EU and UK officially blame Russian spies for cyberattack on Poland’s power grid

The UK and EU are demanding urgent action from critical infrastructure organizations after formally attributing the December 2025 cyberattack on Poland’s power grid to Russia’s Federal Security Service.
The Foreign, Commonwealth & Development Office (FCDO) described the attack, carried out by the FSB’s Centre 16 division, as “another example of the Russian state’s irresponsible attempts to sow chaos across Europe.”
Milosz Motyka, Poland’s energy minister, confirmed the attack on the country’s power grid in January. He said experts suspected that whoever was behind it attempted to disrupt communication between renewable hardware and power distribution operators.
The attack was ultimately unsuccessful, but suspicion quickly fell on Russia.
Attackers tried to deploy the destructive DynoWiper malware, a move typically associated with Russian state-backed operations. Mandiant previously tied the 2023 blackouts in Ukraine to Sandworm’s deployment of CaddyWiper malware, while the NCSC and its allies fingered the same military intelligence unit for the 2022 WhisperGate wiper attacks at the start of Russia’s invasion.
As The Register reported at the time, the FCDO said the attack in Poland could have left half a million Poles without power in midwinter – a cyberattack with potentially lethal consequences.
We asked the NCSC to provide more information about what evidence allowed it to attribute the Poland energy attack to Russia’s FSB, but it declined to comment on operational matters.
Time to act
The UK NCSC co-authored a technical advisory, published Monday, which highlights the latest developments in Russia’s tradecraft, urging those most at risk to apply the recommended mitigations.
It said organizations in the following sectors are most at risk from Centre 16 cyberattacks: communications, defense industrial base, energy, financial services, government services and facilities (especially organizations at the state and local level), and healthcare and public health.
The headline mitigation recommended by the intelligence agencies is to disable SNMPv1 and SNMPv2, opting instead for SNMPv3 with authPriv, which comes with strong authentication and data encryption, and to disable Cisco Smart Install on all devices.
Centre 16’s common tactics involve scanning for devices that respond with SNMPv1/2. These support default or easily guessed community strings, which are commonly abused to gain access to network devices such as routers – a technique the NCSC and others issued separate warnings about in April.
Attackers can abuse SNMP access to obtain device configuration data and transfer it to a server under their control, which can later facilitate persistent access.
Although SNMP scanning is the principal tactic described, the advisory also covers the exploitation of Cisco devices, including those with Smart Install enabled.
MORE CONTEXT
Defenders examining the document will notice overlapping tactics, techniques, and procedures (TTPs) between Centre 16 and other Russia-aligned threat groups, the intelligence partners wrote.
Jonathon Ellison, director of national resilience at the NCSC, said: “The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter.
“Today’s joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK’s critical infrastructure.
“I’d strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise.”
Fresh sanctions
The UK and EU have each added an array of Russian individuals and entities to their sanctions lists, including GRU officials, cybercriminals, and hacktivists.
Members of pro-Kremlin outlet Rybar also makes an appearance, owing to its false narratives about Ukraine and alleged interference with European elections.
The most high-profile designations concern Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko – three GRU leaders accused of orchestrating cyber and hybrid operations. They also allegedly worked with cybercriminals and a company called IMPULS with a view to recruit cybersecurity specialists from universities and academies across Russia.
UK Foreign Secretary Yvette Cooper said: “These sanctions strike at the core of the cybercriminal networks propping up the Russian state’s aggression, and the UK and EU are sending a clear message that Russia cannot hide behind its use of these proxy groups.
“From directing criminals to targeting businesses, and striking Poland’s energy grid in the depths of winter, the Russian state is sinking to new lows in its attempts to undermine European security.
“Together with our partners, Britain will continue to call out this behaviour, bolster our resilience and respond to the hybrid threat posed by the Russian state. This will not deter us from supporting Ukraine.”
Sanctions were also imposed against three individuals accused of being operators of Lumma Stealer, one of the major infostealer malware strains that play a significant role in the cybercrime economy.
National Crime Agency data suggests that in the UK alone, at least 2,100 victims were identified as infected over six months. The UK confirmed that the Russian state has used Lumma Stealer to gather stolen credentials and launch cyberespionage operations against global targets.
The 24 sanctions unveiled on Monday add to the 3,400-plus individuals and entities that have been designated for their roles in supporting Russia’s war efforts.
Don’t forget those cameras
The coordinated international warnings and sanctions come days after Dutch authorities issued their own alert about Russian espionage units targeting internet-connected cameras to gather intelligence about military logistics routes.
Its separate advisory warned that at least one Russian intelligence unit carries out operations targeting the Netherlands and other NATO members, using IP camera footage to track military logistics routes and the transport of materiel, and to map infrastructure such as bridges and roads.
Dutch intelligence services added that Russia uses image recognition software to detect military vehicles, transport routes, shipments to Ukraine, and locations of Ukrainian soldiers.
The advisory went on to say that Dutch intelligence suggests Russia’s use of compromised IP cameras and their imagery has systematically increased recently and become a normal part of its tradecraft.
It said abusing default passwords was the most common way in which Russian spies were gaining access to the cameras, although the most recent security updates were rarely applied, opening up vulnerabilities to exploit when using guessable passwords doesn’t work. ®
READ MORE HERE
