Russian hackers breached Polish power grid thanks to bad security, report says

The Polish government has reported that Russian government hackers managed to penetrate segments of the country’s energy grid infrastructure, exploiting weak security measures. At the end of last year, suspected Russian government hackers gained access to wind and solar farms as well as a heat-and-power plant. The attackers encountered minimal resistance, as described by Poland’s Computer Emergency Response Team (CERT), which functions under the Ministry of Digital Affairs. According to the detailed technical report released by CERT, the systems targeted by the hackers still used default usernames and passwords. Moreover, they did not use multi-factor authentication. These two fundamental security oversights are what made the breach possible.
Incident Details and Cybersecurity Report Analysis
The hackers attempted to deploy wiper malware intended to erase and disable the energy systems. Their apparent objective may have been to disrupt power, but this remains uncertain. In terms of the attack’s timeline, the breach was intercepted at the heat-and-power plant, but the malware successfully took the wind and solar farm systems offline. These farms lost the capacity to monitor and control their grid functions, rendering them partially inoperative. The nature of the attacks was described as purely destructive; the CERT report drew an analogy to physical arson, emphasizing the deliberate intent to cause harm.
Despite their efforts, the hackers did not manage to interrupt the power at any of their intended targets. The report further highlighted that even if the attack had been successful, the overall stability of the Polish power system would have remained intact during that period. This provides some reassurance about the resilience of the country’s main energy infrastructure.
Investigation Findings and Attribution
Additionally, independent cybersecurity organizations such as ESET and Dragos published their own analyses of the incident, which occurred on December 29 of the previous year. Both firms attributed the attack to the infamous Sandworm group, known for disrupting energy infrastructure in Ukraine multiple times, including large-scale blackouts in 2015, 2016, and 2022. Sandworm’s established history in this field made it a primary suspect. For more information, refer to the ESET and Dragos reports.
Contrary to these findings, Poland’s CERT accused a different Russian hacking collective: Berserk Bear, which is also known as Dragonfly. Traditionally, Berserk Bear has focused on cyberespionage rather than destructive activities, as documented in the MITRE ATT&CK® knowledge base. This attribution marks a departure from the group’s previously observed behaviour, raising concerns about evolving cyber threats targeting national critical infrastructure.
Tags: cyber attacks, Russian hackers, energy security, Poland, Berserk Bear, critical infrastructure
