Full Report
A combined heat and power (CHP) plant serving nearly half a million Poles was targeted in a cyberattack in December. The goal was to freeze people in their homes on one of the coldest weeks of the year. Polish intelligence traced the plot back to at least March 2025 and identified nine months of reconnaissance, stolen credentials, and malware designed to…
Analysis Summary
# Incident Report: Attempted Critical Infrastructure Disruption of Polish CHP Plant
## Executive Summary
In December 2025, a combined heat and power (CHP) plant in Poland was targeted by a sophisticated cyberattack attributed to Russian intelligence services. The operation aimed to disrupt heating services for approximately 500,000 residents during a period of extreme cold. While the attackers successfully infiltrated the network and deployed data-wiping malware, the full impact was mitigated by Polish security defenses and international coordination.
## Incident Details
- **Discovery Date:** Late 2025 (the intrusion was monitored for months before the attack was executed)
- **Incident Date:** December 2025
- **Affected Organization:** Unspecified Combined Heat and Power (CHP) plant
- **Sector:** Energy / Critical Infrastructure
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** Circa March 2025
- **Vector:** Credential Theft
- **Details:** Attackers gained an initial foothold through stolen credentials, beginning a nine-month period of silent reconnaissance.
### Lateral Movement
- **Details:** Following the initial breach, the actors spent months moving through the plant’s internal networks to identify high-value targets and command-and-control systems for the heating infrastructure.
### Data Exfiltration/Impact
- **Details:** The primary goal was disruption rather than theft. Malware designed to destroy data and paralyze computer systems was deployed in December 2025 to coincide with a severe cold wave.
### Detection & Response
- **How it was discovered:** Monitored by Polish intelligence and CERT Polska.
- **Response actions taken:** Polish authorities foiled the full execution of the attack; CISA issued a formal alert following the attribution to Russian intelligence.
## Attack Methodology
- **Initial Access:** Stolen credentials.
- **Persistence:** Long-term presence (9 months) within the network.
- **Privilege Escalation:** Not explicitly detailed, but implied via access to core plant computer systems.
- **Defense Evasion:** Low-and-slow reconnaissance over three quarters of a year to avoid detection.
- **Credential Access:** Theft of legitimate user logins.
- **Discovery:** Extensive nine-month reconnaissance of plant operations.
- **Lateral Movement:** Movement from IT into OT (Operational Technology) environments, suggested by the systems that were targeted.
- **Collection:** Information gathering on plant infrastructure.
- **Exfiltration:** Not the primary motive.
- **Impact:** Deployment of wiper malware designed to destroy system data.
## Impact Assessment
- **Financial:** Undisclosed; costs associated with incident response and remediation.
- **Data Breach:** Destruction-focused malware rather than data theft.
- **Operational:** Potential loss of heating for 500,000 citizens; avoided due to successful intervention.
- **Reputational:** High-profile targeting of crucial national infrastructure during a humanitarian-sensitive period (winter).
## Indicators of Compromise
- **Network indicators:** None provided in public report (Contact Polish Intelligence/CERT.pl for defanged lists).
- **File indicators:** Malware designed for data destruction (wiper-class).
- **Behavioral indicators:** Unusual login activity from March 2025; unauthorized access to plant control systems.
## Response Actions
- **Containment measures:** Isolation of infected systems containing wiper malware.
- **Eradication steps:** Removal of Russian intelligence-linked persistence mechanisms.
- **Recovery actions:** Hardening of energy-sector infrastructure; the Polish Prime Minister publicly praised the cyber defenses involved.
## Lessons Learned
- **Key takeaways:** Critical infrastructure remains a primary target for geopolitical signaling and "Grey Zone" warfare.
- **What could have been done better:** The nine-month dwell time suggests a need for more robust behavioral analytics to detect stolen credential usage earlier in the kill chain.
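The behavioral-analytics gap noted above, as an added example that is not part of the report or of CERT Polska's or CISA's tooling: a per-account baseline of source addresses, login hours and target hosts is built from historical authentication events, and later events are flagged when they deviate from it. The events, user and host names, and the OT naming convention are constructed assumptions, not indicators from the incident.

```python
from collections import defaultdict
# Constructed sample events (not real indicators): (date-hour, user, source, target).
# Host and user names are assumptions; "hmi-"/"scada-"/"plc-" mark OT systems.
BASELINE = [
    ("2025-01-14 08", "operator1", "10.10.5.21", "hmi-ws01"),
    ("2025-01-15 09", "operator1", "10.10.5.21", "hmi-ws01"),
    ("2025-01-14 10", "itadmin", "10.20.1.5", "ad-dc01"),
    ("2025-02-03 11", "itadmin", "10.20.1.5", "file-srv01"),
]
CANDIDATES = [
    ("2025-03-02 09", "operator1", "10.10.5.21", "hmi-ws01"),   # within baseline
    ("2025-03-03 02", "itadmin", "203.0.113.7", "ad-dc01"),     # new source, odd hour
    ("2025-03-10 11", "itadmin", "10.20.1.5", "scada-hist01"),  # IT account reaching OT
]
OT_PREFIXES = ("hmi-", "scada-", "plc-")


def build_baseline(events):
    """Per-user sets of source addresses, login hours and target hosts."""
    base = defaultdict(lambda: {"sources": set(), "hours": set(), "targets": set()})
    for ts, user, src, target in events:
        base[user]["sources"].add(src)
        base[user]["hours"].add(int(ts[-2:]))
        base[user]["targets"].add(target)
    return base


def detect(baseline, events, hour_slack=2):
    """Return (user, timestamp, reasons) for every event that deviates from
    the account's baseline: unseen source, hour more than hour_slack from
    all baseline hours, or the account's first access to an OT-class host."""
    findings = []
    for ts, user, src, target in events:
        prof = baseline.get(user)
        hour = int(ts[-2:])
        reasons = []
        if prof is None:
            reasons.append("account absent from baseline")
        else:
            if src not in prof["sources"]:
                reasons.append(f"new source {src}")
            if all(abs(hour - h) > hour_slack for h in prof["hours"]):
                reasons.append(f"unusual hour {hour:02d}")
            if target.startswith(OT_PREFIXES) and not any(
                    t.startswith(OT_PREFIXES) for t in prof["targets"]):
                reasons.append(f"first OT access ({target})")
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

In a real deployment the baseline would be rebuilt from weeks of directory and jump-host logs rather than a handful of rows, and the IT-to-OT transition is the finding most worth alerting on in a plant network.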
## Recommendations
- **Multi-Factor Authentication (MFA):** Implementation of hardware-based MFA to negate the utility of stolen credentials.
- **Network Segmentation:** Rigorous isolation between administrative IT networks and Industrial Control Systems (ICS).
- **Endpoint Detection & Response (EDR):** Deployment of EDR tools to identify and block wiper malware before it can execute its destructive payload.
- **Threat Intelligence:** Regular monitoring of alerts from CISA and CERT.pl regarding Russian state-sponsored TTPs.