Full Report
Another year of CERT Polska’s activities is behind us. It was a special one, as it marked the end of the third decade of our operations – we are celebrating our 30th anniversary! The year 2025 was a time full of challenges, growth, and a comprehensive approach to shaping cybersecurity – from proactive threat detection, through handling reports and responding to incidents, to sharing knowledge and building public awareness.
Analysis Summary
# Incident Report: CERT Polska 2025 Annual Cybersecurity Landscape
## Executive Summary
The 2025 annual report by CERT Polska, published in the organization's 30th anniversary year, describes a threat landscape that evolved significantly over the year. It was characterized by a rise in complex fraud campaigns, Advanced Persistent Threat (APT) activity, and ransomware, countered by proactive national defense initiatives and international cooperation.
## Incident Details
- **Discovery Date:** Ongoing throughout 2025
- **Incident Date:** January 1, 2025 – December 31, 2025
- **Affected Organization:** Various (National-level monitoring)
- **Sector:** Cross-sector (Government, Finance, Industry, Public Sector)
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** Various throughout 2025
- **Vector:** Phishing, SMS (Smishing), exploitation of web vulnerabilities, and mobile malware.
- **Details:** Attackers utilized social engineering via SMS fraud and deceptive investment schemes to lure victims.
### Lateral Movement
- **Details:** Observed primarily in APT and ransomware campaigns where attackers shifted from initial entry points to high-value assets using internal network exploitation.
### Data Exfiltration/Impact
- **Details:** Significant data leaks were recorded; ransomware groups focused on data encryption and "double extortion" (stealing data before encryption).
### Detection & Response
- **Detection:** Identified through the **Artemis** scanner, **n6** platform, and public reports via **moje.cert.pl**.
- **Response:** Actions included updating the "Warning List" of malicious domains, blocking fraudulent SMS messages, and conducting coordinated vulnerability disclosures (CVD).
## Attack Methodology
- **Initial Access:** Smishing (SMS fraud), malicious email attachments, and exploitation of CMS vulnerabilities.
- **Persistence:** Utilization of specialized malware families and mobile-specific trojans.
- **Privilege Escalation:** Exploitation of key software vulnerabilities and unpatched public-sector applications.
- **Defense Evasion:** Use of legitimate tools for malicious purposes and obfuscated malware code (analyzed via MWDB).
- **Credential Access:** Phishing pages mimicking banking logins and public services.
- **Discovery:** Automated scanning of public infrastructure (monitored by the Artemis project).
- **Lateral Movement:** Standard APT techniques moving from public-facing servers to internal databases.
- **Collection:** Gathering of PII (Personally Identifiable Information) and financial credentials.
- **Exfiltration:** Transfer of data to C2 (Command & Control) servers, often hidden in encrypted traffic.
- **Impact:** Financial loss from fraud, operational disruption from ransomware, and reputational damage via data leaks.
## Impact Assessment
- **Financial:** High; widespread losses reported from "fake investment" and "fake consultant" schemes.
- **Data Breach:** High volume; numerous data leaks affected both private and public sectors.
- **Operational:** Business disruptions caused by targeted ransomware attacks on industrial and public sectors.
- **Reputational:** Public trust challenges addressed through awareness campaigns like "OUCH!".
## Indicators of Compromise
- **Network indicators:** Thousands of domains added to the Warning List (e.g., `hxxps[://]fraud-login[.]pl`).
- **File indicators:** Malware samples documented in the Malware Database (MWDB).
- **Behavioral indicators:** Unusual SMS patterns and unauthorized access attempts tracked by the **n6** system.
## Response Actions
- **Containment:** Real-time blocking of malicious URLs via the national Warning List.
- **Eradication:** Coordinated takedowns of C2 infrastructure and malware cleanup.
- **Recovery:** Implementation of sectoral CSIRT teams to assist specific industries in returning to normal operations.
## Lessons Learned
- **Key Takeaways:** Human awareness remains the primary defense line against social engineering.
- **Improvements:** More automated scanning (Artemis) is required to identify vulnerabilities before attackers do.
## Recommendations
- **Prevention:** Implement Multi-Factor Authentication (MFA) across all sectors.
- **Protection:** Organizations should integrate with CERT Polska’s **n6** and **Warning List** feeds.
- **Awareness:** Regular training for employees on identifying smishing and deceptive attachments.
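As an added illustration of the Protection recommendation above and of the defanged indicator shown in the Indicators section (example code written for this summary, not code from the report or from CERT Polska's own tooling), the Python below refangs a constructed Warning List-style feed excerpt and matches constructed DNS query log lines against it label-wise, so that subdomains of a listed domain are caught while look-alike names are not. The feed format, the log format and all sample values are assumptions.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed feed excerpt in the defanged style used for published indicators
# (placeholder entries, not real Warning List domains).
SAMPLE_FEED = """\
# constructed feed excerpt
hxxps[://]fraud-login[.]pl
fake-invest[.]example
"""

# Constructed DNS query log: timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2025-03-01T10:15:02Z 10.0.0.12 fraud-login.pl
2025-03-01T10:15:09Z 10.0.0.12 cdn.fake-invest.example
2025-03-01T10:16:30Z 10.0.0.44 intranet.corp.example
2025-03-01T10:17:01Z 10.0.0.44 notfraud-login.pl
"""

def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.], [://]) and keep only the hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("[://]", "://")
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.split("/")[0].split(":")[0]

def load_feed(text: str) -> Set[str]:
    """Parse feed lines into a set of listed hostnames, skipping comments and blanks."""
    return {refang(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def is_listed(qname: str, listed: Set[str]) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None.
    Matching is label-wise, so 'notfraud-login.pl' does not match 'fraud-login.pl'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None

def scan_dns_log(log_text: str, listed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, listed_domain) for every query that hits the feed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            match = is_listed(parts[2], listed)
            if match:
                hits.append((parts[0], parts[1], match))
    return hits
```

Running `scan_dns_log(SAMPLE_DNS_LOG, load_feed(SAMPLE_FEED))` flags the two clients that resolved a listed domain or one of its subdomains; the look-alike `notfraud-login.pl` is left alone.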