Poland has revealed that suspected Russian government-linked hackers managed to break into parts of the country’s energy infrastructure after exploiting weak and outdated security practices.
According to a new technical report released by Poland’s Computer Emergency Response Team (CERT), attackers accessed systems connected to wind farms, solar farms, and a heat-and-power plant late last year. Officials said the hackers encountered little resistance because some of the targeted systems were protected only by default usernames and passwords and lacked multi-factor authentication — two of the most basic safeguards in modern cybersecurity.
The report suggests the attackers attempted to install destructive “wiper” malware, designed to erase data and disable critical systems. Such malware can effectively render industrial control systems unusable, potentially leading to major operational disruption.
While the attack was stopped in time at the heat-and-power plant, it was not fully contained at the renewable energy sites. Monitoring and control systems at the wind and solar farms were reportedly damaged, making them temporarily inoperable.
Poland’s CERT described the attacks as purely destructive, comparing them to deliberate acts of arson in the physical world. However, officials confirmed that the hackers ultimately failed to disrupt electricity supplies at any of the targeted facilities.
The report also noted that even if the attackers had succeeded in shutting down operations, the overall stability of Poland’s national power system would not have been affected during that period.
Cybersecurity firms including ESET and Dragos had previously linked the December 29 intrusion to Sandworm, a notorious Russian hacking group known for attacking Ukraine’s power infrastructure and causing major blackouts in past years.
Poland’s government agency, however, attributed the breach to a different Russian-linked group known as Berserk Bear, also called Dragonfly. Unlike Sandworm, Berserk Bear has traditionally been associated more with espionage than destructive sabotage.
The incident highlights growing concerns across Europe about the vulnerability of critical infrastructure to cyberattacks, especially as energy systems become increasingly digital and interconnected.
Experts warn that even basic security failures, such as unchanged default passwords, can open the door to serious national security threats in an era of rising geopolitical tensions.

