By AJ Vicens
Jan 30 (Reuters) - Russia's domestic spy agency was likely responsible for cyberattacks late last month on 30 Polish renewable energy facilities, a manufacturing firm and a plant supplying heat for nearly 500,000 customers, Polish officials said on Friday.
A report by Poland's Computer Emergency Response Team on the incident - which a Polish minister said was the worst of its kind in years - pointed to a team of hackers from Russia's Federal Security Service, known by its Russian acronym FSB.
The hacks were "purely destructive in nature," the report said, comparing them to arson.
"It is worth noting that this period coincided with low temperatures and snowstorms affecting Poland, shortly before New Year’s Eve,” the report said.
The Russian aim was to irreversibly destroy data stored on devices within the combined heat and power plant but security software blocked that portion of the attack, according to the report.
The Russian embassy in Washington did not respond to a request for comment.
OTHER ANALYSIS POINTS TO RUSSIAN MILITARY INTELLIGENCE
Poland says its critical infrastructure has been subject to a growing number of cyberattacks by Russia since the war in Ukraine began in February 2022. Moscow regularly denies responsibility for malicious cyber activity.
The report tied the incident to an FSB hacking operation tracked under several nicknames, including "Berserk Bear" and “Dragonfly.” An August 20, 2025 report from the FBI linked the groups to the FSB’s specialised unit Center 16.
While the group has historically had “significant interest” in the energy sector and the ability to attack industrial devices, “this is the first publicly described destructive activity attributed to this cluster,” the Polish cyber officials said, referring to the FSB hacking group.
The report’s verdict on the hacks involved partially backs an independent analysis published last week by researchers at the Slovakia-based cybersecurity firm ESET.
ESET said that the malware involved in the Polish attack overlapped with prior destructive cyber operations tied to Russia, but linked it to a Russian military intelligence hacking unit known as Sandworm, not the FSB.
ESET issued a second report Friday expanding on its analysis of the malware which again tied it to Sandworm, although it cautioned that other aspects of the operation might have been carried out by different hacking groups.
John Hultquist, chief analyst at Google Threat Intelligence Group, said Friday that if the attack truly is Berserk Bear, the activity represents an escalation from its penetration of targets for long-term espionage towards damaging action.
"They have the means, the question was always did they have the motivation,” Hultquist said. "Now, potentially based on this attribution, proven to us that they do have the motivation, which puts us in a much more serious situation.”
Hultquist said the situation should raise concerns about the security of the Winter Olympics, set to kick off February 6.
“Russia has previously attempted to knock the opening ceremonies of the Winter Olympics offline, and they were extremely active during the last summer games," Hultquist said. “Disruptive cyberattacks are a very real threat.”
(Reporting by AJ Vicens in Detroit; editing by Philippa Fletcher)
