
TL;DR: The largest documented cyberattack on Poland’s energy infrastructure exposed serious gaps in basic cybersecurity practices — despite the presence of security tools, the attack went on for months without a proper response. The incident likely consisted of two stages: the first involving initial access acquisition and possible resale (Initial Access Broker), and the second a destructive phase resembling ransomware operations in terms of techniques and tactics. The key takeaway is that the main issue was not the sophistication of the attackers, but rather the lack of SOC monitoring, failure to respond to alerts, and insufficiently mature security processes — raising concerns about the real level of critical infrastructure protection in Poland.
In December 2025, it was revealed that Poland had become the target of a coordinated, destructive cyber campaign aimed directly at critical infrastructure — including renewable energy sources, an industrial entity, and a large combined heat and power plant serving approximately half a million residents. This represents the largest documented incident of this kind in Poland.
The attack occurred at a particularly sensitive moment — during severe frost and snowstorms, just before the New Year. Although it did not result in power or heating outages, disruptions to communication and attempts to sabotage OT devices demonstrated how real the risk of cyberattacks against industrial control systems has become, as well as how low the level of protection of critical infrastructure in the country remains.
The CERT report on the attack against a Polish CHP plant provides valuable analytical material. Below, I share observations that go beyond the scope of the report itself — because that is where the most interesting discussion begins.
Initial access to the environment was achieved via an SSL/VPN FortiGate gateway and a jump host. The report does not specify source IP addresses or details of VPN connections — suggesting that logs from the FortiGate system from that period may simply no longer exist. The analysis was therefore primarily based on events from the domain controller and the EDR system.
The environment used an ESET EDR solution, which does not retain full long-term host telemetry. It can therefore be assumed that the analysis relied mainly on alert data. This raises a concerning question: the system flagged suspicious activity, yet the alerts apparently did not receive an adequate response.
The characteristics of the described activity resemble tactics typical of an Initial Access Broker (IAB). The actor conducted reconnaissance and then ceased activity after obtaining information that appears sufficient for reselling access. Such a chain of events is characteristic of the ransomware ecosystem: an IAB gains a foothold and then monetizes it by transferring access to another party.
The techniques and tactics described in the report are typical of attacks targeting organizations poorly prepared to defend against cyber threats. Ransomware groups operate opportunistically and prefer environments that lack monitoring or advanced defensive capabilities. The actor appeared relatively unconcerned with remaining stealthy or covering tracks, which says a lot about the security posture of the CHP plant.
We do not know exactly how the actor gained initial access. The most likely scenarios include:
exploitation of a vulnerability or misconfiguration in a perimeter device,
credential compromise through an infostealer infection,
credential harvesting through phishing,
dictionary or brute-force attacks against the VPN gateway (particularly plausible given the lack of 2FA).
The environment lacked basic attack surface security practices: perimeter devices were not updated, and multi-factor authentication was not implemented. The environment was not monitored by a SOC team. Alerts generated by the EDR system received no response.
The second wave of activity again involved reconnaissance and privilege escalation — including LSASS memory dumping and extraction of the Active Directory database. The report does not indicate direct links between the activities earlier in the year and those at the end of the year, suggesting different actors may have been involved. Considering the typical supply chain within the cybercriminal ecosystem, it is possible that the first-stage actor (IAB) leased or sold access to another party. However, a complete lack of connection between the two activities is equally possible.
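The credential-access steps named above (LSASS memory dumping and extraction of the Active Directory database) are among the loudest signals a defender can look for, and both were visible to the EDR. The detection logic below is an added example, not code from the CERT or ESET reports; the Sysmon-style events, host names, paths and the lsass.exe allowlist are constructed assumptions.

```python
"""Detection logic for the credential-access steps the report names: LSASS memory
access and extraction of the Active Directory database (ntds.dit). Added example,
not code from the CERT or ESET reports; the events are constructed Sysmon-style
records (Event ID 10 ProcessAccess, Event ID 1 ProcessCreate), not incident telemetry."""

PROCESS_VM_READ = 0x0010  # access right required to read another process' memory

# Processes that legitimately open lsass.exe; tune to the environment (assumed set)
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\svchost.exe", r"c:\windows\system32\lsass.exe"}

# Command-line token sets tied to copying ntds.dit out of a shadow copy;
# "vssadmin create shadow" also appears in legitimate backups, so rank it lower
NTDS_INDICATORS = {("ntdsutil", "ifm"): "high", ("ntds.dit",): "high",
                   ("vssadmin", "create", "shadow"): "medium"}


def credential_access_findings(events):
    """Return (host, technique, confidence, evidence) tuples for suspicious events."""
    findings = []
    for ev in events:
        if ev["id"] == 10 and ev["target"].lower().endswith(r"\lsass.exe"):
            src = ev["source"].lower()
            # Only non-allowlisted processes asking for memory-read rights are interesting
            if src not in LSASS_ALLOWLIST and ev["granted"] & PROCESS_VM_READ:
                findings.append((ev["host"], "lsass_memory_read", "high", ev["source"]))
        elif ev["id"] == 1:
            cmd = ev["cmdline"].lower()
            for tokens, confidence in NTDS_INDICATORS.items():
                if all(t in cmd for t in tokens):
                    findings.append((ev["host"], "ntds_extraction", confidence, ev["cmdline"]))
                    break
    return findings


# Constructed sample events; hosts, paths and command lines are illustrative only
SAMPLE_EVENTS = [
    {"id": 10, "host": "dc01", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": 0x1000},
    {"id": 10, "host": "dc01", "source": r"C:\Users\Public\tool.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": 0x1FFFFF},
    {"id": 1, "host": "dc01", "cmdline": r'ntdsutil.exe ifm "create full C:\temp" q q'},
    {"id": 1, "host": "dc01", "cmdline": r"vssadmin.exe create shadow /for=C:"},
    {"id": 1, "host": "ws017", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]
```

Run over the constructed events, the function returns three findings for dc01 and nothing for the benign svchost.exe entries; in a real deployment the allowlist and the confidence ranking are what keep such a rule from joining the false-positive noise the article describes.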
The actions involving reconnaissance, privilege escalation, and lateral movement within the IT environment of the CHP plant closely resemble ransomware operations. Tools, techniques, and tactics — such as Advanced IP Scanner, Advanced Port Scanner, Impacket, Reverse SOCKS Proxy tunneling, and typical LoLBins usage — appear in most ransomware attack reports. The attack was conducted in a brutally noisy and relatively primitive manner. This is typical of ransomware groups or actors operating within the RaaS ecosystem, targeting easy, unprotected environments where efficiency and profit are key.
Additionally, during this second activity phase, EDR alerts once again appeared without any response.
The EDR system detected and automatically blocked attempts to damage data, using a typical canary file mechanism. However, the timing was unusual: the destructive phase began during working hours on a weekday morning. Typically, such actions occur at night or during non-working days. This suggests that the attackers did not fear detection.
The first attempt occurred in the morning and another in the afternoon. This means the morning attempt — which generated alerts across approximately one hundred hosts — went unnoticed. The second attempt likely also received no response. Did the overwriting of server disks via KVM finally draw attention from those responsible for security?
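The two failures described above, a canary-file rule firing on about a hundred hosts without anyone noticing and critical alerts left without response, can be turned into escalation logic that does not depend on an analyst happening to watch the console. The code below is an added example, not tooling from the plant, ESET or CERT; severities, rule names, hosts and timestamps are constructed.

```python
"""Escalation logic for an EDR alert stream (added example, not tooling from the
plant, ESET or CERT): one rule firing on many hosts within minutes must page
someone, and critical alerts nobody acknowledges inside the SLA must be re-raised."""
from collections import defaultdict
from datetime import datetime, timedelta
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
T0 = datetime(2025, 12, 1, 8, 12)  # constructed weekday-morning timestamp, not the report's

def escalations(alerts, now, burst_hosts=10, burst_window=timedelta(minutes=15),
                ack_sla=timedelta(minutes=30), min_severity="high"):
    """Return (reason, rule, detail) tuples that should reach an on-call analyst."""
    # Drop the low-severity noise that buries real signal in default configurations
    floor = SEVERITY_RANK[min_severity]
    relevant = sorted((a for a in alerts if SEVERITY_RANK[a["severity"]] >= floor),
                      key=lambda a: a["time"])
    by_rule = defaultdict(list)
    for a in relevant:
        by_rule[a["rule"]].append(a)
    out = []
    for rule, items in by_rule.items():
        start = 0  # 1. Burst: same rule on many distinct hosts inside a sliding window
        for end, a in enumerate(items):
            while a["time"] - items[start]["time"] > burst_window:
                start += 1
            hosts = {x["host"] for x in items[start:end + 1]}
            if len(hosts) >= burst_hosts:
                out.append(("burst", rule, f"{len(hosts)} hosts within {burst_window}"))
                break
        # 2. Critical alerts left unacknowledged past the SLA, reported once per rule
        stale = [a for a in items if a["severity"] == "critical"
                 and not a["acked"] and now - a["time"] > ack_sla]
        if stale:
            out.append(("unacknowledged", rule,
                        f"{len(stale)} alerts, oldest {stale[0]['time']:%H:%M}"))
    return out

def constructed_alerts():
    # The destructive attempt: one canary-file rule across ~100 workstations
    alerts = [{"time": T0 + timedelta(seconds=20 * i), "host": f"ws{i:03d}",
               "rule": "Canary file modified", "severity": "critical", "acked": False}
              for i in range(100)]
    # Background noise that a default configuration keeps producing
    alerts += [{"time": T0 - timedelta(minutes=m), "host": "ws999", "rule":
                "Suspicious script", "severity": "low", "acked": False} for m in range(40)]
    # One earlier high-severity alert that someone did acknowledge
    alerts.append({"time": T0 - timedelta(hours=1), "host": "dc01",
                   "rule": "LSASS memory access", "severity": "high", "acked": True})
    return alerts
```

With the clock set two hours after the constructed morning wave, the function raises one burst escalation (the canary rule reached ten distinct hosts within three minutes) and one unacknowledged-critical escalation covering all hundred alerts, while the forty low-severity alerts never reach either check.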
It is striking that the attackers — who had unrestricted access to systems, including the domain controller and domain administrator-level control over the IT infrastructure — did not attempt to disable the EDR system. This is a glaring mistake that may indicate lack of competence or insufficient preparation for the final phase of the attack. On the other hand, launching a Linux distribution through KVM suggests that the attackers persistently pursued their objective, searching for alternative paths.
As with any major incident, many questions remain unanswered. The CERT team did solid work reconstructing events, and the transparency of the report deserves recognition. CERT appropriately focused on technical analysis and avoided drawing far-reaching conclusions. However, the cybersecurity community should expand the discussion beyond the scope of the report itself.
Key concerns include:
lack of basic cybersecurity best practices in a large CHP plant forming part of Poland’s critical infrastructure,
lack of monitoring of security systems,
lack of response to obvious and noisy attacker activity,
relatively low sophistication and competence of the attackers — which paradoxically increases concern.
The situation described for a manufacturing sector organization may have been even worse. The attack was not detected at all — and the report does not even mention the presence of an EDR system. There is no information about the timeline or defensive actions taken, even in the final phase. The attackers infiltrated the environment and likely conducted destructive actions without encountering resistance. The attack appeared opportunistic.
Notably, the ESET report includes an unusual declaration: the vendor explicitly states that its system was deployed in the CHP plant and that it was this system that stopped the attack. But can this truly be considered a success?
After all, only the final phase of a months-long attack was prevented. We know the system had previously signaled suspicious activity, yet in its default configuration it generates a large number of false positives, which may lead to critical alerts being overlooked. While improper configuration and lack of automated response are likely not ESET’s responsibility, claiming that “the system stopped the attack” may create unjustified trust in autonomous EDR operation in organizations lacking a competent SOC team.
The issue of attribution deserves separate analysis. CERT attributed the attack to a group linked to the Russian FSB, while ESET assessed that GRU agents were responsible. CERT’s assessment appears to be based on stronger evidence related to infrastructure analysis, whereas ESET’s conclusions rely primarily on code analysis.
However, if we set aside infrastructure-based indicators of compromise (IOCs) and focus solely on the TTPs observed within the CHP plant network, the attack strongly resembles typical ransomware activity. This was clearly not a ransomware attack — ransomware groups are financially motivated and typically avoid purely destructive outcomes — yet the techniques, tactics, and tools used are strikingly similar.
No sophistication. No advanced techniques. Blatantly noisy activity. No false flags, zero-day exploits, or hidden C2 channels. In fact, many ransomware operations I have encountered demonstrated higher levels of sophistication and better operational security. The possible involvement of an Initial Access Broker further complicates attribution.
This raises fundamental questions:
Are we witnessing a shift in the behavior of Russian state-sponsored actors?
Has Russia abandoned plausible deniability in escalating its aggression?
Does this indicate deeper integration between cybercriminal ecosystems and state operations?
Is the FSB moving from intelligence gathering toward offensive and destructive actions?
If the answer to any of these questions is yes, the cybersecurity industry may face a challenging period ahead.
One can only hope that the described CHP plant represents an isolated case of negligence rather than a systemic issue. Given Poland’s geopolitical position and support for Ukraine, the country remains particularly exposed to cyber threats, and the nationwide BRAVO-CRP cyber alert level remains in effect. This clearly indicates that the key priorities for the coming years must include not only proper configuration of security tools and attack surface management, but above all continuous monitoring, operational readiness, and mature incident response capabilities.
