Poland’s cybersecurity authorities say Russian state-backed hackers slipped into parts of the country’s power infrastructure by exploiting startlingly simple security mistakes, disabling critical monitoring systems at wind and solar farms before defenders contained the attempt at a combined heat and power plant. The technical report points to weak authentication practices — including default usernames and passwords and a lack of multi-factor authentication — as the attackers’ easiest path in.
Report Faults Basic Security Lapses in Polish Energy Sector
The national Computer Emergency Response Team, operating under the Ministry of Digital Affairs, detailed a series of intrusions at the end of last year that leveraged unprotected remote access and vendor-installed default credentials. Investigators said the intruders deployed data-wiping malware intended to make supervisory control and data acquisition workstations and related monitoring consoles unusable, effectively blinding operators at several renewable sites.

Although no power outages were recorded and grid stability was not at risk, the campaign succeeded in knocking out visibility and control tools at some sites — a stark reminder that even a modest foothold in operational technology can have outsized operational impact. The report characterized the malware’s intent as purely destructive, akin to setting a fire rather than stealing data.
The ease of entry matters as much as the payload. Security assessments across the energy sector repeatedly find exposed remote access services, shared vendor accounts, and flat networks between corporate IT and plant environments. The picture described by Polish officials is consistent with those patterns, suggesting a preventable incident rather than a triumph of sophisticated tradecraft.
Attribution Dispute Highlights Moscow’s Playbook
There is disagreement among experts about which Russian unit led the operation. Private-sector researchers at ESET and Dragos previously tied the activity to Sandworm, the group behind the power disruptions in Ukraine in 2015 and 2016 and the attempted disruption in 2022, including use of the Industroyer family of malware. Poland’s CERT, however, attributes the intrusions to Berserk Bear, also known as Dragonfly, a separate intelligence outfit historically focused on espionage and long-term access in energy networks.
Attribution in industrial cyber incidents is notoriously hard. Tool reuse, shared infrastructure, and deliberate false flags often blur the picture. What is clear from the technical details is a growing willingness by Russian operators to blend traditional reconnaissance with destructive actions against civilian energy assets — a trend European defenders have tracked since the start of large-scale hostilities in the region.
Distributed Energy Assets Are An Easy Target
Wind and solar facilities are attractive to adversaries because they are numerous, geographically dispersed, and frequently managed by contractors and equipment vendors using remote connections. Many sites run commodity operating systems for human-machine interfaces and historians, with limited on-site staffing and inconsistent patching. When those environments inherit weak IT controls — shared passwords, disabled logging, or neglected VPN gateways — even a resilient grid design can be tested by localized disruptions.

The European grid has been probed before. The continent’s transmission and distribution operators have reported attempted intrusions against business systems, and Ukraine’s experience remains the canonical example of adversaries moving from footholds in IT to impact in substations. In each case, discipline around authentication and segmentation made the difference between a nuisance and an operational event.
The Verizon Data Breach Investigations Report has long found the human element and credentials at the center of most compromises, with misused or stolen credentials a dominant vector in intrusions. The Polish case underscores how those same realities play out in industrial settings, where remote access is necessary but dangerous when not rigorously managed.
What Energy Operators Should Do Now to Reduce Risk
Critical energy entities should immediately eliminate default and shared accounts, enforce multi-factor authentication on every remote entry point, and rotate vendor credentials across sites. Remote connectivity from original equipment manufacturers must be restricted through jump hosts, strong identity verification, and time-bound approvals.
On the network side, segment IT from operational technology with firewall-enforced zones and conduits, employ strict allowlists for services and ports, and monitor for anomalous east–west traffic in plant networks. Deploy application allowlisting and secure baseline images on engineering workstations, maintain offline and immutable backups of configurations, and test restoration procedures regularly.
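The two paragraphs above amount to an audit checklist: no default or shared accounts, MFA on every remote entry point, vendor credentials rotated on a schedule, and an IT-to-OT boundary that only admits allowlisted services through a jump host. The script below is an added example, not code from the Polish CERT report or from any of the standards it cites. It runs those checks over a constructed inventory (the site names, usernames, zone labels, the 90-day rotation window and the "TLS to the jump host only" conduit policy are all assumptions) and returns findings per site, so a defender can see which of the basics named in the article are failing before an attacker does.

```python
"""Audit remote-access accounts and IT/OT conduit rules against the basics
named in the article. Added example with a constructed inventory; the policy
values below are assumptions, not values from the report."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed set of vendor-default usernames; a real audit takes this from
# vendor documentation and the operator's own asset inventory.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "operator", "guest", "service"}
MAX_CREDENTIAL_AGE_DAYS = 90          # assumed rotation policy
JUMP_HOST_ZONE = "OT-DMZ"             # assumed zone name for the jump host
ALLOWED_TO_JUMP_HOST = {("tcp", 443)} # assumed: only TLS from IT to the jump host


@dataclass(frozen=True)
class RemoteAccount:
    """One remote-access identity at one site (constructed record shape)."""
    site: str
    username: str
    owner: str                     # "staff" or "vendor"
    mfa_enabled: bool
    last_rotated: date
    shared_across_sites: bool
    vendor_default_password: bool  # e.g. set by comparing a hash to the shipped default


@dataclass(frozen=True)
class ConduitRule:
    """One firewall rule between zones (constructed record shape)."""
    src_zone: str
    dst_zone: str
    proto: str     # "tcp", "udp" or "any"
    dst_port: int  # 0 means "any port"


def audit_account(acct: RemoteAccount, today: date) -> list[str]:
    """Return the account-hygiene findings for one remote-access identity."""
    findings = []
    if acct.vendor_default_password:
        findings.append("vendor default password")
    if acct.username.lower() in DEFAULT_USERNAMES:
        findings.append("default username")
    if not acct.mfa_enabled:
        findings.append("no MFA on remote entry point")
    if acct.shared_across_sites:
        findings.append("account shared across sites")
    if (today - acct.last_rotated).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"credential not rotated in {MAX_CREDENTIAL_AGE_DAYS} days")
    return findings


def audit_conduit(rule: ConduitRule) -> list[str]:
    """Return the segmentation findings for one zone-to-zone firewall rule."""
    findings = []
    if rule.src_zone == "IT" and rule.dst_zone == "OT":
        # Any direct IT->OT rule bypasses the jump host entirely.
        findings.append("direct IT-to-OT path bypasses the jump host")
    elif rule.src_zone == "IT" and rule.dst_zone == JUMP_HOST_ZONE:
        if (rule.proto, rule.dst_port) not in ALLOWED_TO_JUMP_HOST:
            findings.append("service to jump host not on allowlist")
    if rule.dst_port == 0 or rule.proto == "any":
        findings.append("rule permits any port or protocol")
    return findings


def run_audit(accounts: list[RemoteAccount], rules: list[ConduitRule],
              today: date) -> dict[str, list[str]]:
    """Group findings by site; network findings go under the key 'network'."""
    report: dict[str, list[str]] = {}
    for a in accounts:
        for f in audit_account(a, today):
            report.setdefault(a.site, []).append(f"{a.username}: {f}")
    for r in rules:
        for f in audit_conduit(r):
            key = f"{r.src_zone}->{r.dst_zone}/{r.proto}:{r.dst_port}"
            report.setdefault("network", []).append(f"{key}: {f}")
    return report


# Constructed sample inventory: two sites, three accounts, four conduit rules.
TODAY = date(2024, 12, 1)
SAMPLE_ACCOUNTS = [
    RemoteAccount("wind-north", "admin", "vendor", False, date(2024, 1, 15), True, True),
    RemoteAccount("solar-east", "ops-eng-01", "staff", True, date(2024, 11, 1), False, False),
    RemoteAccount("solar-east", "scada-svc", "vendor", True, date(2024, 6, 1), False, False),
]
SAMPLE_RULES = [
    ConduitRule("IT", "OT-DMZ", "tcp", 443),   # the one permitted path
    ConduitRule("IT", "OT", "tcp", 3389),      # remote desktop straight into the plant
    ConduitRule("IT", "OT-DMZ", "any", 0),     # "allow all" to the jump host
    ConduitRule("OT", "OT", "tcp", 502),       # intra-plant Modbus, not in scope here
]

if __name__ == "__main__":
    for site, items in run_audit(SAMPLE_ACCOUNTS, SAMPLE_RULES, TODAY).items():
        print(site)
        for item in items:
            print("  -", item)
```

The account checks are deliberately independent of each other so that a single vendor account with a shipped default password, no MFA and reuse across sites shows up as five separate findings rather than one; that is the profile the article describes, and each item maps to a distinct remediation (reset, enrol, split, rotate). The conduit check treats any direct IT-to-OT rule as a finding regardless of port, since the control being enforced is that all remote access lands on the jump host first.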
Incident response should include tabletop exercises with grid operators and regulators, rehearsed isolation of affected assets, and rapid reconstitution plans for SCADA and energy management systems. Guidance from ENISA, CISA’s Cross-Sector Cybersecurity Performance Goals, and the IEC 62443 standards provides concrete control sets suited to mixed IT/OT environments.
With NIS2 requirements tightening across the European Union, operators of essential and important entities face increased oversight for risk management and supply chain security. The episode in Poland is a warning shot: the gap between compliance checklists and operational resilience often lies in the basics. When attackers only need a default password, the grid’s toughest problems start at the login prompt.