further concluded that even if the attacks had succeeded, they "would not have affected the stability of the Polish power system during the period in question."
Cybersecurity companies ESET and Dragos had previously released their own analyses of the incident that occurred on December 29 last year. Those reports attributed the attacks to Sandworm, a well-known Russian government-linked hacking group with a history of targeting energy infrastructure in Ukraine, including successful power disruptions in 2015, 2016, and 2022.
Poland's CERT, however, reached a different conclusion. In its assessment, the agency attributed the attacks to another Russian state-linked group known as Berserk Bear, also referred to as Dragonfly. Unlike Sandworm, Berserk Bear is typically associated with cyberespionage activities rather than overtly destructive operations.