In December 2025, Poland became the scene of one of the most significant episodes of modern cyber warfare in Europe. A series of highly sophisticated digital attacks targeted the country’s energy infrastructure, including power plants, industrial facilities, and combined heat and power generation systems. Although the attacks did not succeed in causing massive blackouts or widespread supply disruptions, their scope, complexity, and timing raised alarms at both the national and international levels.
The incident clearly demonstrated the extent to which the critical infrastructures of modern states have become priority targets within contemporary geopolitical conflicts. In a context marked by persistent tensions between Russia and the countries of the European Union, the attack was interpreted by numerous analysts as a clear manifestation of so-called “hybrid warfare,” a strategy that combines conventional military tools with cyber operations, disinformation, and economic pressure.
The context of the attack: Winter, energy, and vulnerability
The attacks took place during the last week of December 2025, in the middle of the European winter. They coincided with a period of low temperatures in Poland, when demand for electricity and heating is at its highest. Any disruption to the energy supply would therefore have amplified the social, economic, and political consequences of the operation.
Polish authorities confirmed that the attackers sought to infiltrate strategic systems: renewable energy facilities such as wind and solar farms, industrial plants, and a large combined heat and power plant. Had the operation succeeded, it could have affected hundreds of thousands of people, which reinforced the view that it was neither isolated nor accidental. Its objective did not appear to be limited to espionage; it was clearly aimed at the destruction of essential digital systems.
This set the campaign apart from most financially motivated intrusions. Rather than encrypting data for ransom, the attackers deployed wiper malware, software whose purpose is to erase data irreversibly. Where it ran, it rendered critical servers and workstations unusable, confirming that the intended impact was direct, lasting, and destructive.

Destructive malware and how it works
Technical analysis after the incident confirmed the use of destructive malware: tools built to delete essential files from the operating system and from the applications that control industrial infrastructure. The distinction from ransomware matters for responders. Ransomware encrypts data and offers a decryption key in exchange for payment; a wiper destroys data and offers no path to recovery. A ransom note on screen is therefore no guarantee that data can be recovered, since some wipers display one as cover while holding no usable key.
In the Polish case, the malware had been adapted to industrial environments and control systems. That adaptation reflects detailed knowledge of the technologies used in the energy sector and shows the operation was not improvised: those responsible appear to have understood the internal network architecture and the protocols that operate power plants and distribution systems.
This degree of specialization argues against a common criminal group. It points instead to an entity with extensive technical resources, planning capacity, and access to detailed intelligence about the targets, characteristics usually associated with state-sponsored actors.
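Wipers and ransomware differ in outcome, but at the file-system layer both look like one process destroying many files in a short time, which is what endpoint detection can catch early enough to isolate a host. The following Python script is an added example, not code from the original article, from the Polish incident, or from any vendor: it runs a burst heuristic and a critical-path rule over constructed telemetry. The log format ("ISO-time host pid process action path"), the thresholds, the process names, and the list of critical paths are all assumptions chosen for illustration.

```python
"""Heuristic wiper-behaviour detector over constructed endpoint file-event telemetry.

Added example; not from the original page or the incident. Log format, thresholds
and the critical-path list are assumptions for illustration.
"""
import posixpath
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

DESTRUCTIVE = {"delete", "overwrite", "rename"}  # actions that remove or replace content
BURST_THRESHOLD = 20                 # distinct files per process inside the window
BURST_WINDOW = timedelta(seconds=10)
MIN_DIRS = 3                         # a burst must span several directories, not one log dir
CRITICAL_PREFIXES = ("/dev/sd", "/boot/", "/opt/scada/project/")  # assumed plant layout


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    pid: int
    proc: str
    action: str
    path: str


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    pid: int
    proc: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the assumed telemetry format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, pid, proc, action, path = line.split(" ", 5)
        events.append(Event(datetime.fromisoformat(ts), host, int(pid), proc, action, path))
    return events


def detect(events: list[Event]) -> list[Alert]:
    """Flag (a) a destructive burst across many files and directories by one process,
    once per process, and (b) any destructive action on a critical path."""
    alerts: list[Alert] = []
    recent: dict[tuple, deque] = defaultdict(deque)  # (host, pid, proc) -> (ts, path) in window
    burst_flagged: set[tuple] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in DESTRUCTIVE:
            continue
        key = (ev.host, ev.pid, ev.proc)
        if ev.path.startswith(CRITICAL_PREFIXES):
            alerts.append(Alert("critical_path", *key, f"{ev.action} {ev.path}"))
        window = recent[key]
        window.append((ev.ts, ev.path))
        while window and ev.ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if key in burst_flagged:
            continue
        paths = {p for _, p in window}
        dirs = {posixpath.dirname(p) for p in paths}
        if len(paths) >= BURST_THRESHOLD and len(dirs) >= MIN_DIRS:
            burst_flagged.add(key)
            alerts.append(Alert("destructive_burst", *key,
                                f"{len(paths)} files in {len(dirs)} dirs within {BURST_WINDOW.seconds}s"))
    return alerts


# Constructed benign telemetry: an HMI trend viewer rewriting its own CSV, and a log
# rotation job deleting five old logs in a single directory (below both thresholds).
BENIGN_EVENTS = """\
2025-12-29T03:14:01 hmi-01 4120 scada_viewer write /opt/scada/trends/2025-12-29.csv
2025-12-29T03:14:05 hmi-01 4120 scada_viewer write /opt/scada/trends/2025-12-29.csv
2025-12-29T03:14:10 hmi-01 2210 logrotate delete /var/log/hmi/hmi.log.7
2025-12-29T03:14:10 hmi-01 2210 logrotate delete /var/log/hmi/hmi.log.6
2025-12-29T03:14:10 hmi-01 2210 logrotate delete /var/log/hmi/hmi.log.5
2025-12-29T03:14:11 hmi-01 2210 logrotate delete /var/log/hmi/hmi.log.4
2025-12-29T03:14:11 hmi-01 2210 logrotate delete /var/log/hmi/hmi.log.3
"""


def _constructed_wiper_burst() -> str:
    """Constructed malicious telemetry: one process overwrites 24 files in three
    directories within about four seconds, then overwrites the raw disk device."""
    base = datetime(2025, 12, 29, 3, 15, 0)
    lines, i = [], 0
    for d in ("/opt/scada/hist", "/var/lib/hmi", "/etc/hmi"):
        for n in range(8):
            ts = (base + timedelta(milliseconds=150 * i)).isoformat()
            lines.append(f"{ts} hmi-01 5531 upd_helper overwrite {d}/file{n:02d}.dat")
            i += 1
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} hmi-01 5531 upd_helper overwrite /dev/sda")
    return "\n".join(lines)


SAMPLE_EVENTS = BENIGN_EVENTS + _constructed_wiper_burst()

if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.rule}] {a.host} pid={a.pid} {a.proc}: {a.detail}")
```

Run against the constructed sample, the detector raises one destructive_burst alert for upd_helper as soon as it has touched 20 distinct files in three directories, and one critical_path alert for the write to /dev/sda; the log-rotation deletes stay silent because they hit one directory and five files. The rule makes no attempt to distinguish a wiper from ransomware, which is deliberate: the containment action (isolate the host) is the same, and waiting to classify the payload costs the very seconds that keep the damage local.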
Possible attribution: Russian military intelligence
After weeks of investigation, cybersecurity experts and Polish authorities reported that the attack closely resembled previous operations attributed to groups linked to Russian military intelligence. The technical patterns, tooling, and intrusion methods matched those historically used by the unit known in the security community as Sandworm.
Sandworm has been linked to multiple attacks on critical infrastructure in Eastern Europe, above all in Ukraine. Its operations against the Ukrainian grid in December 2015 and December 2016 caused power outages affecting hundreds of thousands of people, setting the precedent for cyber operations that cause real physical disruption.
The attack on Poland came almost a decade later and was read by many analysts as a sign of strategic continuity. Definitive attribution in cyberspace is difficult and can rarely be established with absolute certainty, but the technical and contextual indicators in this case consistently pointed to actors linked to the Russian intelligence apparatus.
Some reports also suggested the involvement of other Russian security agencies, prompting debate over whether this was a joint operation or a series of parallel campaigns within the country's intelligence structure. Either way, the general consensus was that an operation of this magnitude would not have been possible without state backing.
The response of the Polish authorities
The Polish government reacted quickly once the intrusion was detected. Monitoring and incident response processes made it possible to isolate compromised equipment before the malware could spread further. As a result, a collapse of the energy system was avoided, and no large-scale blackouts or prolonged supply interruptions were recorded.
The Minister of Energy described it as the most serious attack on the country's energy infrastructure in recent years, while stressing that prior preparation and investment in cybersecurity had been decisive in limiting its impact. According to the authorities, the incident served as a real-world test of defensive mechanisms built for exactly this scenario.
The Prime Minister convened emergency meetings with officials responsible for national security, energy, and digitalization, and announced an immediate strengthening of protections for critical infrastructure. Measures adopted included additional audits, reinforcement of incident response teams, and closer coordination between civilian and military bodies.
Poland on the European geopolitical chessboard
Poland's position in the European geopolitical context is key to understanding the attack's significance. Since the start of the conflict in Ukraine in 2022, the country has been one of Kyiv's main allies, providing political, logistical, and military support, and it has been one of the most critical voices within the European Union toward Russian foreign policy. Many analysts interpret the attack as an indirect response to that stance.
That stance places Poland in a particularly exposed position within the Kremlin's pressure strategy. For many analysts, the December 2025 attack fits a broader pattern of operations aimed at deterring, intimidating, or destabilizing states considered hostile to Russian interests: not an isolated event, but one step in a sequence with a clear strategic rationale.
In this sense, the attack was a political message as much as a technical action. By demonstrating the ability to reach critical systems, those responsible signal both capability and warning. Even where the final impact is limited, the mere possibility of a blackout in midwinter is enough to unsettle the population and the markets.

International repercussions and concern in the European Union
The incident echoed immediately across Europe. Governments and security agencies voiced concern about comparable attacks on similar infrastructure in their own territories, and several states announced urgent reviews of their cyber strategies and of their protocols for protecting critical infrastructure.
The European Union, which had already identified cybersecurity as a strategic priority, intensified cooperation among Member States. Information sharing, joint exercises, and common standards were considered essential to respond in a coordinated way to threats that do not respect national borders.
The attack also reinforced NATO's role in cyber defense. Although the alliance has traditionally focused on conventional military defense, it has recognized cyberspace as a domain of operations since 2016. The Polish case offered a concrete example of how a digital attack can have direct implications for collective security.
The evolution of cyber warfare
The attack on Poland's energy infrastructure illustrates the evolution of cyber warfare in the twenty-first century. Early operations focused mainly on espionage and information gathering, with sabotage the exception. Today, destructive operations against essential services are a practical option for capable actors, and this incident highlights that change of scale.
Industrial and energy systems were in many cases designed when connectivity to outside networks was not a consideration, and those designs leave structural weaknesses for attackers to exploit: many field protocols, for example, carry no authentication, so anyone who can reach the right network segment can issue commands. Significant progress has been made in protecting these systems, but the complexity and age of some components continue to give sophisticated actors an advantage.
Growing digitalization and automation of critical processes has expanded the attack surface. Each new sensor, controller, or remote connection is a potential entry point if it is not properly inventoried and managed.
The importance of resilience and preparedness
One of the main lessons of the incident is the importance of resilience. Preventing every intrusion is practically impossible; the ability to detect an intrusion, contain it, and recover from it is what separates a limited incident from a national crisis.
Backups, redundant systems, and contingency plans are key to limiting the damage. In December 2025, the existence of clear protocols allowed a rapid response and averted far more serious consequences. Against a wiper in particular, backups only help if they are kept where the malware cannot reach them and if their integrity can be verified before a restore is attempted.
The human factor remains crucial. Staff training, awareness of the risks, and coordination between levels of government and the private sector are indispensable for an effective defense.
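The following Python script is an added example, not code from the original article or from the Polish operators, of the integrity check described above: it builds a SHA-256 manifest of a known-good backup copy, seals the manifest with an HMAC whose key is assumed to live on media the production network cannot reach, and then verifies a second copy that has been damaged the way a wiper would damage it. Directory names, file contents, and the key are constructed for the demonstration.

```python
"""Offline backup integrity check: hashed manifest sealed with an HMAC.

Added example; not from the original page. The directory layout, file contents and
the HMAC key are constructed. The key is assumed to be stored offline so that an
attacker who can rewrite the backup cannot also rewrite a matching manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large historian databases need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    """Serialize the manifest canonically and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def open_manifest(sealed: bytes, key: bytes) -> dict[str, str]:
    """Return the manifest only if its HMAC verifies; otherwise refuse to trust it."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: the manifest itself has been altered")
    return doc["manifest"]


def verify_copy(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup copy against a trusted manifest: missing, modified and unexpected files."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: seal a manifest for a good copy, damage a second copy as a
    wiper would (zero one file, delete another, drop a new one), verify both."""
    key = b"constructed-offline-key"  # assumption: in practice kept off the production network
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "backup_good"), Path(tmp, "backup_damaged")
        for root in (good, bad):
            (root / "config").mkdir(parents=True)
            (root / "config" / "plant.prj").write_bytes(b"constructed PLC program v17")
            (root / "config" / "tags.csv").write_text("tag,addr\nP1,40001\n")
            (root / "hist.db").write_bytes(b"\x00" * 4096 + b"constructed historian rows")
        sealed = seal_manifest(build_manifest(good), key)
        # Simulated wiper activity on the damaged copy only.
        (bad / "hist.db").write_bytes(b"\x00" * 4096)   # content overwritten with zeros
        (bad / "config" / "tags.csv").unlink()           # file deleted
        (bad / "dropped.bin").write_bytes(b"")           # attacker-dropped file
        manifest = open_manifest(sealed, key)
        return verify_copy(good, manifest), verify_copy(bad, manifest)


if __name__ == "__main__":
    clean, damaged = demo()
    print("good copy:", clean)
    print("damaged copy:", damaged)
```

The check is deliberately split in two: the manifest's HMAC answers "can I trust this list at all?" and the per-file comparison answers "which files differ?". Without the first step, a wiper with write access to the backup share could zero the data and regenerate a manifest that matches, and the restore would look clean until the plant failed to start.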
Cybersecurity as an element of foreign policy
The incident also shows how cybersecurity has become a direct extension of foreign policy. Cyber operations can exert political pressure without crossing the threshold of traditional armed conflict, which complicates any diplomatic or legal response.
Unlike a conventional military attack, a cyber operation offers the aggressor a greater degree of plausible deniability. That ambiguity makes clear sanctions or reprisals harder to justify, which in turn may encourage continued use.
States are therefore forced to redefine deterrence, defense, and sovereignty for an environment in which attacks can be invisible, instantaneous, and global.

The attack on Poland's energy infrastructure in December 2025 marks a turning point in how digital security is perceived in Europe. Although the country contained the intrusion and avoided greater damage, the incident exposed the inherent vulnerability of critical systems to a well-planned operation and demonstrated the determination of state actors to treat cyberspace as a strategic battlefield.
The possible involvement of Russian intelligence services underscores the geopolitical dimension and confirms that modern warfare is no longer limited to traditional fronts. In an increasingly interconnected world, a cyberattack can have consequences comparable to those of conventional military action. Cyber defense therefore becomes inseparable from national defense, international stability, and the protection of essential infrastructure.
The Polish case is both a warning and a lesson. It warns of the real risks of cyber warfare, but it also shows that preparation, cooperation, and resilience can limit the impact of an attack. In this context, having specialized partners is key: ITD Consulting offers advanced cybersecurity services to help organizations prevent, detect, and respond to cyberattacks. If you wish to strengthen the protection of your systems, you can contact us by writing to [email protected].