VYPR
advisoryPublished Jul 13, 2026· 2 sources

EU and UK Blame Russian FSB for December 2025 Poland Power Grid Cyberattack

The UK and EU have officially attributed a December 2025 cyberattack on Poland's power grid to Russia's FSB Centre 16, warning of potential lethal consequences and urging critical infrastructure to implement new security measures.

The United Kingdom and the European Union have formally attributed a significant cyberattack on Poland's power grid in December 2025 to Russia's Federal Security Service (FSB), specifically its Centre 16 division. The attack, which was ultimately unsuccessful in its disruptive aims, is being characterized by the UK's Foreign, Commonwealth & Development Office (FCDO) as "another example of the Russian state's irresponsible attempts to sow chaos across Europe." Polish energy minister Milosz Motyka confirmed the incident in January, stating that the attackers attempted to disrupt communication between renewable energy hardware and power operators.

While the attack did not cause widespread outages, suspicion quickly fell on Russia due to the attempted deployment of the destructive DynoWiper malware. This malware is often associated with Russian state-backed operations, similar to the CaddyWiper malware linked to Sandworm in Ukraine's 2023 blackouts and the WhisperGate wiper attacks during the initial phase of Russia's invasion of Ukraine. The NCSC and its international partners have previously identified the same military intelligence unit behind these earlier destructive campaigns.

The potential impact of the Poland attack was severe, with the FCDO estimating that it could have left half a million Poles without power during the midwinter, highlighting the potentially lethal consequences of such cyber operations against critical infrastructure. The NCSC declined to comment on specific evidence linking the attack to Russia's FSB, citing operational security.

In response, the NCSC co-authored a technical advisory with international partners, detailing Russia's evolving cyber tradecraft. The advisory urges organizations in high-risk sectors—including communications, defense, energy, financial services, government, and healthcare—to implement specific mitigations. A primary recommendation is to disable SNMPv1 and SNMPv2, which are often targeted for their weak default community strings, and to adopt SNMPv3 with authPriv for enhanced authentication and encryption.

Furthermore, the advisory stresses the importance of disabling Cisco Smart Install on all devices. Centre 16 frequently scans for devices using SNMPv1/v2 to gain initial access, leveraging weak community strings to compromise network devices like routers. This technique has been a subject of previous warnings from the NCSC and other agencies. Abuse of SNMP access can allow attackers to exfiltrate device configurations, facilitating persistent access.

The joint advisory also notes overlapping tactics, techniques, and procedures (TTPs) between Centre 16 and other Russia-aligned threat groups, underscoring a coordinated approach to cyber operations. Jonathon Ellison, director of national resilience at the NCSC, emphasized the need for immediate implementation of recommended measures to protect critical infrastructure and reduce the risk of compromise.

In parallel with the technical warnings, the UK and EU have imposed new sanctions on a range of Russian individuals and entities, including GRU officials, cybercriminals, and those involved in spreading disinformation. These designations target leaders accused of orchestrating cyber and hybrid operations, as well as individuals linked to infostealer malware like Lumma Stealer, which has been used by the Russian state for cyberespionage. UK Foreign Secretary Yvette Cooper stated that these sanctions aim to disrupt the cybercriminal networks supporting Russian aggression and send a clear message that Russia cannot hide its actions.

The coordinated international response, including technical advisories and sanctions, underscores the persistent threat posed by Russian state-sponsored cyber actors. The focus on critical infrastructure, coupled with the potential for severe real-world consequences, highlights the ongoing need for robust cybersecurity defenses and international cooperation to counter these advanced threats.

The European Union and United Kingdom have expanded their coordinated sanctions against Russian intelligence agencies, specifically targeting Center 16, the cyberwarfare division of the FSB. This action, which includes asset freezes and travel bans for nine individuals and four entities, is a direct response to the December 2025 attack on Poland's energy grid and ongoing cyberespionage campaigns. The sanctions package is the EU's largest ever for cyber activities and marks the first joint cyber sanctions package between the EU and UK post-Brexit.

Synthesized by Vypr AI