DMR News

Poland Says Russian Hackers Breached Energy Systems Using Weak Security Controls

By Jolyen

Feb 2, 2026

Poland has said suspected Russian government hackers gained access to parts of the country’s energy infrastructure by exploiting basic security failures, including default login credentials and a lack of multi-factor authentication, according to a technical report released by the government.

Incident Detailed By National CERT

On Friday, Poland’s Computer Emergency Response Team, part of the Ministry of Digital Affairs, published findings on an intrusion that occurred at the end of last year. The report said attackers compromised systems at wind farms, solar farms, and a combined heat-and-power plant.

According to the report, the attackers encountered little resistance. Targeted systems were protected by default usernames and passwords and did not use multi-factor authentication, which the agency described as fundamental security oversights.

Attempted Destructive Malware Deployment

The report said the attackers attempted to deploy wiper malware designed to erase data and render systems unusable. While the report did not confirm the attackers’ ultimate objective, it noted that such malware could be used to disable energy operations.

The attack was stopped at the heat-and-power plant, preventing damage. However, the wind and solar facilities were not as fortunate. Systems used to monitor and control grid operations at those sites were rendered inoperable by the malware.

“All of the attacks were purely destructive in nature,” the report said, comparing the activity to deliberate acts of arson in the physical world.

No Power Disruption Recorded

Despite the successful deployment of destructive malware at some facilities, the hackers did not disrupt electricity supply at any of the targeted locations. The report said that even if the attacks had fully succeeded, they would not have affected the overall stability of Poland’s power system during that period.

Conflicting Attribution Of Attackers

Cybersecurity firms ESET and Dragos had previously reported on the incident, which took place on December 29, and attributed the intrusions to Sandworm. Sandworm has a documented history of attacks on energy infrastructure in Ukraine, including power outages in 2015, 2016, and 2022.

Poland’s CERT reached a different conclusion. The agency attributed the activity to another Russian government-linked group known as Berserk Bear, also referred to as Dragonfly. The report noted that Berserk Bear is typically associated with cyberespionage operations rather than destructive attacks.

