Russian government hackers waltzed into Poland's energy infrastructure using the oldest trick in the cybersecurity book - default usernames and passwords. The breach, disclosed Friday by Poland's Computer Emergency Response Team, targeted wind farms, solar facilities, and a heat-and-power plant with wiper malware designed to erase critical systems. While the attacks failed to disrupt power, they expose how vulnerable critical infrastructure remains to nation-state threats, even years after similar Russian campaigns darkened Ukrainian cities.
Russian government hackers broke into Poland's energy grid infrastructure last month, and they didn't need sophisticated zero-days to do it. Default passwords were enough.
Poland's Computer Emergency Response Team dropped a technical report Friday detailing December 29 intrusions that hit wind farms, solar facilities, and a heat-and-power plant. The attackers faced virtually no resistance - targeted systems were still running factory-set usernames and passwords, with multi-factor authentication nowhere in sight. These are the kind of basic security mistakes that make incident responders want to pull their hair out.
The hackers came loaded with wiper malware designed to erase and destroy the systems controlling Poland's distributed energy infrastructure. At the heat-and-power plant, defenders managed to stop the attack before the malware could execute. But at the wind and solar farms, the wipers succeeded in rendering monitoring and control systems completely inoperable.
"All of the attacks were purely destructive in nature - by analogy to the physical world, they can be compared to deliberate acts of arson," Poland's CERT wrote in the report. The language signals how seriously Warsaw is taking these intrusions, even though no power was actually cut.
That's the silver lining here. Despite the successful system destruction at multiple facilities, the lights stayed on. Poland's CERT assessed that even if the attackers had achieved their full objectives, it "would not have affected the stability of the Polish power system during the period in question." The country's grid proved resilient enough to absorb the hit.
But the attribution picture gets messy. Cybersecurity firms ESET and Dragos both released their own analyses pointing fingers at Sandworm, the Russian military intelligence unit with a well-documented obsession with turning off power grids. Sandworm's track record speaks for itself - they successfully cut electricity in Ukraine in 2015, 2016, and 2022.
Poland's government, however, attributes the attacks to a different Russian hacking group called Berserk Bear (also known as Dragonfly). That's a curveball. Berserk Bear typically focuses on traditional espionage operations, not destructive wiper attacks. The group has historically targeted energy sectors for intelligence collection, not infrastructure destruction. Why Poland's CERT sees Berserk Bear's fingerprints where private sector analysts see Sandworm's remains unclear from the public reporting.
The technical details matter less than the strategic message. Poland, a NATO member and staunch Ukraine supporter, just publicly accused Russia of attempting to sabotage its critical infrastructure. The timing - late December 2025 - coincides with continued tensions over the war in Ukraine and Poland's role as a key logistics hub for Western military aid.
What's truly alarming is how preventable this was. We're talking about critical energy infrastructure in 2026 still running on default credentials. No MFA. No basic hardening. The kind of security posture that would fail an entry-level IT audit. Poland's CERT is essentially telling the world that its energy sector had been skating on borrowed time, and Russian hackers finally called it on that.
The incident raises uncomfortable questions about infrastructure security across Europe. If Polish facilities were this exposed, how many other grid operators are one default password away from a similar breach? The answer probably isn't reassuring.
On Russia's part, this looks like either a probing operation to test defenses and response capabilities, or a failed attempt at sending Poland a very direct message. The deployment of wiper malware signals destructive intent, not just reconnaissance. But the relatively limited impact suggests either that the operation was detected earlier than planned, or that Russian intelligence miscalculated the potential cascade effects.
Cybersecurity professionals have been screaming about infrastructure vulnerabilities for years. This breach is exactly the scenario they've been warning about - state-sponsored attackers with proven capabilities targeting inadequately defended systems. The difference is that Poland got lucky. The malware executed, systems were destroyed, but the grid stayed stable.
Next time, they might not be so fortunate.
This breach is a wake-up call that critical infrastructure operators can't afford to ignore. Russian state hackers just proved they can penetrate NATO member energy systems using security mistakes that shouldn't exist anywhere, let alone on grid infrastructure. Poland dodged a bullet - their systems were compromised and partially destroyed, but the lights stayed on. The real question is how many other facilities across Europe and beyond are running the same vulnerable configurations, just waiting for the next state-sponsored hacking group to come knocking. Default passwords aren't a technical problem anymore. They're a national security liability.