Poland Reports Sharp Rise in Russian Cyberattacks as AI Tools Threaten to Intensify the Campaign
Poland is experiencing a sharp rise in state-linked cyberattacks primarily sourced from Russia, with officials warning that the spread of advanced AI tools will intensify the threat — following a December 2025 power grid attack that came within hours of a nationwide blackout.
WARSAW, POLAND — Poland is facing a documented escalation in Russian-linked cyber operations, with the country's deputy digitalization minister warning publicly that the threat is growing and AI tools are accelerating adversary capability. In an interview with Bloomberg published April 28, Pawel Olszewski stated that the bulk of attacks targeting Poland are sourced from Russia and that the government expects the situation to worsen as more advanced AI tools become widely accessible to threat actors.
The disclosure follows the most serious cyber incident Poland has faced in years: a December 29, 2025 attack on the country's power grid that brought the country to within hours of a large-scale blackout that would have left up to 500,000 people without heating during freezing winter temperatures. Attribution for the attack has since been linked to an FSB-linked cluster — not the GRU-associated Sandworm group — a finding that carries significant implications for how Russia's offensive cyber posture is evolving.
What Happened
The December 2025 Power Grid Attack
The attack on December 29, 2025 was not a sudden strike — investigators traced adversary access inside targeted networks back to at least March 2025, nearly nine months before the active disruption attempt. During that period, threat actors silently conducted reconnaissance: capturing screenshots of industrial systems, exporting lists of running processes, and mapping the communications infrastructure between renewable energy installations and electricity distribution operators.
On December 29, attackers struck two combined heat and power plants and multiple wind and solar farms simultaneously — the first time Poland had experienced coordinated multi-site attacks of this kind. Digital Affairs Minister Krzysztof Gawkowski confirmed the attack came very close to a blackout and described it as a coordinated operation intended to deliberately cut off power to Polish citizens. Poland's grid operator and cybersecurity services detected and repelled the attack before physical disruption occurred.
CERT Polska subsequently traced the attack infrastructure to the cluster known as Static Tundra, Berserk Bear, Ghost Blizzard, or Dragonfly — an ecosystem widely associated with Russia's FSB, the domestic security service, rather than with Sandworm, which is linked to the GRU military intelligence directorate.
The AI Threat Escalation Warning
Olszewski's April 28 warning that AI tools will intensify the cyberattack threat to Poland reflects a concern security agencies across NATO are tracking simultaneously. More capable AI tools lower the technical floor for adversary operations — automating reconnaissance, accelerating vulnerability exploitation, and enabling more convincing social engineering at scale. Poland's position as a frontline NATO state makes it both an early indicator of what AI-augmented hybrid warfare looks like in practice and a high-priority target as those capabilities develop.
Scope and Impact
Poland reported approximately 170,000 cyber incidents in the first three quarters of 2025 alone. Microsoft's 2025 Digital Defense Report ranks Poland as the third most-targeted country in Europe for politically motivated cyberattacks, behind only Ukraine and the UK. ESET's H2 2025 threat report places Poland third globally for ransomware attacks and second for malicious email threats.
The geopolitical context amplifies every metric: Poland is a NATO member sharing borders with Russia's Kaliningrad exclave and Russian-allied Belarus; it is the primary logistics corridor for military and humanitarian aid to Ukraine; and it has been one of the most vocal European critics of Russian territorial aggression. Deputy PM Gawkowski has stated that Poland is the most cyberattacked country in the EU.
Response and Attribution
Poland successfully repelled the December grid attack before physical disruption occurred. Prime Minister Donald Tusk praised the country's intelligence services and urged parliament to fast-track new cybersecurity legislation. The government has announced investments in infrastructure safeguards, system modernization, and regulatory strengthening, with a focus on the energy sector.
The FSB attribution — specifically to the Static Tundra cluster rather than Sandworm — was reached through infrastructure analysis, with CERT Polska tracing compromised servers, anonymizing nodes, and network devices to an activity pattern consistent with FSB-associated operations. If the attribution holds, it represents a significant expansion of FSB operational mandate into the physical disruption space previously dominated by the GRU.
The CyberSignal Analysis
Signal 01 — The FSB Is Expanding Into Sabotage
Russia's cyber offensive architecture has historically divided along institutional lines: the GRU's Sandworm unit conducts destructive operations, while FSB-linked clusters focus on persistent intelligence collection. The attribution of the December grid attack to an FSB-associated cluster suggests those lines are blurring. If accurate, this represents a significant escalation — with the FSB now demonstrating willingness to conduct physical-disruption operations against critical infrastructure beyond its traditional intelligence mandate.
Signal 02 — Nine Months of Pre-Positioning Is the Real Story
The aspect of the December attack that deserves the most attention is not the attack itself — it is the nine months of silent pre-positioning that preceded it. Adversaries were inside targeted networks from March 2025, conducting reconnaissance and mapping the operational environment, before striking on December 29. A dwell time of that length reflects a level of operational patience, and a low-and-slow activity profile, that passive monitoring and perimeter-focused defenses cannot catch. Detecting this kind of pre-positioning requires behavioral analytics, OT-specific monitoring, and a baseline understanding of what normal looks like inside industrial network environments.
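To make the baseline point concrete, here is an added illustration (not code from CERT Polska, the grid operator, or this article) of the simplest form of behavioral baselining for an OT network: learn which (source, destination, port) flows are normal during a quiet window, then flag both never-before-seen peers and a host that suddenly reaches far more destinations in a day than it ever did before, which is the signature of the mapping activity the article describes. Hostnames and flow records are constructed for the example; ports 502 (Modbus) and 2404 (IEC 60870-5-104) are standard OT protocol ports.

```python
from collections import defaultdict

# Constructed sample flow logs: (day, src_host, dst_host, dst_port).
# Days 1-3 form a quiet baseline window; day 40 contains a burst in which
# the engineering workstation reaches out to many new peers (hostnames are
# hypothetical, not from any real incident).
BASELINE_FLOWS = [
    (1, "eng-ws01", "plc-chp1", 502),
    (1, "hmi-chp1", "plc-chp1", 502),
    (1, "scada-gw", "hist01", 1433),
    (2, "eng-ws01", "plc-chp1", 502),
    (2, "hmi-chp1", "plc-chp1", 502),
    (2, "scada-gw", "hist01", 1433),
    (3, "eng-ws01", "plc-chp1", 502),
    (3, "scada-gw", "hist01", 1433),
]
LATER_FLOWS = [
    (40, "eng-ws01", "plc-chp1", 502),    # normal, in baseline
    (40, "eng-ws01", "plc-wind1", 502),   # new peer
    (40, "eng-ws01", "plc-wind2", 502),   # new peer
    (40, "eng-ws01", "plc-solar1", 502),  # new peer
    (40, "eng-ws01", "dso-link", 2404),   # new IEC-104 link toward the distribution operator
    (40, "scada-gw", "hist01", 1433),     # normal, in baseline
]

def build_baseline(flows):
    """Learn the set of normal (src, dst, port) tuples and, per source host,
    the largest number of distinct destinations seen on any single day."""
    known = set()
    per_day = defaultdict(set)
    for day, src, dst, port in flows:
        known.add((src, dst, port))
        per_day[(day, src)].add(dst)
    max_fanout = defaultdict(int)
    for (day, src), dsts in per_day.items():
        max_fanout[src] = max(max_fanout[src], len(dsts))
    return known, max_fanout

def detect(flows, baseline, fanout_factor=2):
    """Return flows to peers never seen in the baseline, and (day, host, count)
    entries where a host's daily fan-out exceeds fanout_factor x its baseline max.
    A host absent from the baseline has a max of 0, so any fan-out is flagged."""
    known, max_fanout = baseline
    new_pairs = sorted({(s, d, p) for _, s, d, p in flows if (s, d, p) not in known})
    per_day = defaultdict(set)
    for day, src, dst, _ in flows:
        per_day[(day, src)].add(dst)
    mapping_bursts = sorted(
        (day, src, len(dsts)) for (day, src), dsts in per_day.items()
        if len(dsts) > fanout_factor * max_fanout.get(src, 0))
    return {"new_pairs": new_pairs, "mapping_bursts": mapping_bursts}
```

In a real deployment the baseline would be learned from weeks of passive OT traffic capture and keyed on more than host and port (function codes, polling cadence, asset role), but the logic of comparing against a learned normal rather than a signature is the same.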
Signal 03 — NATO's Eastern Flank Is a Live Intelligence Feed
Poland's incident catalog over the past 18 months functions as a forward intelligence feed for every NATO member with exposure to Russian hybrid operations. Organizations and governments providing support to Ukraine, operating near Russia's sphere of influence, or operating critical infrastructure in sectors Russia has targeted in Poland should be treating Poland's experience as their own threat model. See also: our explainer on nation-state cyberattacks.