Poland's Critical Infrastructure Under Threat: Lessons Learned
Poland has been facing a significant number of coordinated cyberattacks from Russian threat actors.


Overview
Russia has been conducting cyberattacks against Poland's critical infrastructure, including power grids, water supplies, and transportation networks. These attacks are believed to be part of a broader effort to weaken the Polish government and undermine its sovereignty. Intelligence assessments suggest these attacks are sophisticated and coordinated, with multiple teams working simultaneously against Polish interests.
The primary threat actor is the Russian Federation, utilizing a combination of state-sponsored groups and affiliated cybercriminals. Within the Russian Federation, cybercriminals operate in a grey zone and frequently shift time and resources between criminal efforts and state priority targets. It has been observed that western organizations compromised by Russian criminal actors will not suffer destructive attacks if access to the victim facilitates intelligence operations. Defense sector and government victims are rarely encrypted; instead they are frequently compromised and leveraged to collect massive amounts of data. Russia has a demonstrated history of targeting critical infrastructure globally, often as a means of geopolitical coercion or disruption. Signaling from western nations has shown Russia that cyberattacks are not viewed as major factors in state-to-state political or military relations.
Historical Attack Pattern
Anomali assesses that the historical pattern of attacks against Poland's and other nations' critical infrastructure will continue to escalate.
2015: Ukrainian Power Grid Attacks: The attacks, attributed to Sandworm (linked to Russian military intelligence, the GRU), utilized the BlackEnergy malware and targeted IT systems to gain access and disrupt operations. This demonstrated a capability and willingness to directly impact physical infrastructure.[1]
2016: Attacks on Western Energy Sector (Dragonfly/Energetic Bear): A long-running campaign targeting energy companies in the US and Europe. Dragonfly/Energetic Bear focused on gaining access to industrial control systems (ICS) and SCADA systems, likely for espionage and potential future disruption. This campaign highlighted the vulnerability of ICS/SCADA systems to sophisticated attackers.[2]
2017: NotPetya Malware (Global Impact, Ukraine Focus): While initially appearing as ransomware, NotPetya was a destructive wiper disguised as ransomware. It heavily impacted Ukrainian infrastructure, including energy companies, and caused significant collateral damage globally. This demonstrated Russia's willingness to deploy destructive malware with far-reaching consequences.[3]
2022-Present: Increased Cyber Activity Related to the Ukraine Conflict: Since the invasion of Ukraine, there has been a significant increase in cyberattacks targeting critical infrastructure in countries supporting Ukraine, including potential spillover effects and reconnaissance activity targeting neighboring nations such as Poland.[4]
Recommendations for Cybersecurity Defenders
The following recommendations are current best practices for a minimal set of security controls. All organizations should go beyond these recommendations, but they provide a good starting point for security teams to assess their own resilience.
Implement Multi-Factor Authentication (MFA)
For all critical systems and remote access points. This significantly reduces the risk of unauthorized access. Strong MFA is app-based or hardware-token based. SMS is not secure. Certificate-based authentication is not a sufficient second factor to qualify as strong MFA. Ensure that all vendors and partners in your supply chain also use strong MFA. SSO and conditional access policies are NOT a replacement for strong MFA coupled with User Behavioral Analytics (UBA). Session stealing is a current and viable attack method, but MFA and UBA together can help build a strong defense.
Service Accounts
Conduct monthly access and activity assessments on service accounts. Ensure service account passwords are rotated quarterly. All service account passwords should be longer than 26 characters, and all passwords must be generated using a strong password generator. Do not re-use passwords across accounts. Do not allow overpermissioning of service accounts. Delete unused service accounts. Store all service account passwords in a highly secure location, and use best practices for storing passwords in service account applications.
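An added example, not from the Anomali article, of how the monthly service account assessment above can be scripted against Active Directory: it flags accounts whose password is older than the quarterly rotation window, accounts that show no recent logon (candidates for deletion), and accounts sitting in privileged groups (overpermissioning). It assumes the RSAT ActiveDirectory module is installed and that service accounts live in a dedicated OU; the OU distinguished name below is a placeholder.

```powershell
# Added example (not the article's code): audit AD service accounts against the controls in the text.
# Assumptions: RSAT ActiveDirectory module present; service accounts are in the OU named below.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=ServiceAccounts,DC=example,DC=local'   # placeholder: set to your directory
$RotationDays     = 90   # "rotated quarterly"
$InactiveDays     = 30   # review window for the monthly access/activity assessment
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

$now = Get-Date
$accounts = Get-ADUser -SearchBase $ServiceAccountOU -Filter * `
    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, MemberOf, Enabled

$findings = foreach ($acct in $accounts) {
    $issues = @()

    # Control: rotate quarterly. PasswordLastSet is $null when a change is pending at next logon.
    if (-not $acct.PasswordLastSet -or ($now - $acct.PasswordLastSet).Days -gt $RotationDays) {
        $issues += "password older than $RotationDays days"
    }
    if ($acct.PasswordNeverExpires) { $issues += 'PasswordNeverExpires is set' }

    # Control: delete unused accounts. LastLogonDate derives from lastLogonTimestamp,
    # which replicates with a lag of up to ~14 days, so treat it as approximate.
    if ($acct.Enabled -and -not $acct.LastLogonDate) { $issues += 'never logged on' }
    elseif ($acct.Enabled -and ($now - $acct.LastLogonDate).Days -gt $InactiveDays) {
        $issues += "no logon in $InactiveDays days"
    }

    # Control: no overpermissioning. Resolve direct group memberships and match the privileged list.
    $groups = foreach ($dn in $acct.MemberOf) { (Get-ADGroup -Identity $dn).Name }
    $priv   = $groups | Where-Object { $PrivilegedGroups -contains $_ }
    if ($priv) { $issues += "member of privileged group(s): $($priv -join ', ')" }

    if ($issues.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName = $acct.SamAccountName
            Enabled        = $acct.Enabled
            PasswordAgeDays = if ($acct.PasswordLastSet) { ($now - $acct.PasswordLastSet).Days } else { $null }
            Issues         = $issues -join '; '
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
```

Only direct group membership is checked; nested membership through intermediate groups needs a recursive query (for example `Get-ADGroupMember -Recursive` run from the privileged groups' side).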
Conduct Regular Vulnerability Assessments & Penetration Testing
Identify and remediate vulnerabilities in IT and OT (Operational Technology) systems. Focus on ICS/SCADA systems and shadow IT. Air gaps are a strong security control, but may be undone in an instant through human error - continual monitoring is required. Inspect network paths for printers, cameras, door security systems, and any other technology contained within facilities. Discourage or outright ban Wi-Fi and Bluetooth at and within secure facilities. Secure wiring closets with strong physical security controls and closed-circuit alarm systems with obnoxiously audible alarms.
For all systems, ensure that an EDR is in place and reporting up to a centralized monitoring platform. Ensure that threat intelligence feeds are consumed by the EDR architecture for enforcement, not only for reporting.
Threat Intelligence
Participate in threat intelligence communities to stay informed about the latest threats and vulnerabilities, including ISACs and ISAOs and state programs. Establish a CTI program and define Priority Intelligence Requirements and program deliverables.
Incident Response Planning
Develop and regularly test an incident response plan to ensure a swift and effective response to cyberattacks. These tabletop exercises should be conducted at least annually. Ensure that the IR plan is up to date and accurately describes the response process. Train incident responders using realistic incident types, based on trusted intelligence community reports and OSINT.
Patching & Devices
Ensure rapid patching of employee laptops and applications, and equally prioritize patching any internet-facing systems. At a minimum, ensure that standard operating system updates are automatically applied, and use your EDR to monitor for OS version compliance. Ban, confiscate, and replace noncompliant devices. This includes mobile devices issued by the organization. Make no allowances for contractor or visitor devices - these should never be connected to critical sector networks. Consultants and contractors can be issued organization-managed devices on a temporary basis. Do not permit critical sector organization-managed mobile devices and laptops to travel to another country. Do not allow BYOD devices to access any organizational resources or networks. Sweep offices and facilities frequently for shadow IT, including printers and Wi-Fi access points.
Employee Training
Educate employees about phishing attacks, social engineering, and other cyber threats. Use a commercial vendor for these activities, and always use contextually relevant materials. Train your employees using real-world examples driven by recent incidents and Cyber Threat Intelligence guidance about current threats. Ensure that the team managing employee training is incentivized to successfully phish its users, not rewarded for reducing click rates. The educational benefit of these scenarios is only realized when the employee fails to spot the phish.
By taking these proactive measures, critical infrastructure operators in Poland, and more generally across the world, can significantly enhance their cybersecurity posture and better defend against evolving threats from the Russian Federation and other adversaries. This is not simply an IT or Information Security issue; it is a national security imperative. Failing to protect critical infrastructure can and will cause highly disruptive events such as loss of power, safe drinking water, or emergency responder services.
Sources
[1] The Cyber Law Toolkit. 2023. Power grid cyberattack in Ukraine (2015). October 29. https://cyberlaw.ccdcoe.org/wiki/Power_grid_cyberattack_in_Ukraine_(2015).
[2] CISA.gov. 2021. CrashOverride Malware. July 20. https://www.cisa.gov/news-events/alerts/2017/06/12/crashoverride-malware.
[3] Greenberg, Andy. 2022. The Untold Story of NotPetya, the Most Devastating Cyberattack in History. August 10. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
[4] The MITRE Corporation. n.d. 2022 Ukraine Electric Power Attack. Accessed September 25, 2025. https://attack.mitre.org/campaigns/C0034/.
