Russia’s cyberattacks on Polish utilities prompt NCSC warning
A series of cyberattacks against the Polish electricity grid that unfolded at the end of December 2025 has prompted a fresh warning from the UK’s National Cyber Security Centre (NCSC), alerting British utilities to the dangers of intrusions orchestrated by Russian state threat actors.
The attacks on Poland, which have been attributed to various units of Russia’s state cyber forces operated by the FSB and GRU intelligence agencies, targeted systems enabling the management of electricity generated from renewable sources at a number of facilities, and two combined heat and power plants (CHPs).
Jonathon Ellison, NCSC director for national resilience, said that attacks like the one that unfolded in Poland might sound far-fetched but were far from it.
“Incidents like this speak to the severity of the cyber threat and highlight the necessity of strong cyber defences and resilience,” he said. “Operators of UK critical national infrastructure (CNI) must not only take note but, as we’ve said before, act now.”
Ellison highlighted various NCSC resources that such organisations can fall back on, including its Cyber Assessment Framework (CAF) – which is designed to help CNI operators and regulators understand and implement measures to improve resilience and can, if applied correctly, help mitigate such intrusions.
The upcoming Cyber Security and Resilience Bill – which is currently heading to Committee stage after receiving its Second Reading in the House of Commons – also contains measures designed to strengthen the regulatory framework for CNI operators such as datacentres and utilities, government and public sector bodies, and other organisations considered critical to the functioning of society.
“Prior planning is the key here and we have recently published guidance on how to prepare for and plan your organisation’s response to heightened cyber threat, which sets out defensive actions that may be proportionate if the cyber threat to the UK were to increase,” said Ellison.
“But these actions require careful preparation and forethought – they cannot be improvised under pressure.
“Although attacks can still happen, strong resilience and recovery plans reduce both the chances of an attack succeeding and the impact if one does,” he said.
Attacks on Poland rebuffed
The attacks on Poland were almost certainly part of Russia’s growing hybrid warfare against its European neighbours over their support for Ukraine, and that they happened at all is highly concerning, but it is important to note that they were successfully rebuffed in the moment.
Speaking in mid-January, Polish prime minister Donald Tusk said that there had been no serious impact on the country’s national grid. “The systems we have in Poland today proved effective,” he said. “At no point was critical infrastructure threatened, meaning the transmission networks and everything that determines the safety of the entire system.
“Everything indicates that these attacks were prepared by groups directly linked to the Russian services,” Tusk told a press conference at the time.
In a report on the incident, Poland’s national Computer Emergency Response Team, CERT Polska, said that those responsible likely broke into the target environments via Fortinet FortiGate devices that were present at each affected facility, where they served as both VPN concentrators and firewalls.
In each case, the team said, the VPN interface had been left exposed to the public internet and allowed authentication to accounts defined in the configuration without multi-factor authentication.
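The two weaknesses CERT Polska describes above (an SSL-VPN portal reachable from the internet, and local accounts that can log in with a password alone) are both visible in a firewall’s configuration export, so they can be checked before an intrusion rather than reconstructed after one. The following Python audit script is an added example, not CERT Polska’s, Fortinet’s or the article’s own code: the configuration text it parses is constructed for illustration, the block layout and keywords (`config`/`edit`/`set`, `two-factor`, `source-interface`, interface `role`) are assumed to resemble the FortiOS CLI rather than taken from a real export, and the interface and account names are made up. It prints the findings for the weak configuration and confirms that a corrected variant of the same file produces none.

```python
"""Audit a FortiOS-style config export for an internet-facing SSL-VPN portal
and local accounts without a second factor.

Added example, not CERT Polska's or Fortinet's code. The config below is
constructed; the 'config ... edit ... set ... next ... end' layout and the
'two-factor', 'source-interface' and 'role' keywords are assumed to resemble
the FortiOS CLI. Only flat (non-nested) sections are handled.
"""

# Constructed sample reflecting the weak setup: SSL-VPN bound to the WAN
# interface and two local accounts with no second factor.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
    next
    edit "internal"
        set role lan
    next
end
config vpn ssl settings
    set source-interface "wan1" "internal"
    set source-address "all"
end
config user local
    edit "ot-admin"
        set type password
        set two-factor disable
    next
    edit "vendor-remote"
        set type password
    next
    edit "scada-ops"
        set type password
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
    next
end
"""

# Corrected variant of the same file: VPN only on the internal interface and
# every local account requires a token (constructed, same assumed syntax).
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace('set source-interface "wan1" "internal"', 'set source-interface "internal"')
    .replace("set two-factor disable", "set two-factor fortitoken")
    .replace('edit "vendor-remote"\n        set type password\n',
             'edit "vendor-remote"\n        set type password\n'
             '        set two-factor fortitoken\n')
)


def parse_blocks(text):
    """Return {section: {entry: {key: [values]}}}. Settings that appear
    directly under 'config X' (no 'edit') are stored under '_global'."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
            entry = "_global"
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line.startswith("set ") and section is not None:
            key, *values = line[len("set "):].split()
            sections[section].setdefault(entry, {})[key] = [v.strip('"') for v in values]
        elif line == "next":
            entry = "_global"
        elif line == "end":
            section, entry = None, None
    return sections


def wan_interfaces(cfg):
    """Interfaces marked with role 'wan' (assumed to mean internet-facing)."""
    return {name for name, attrs in cfg.get("system interface", {}).items()
            if attrs.get("role") == ["wan"]}


def audit(text):
    """Return (code, object, message) findings for the two weaknesses."""
    cfg = parse_blocks(text)
    findings = []
    ssl = cfg.get("vpn ssl settings", {}).get("_global", {})
    for iface in ssl.get("source-interface", []):
        if iface in wan_interfaces(cfg):
            findings.append(("EXPOSED_VPN", iface, "SSL-VPN listens on an internet-facing interface"))
    for user, attrs in cfg.get("user local", {}).items():
        if user == "_global":
            continue
        # A missing 'two-factor' line is treated as disabled (assumed default).
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("NO_MFA", user, "local account can authenticate with a password only"))
    return findings


if __name__ == "__main__":
    for code, obj, msg in audit(SAMPLE_CONFIG):
        print(f"{code:12} {obj:15} {msg}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run against a real export, the same two checks would need the parser extended for nested `config` blocks and for accounts sourced from LDAP or RADIUS groups, which this sample does not model.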
At the renewables facilities targeted, the attackers sought to destroy various operational technology (OT) components, including Hitachi and Mikronika remote terminal unit (RTU) controllers, Hitachi protection and control relays, and Mikronika human machine interface (HMI) computers. At the power plants, they sought to use a wiper malware known as DynoWiper with the intent of irreversibly destroying essential data.
CERT Polska said that with the benefit of hindsight, it was clear that in the case of the CHPs, the hackers had gained access to the targeted systems in order to conduct reconnaissance and establish persistence as early as March 2025.
The Poles believe that the attacks likely originated from a cluster of threat activity known to Microsoft as Ghost Blizzard (aka Berserk Bear and Static Tundra), based on an analysis of the attacker-controlled infrastructure.
The presence of the DynoWiper malware, however, additionally raises the possibility of a link back to the Sandworm group, which infamously used several similar tools during the early months of the Ukraine war in 2022.