Full Report
The UK and EU are demanding urgent action from critical infrastructure organizations after formally attributing the December 2025 cyberattack on Poland’s power grid to Russia’s Federal Security Service. The Foreign, Commonwealth & Development Office (FCDO) described the attack, carried out by the FSB’s Centre 16 division, as “another example of the Russian state’s irresponsible attempts…
Analysis Summary
# Incident Report: FSB Targeted Attack on Poland’s Power Grid
## Executive Summary
In December 2025, the Russian Federal Security Service (FSB) executed a sophisticated cyberattack against Poland’s electrical infrastructure. Attributed to the FSB’s Centre 16 division, the operation specifically targeted the communications layer between renewable energy hardware and power distribution operators. The incident has prompted formal diplomatic condemnation and urgent security warnings from the UK and EU to all critical infrastructure organizations.
## Incident Details
- **Discovery Date:** January 2026
- **Incident Date:** December 2025
- **Affected Organization:** Polish Power Grid (National Infrastructure)
- **Sector:** Energy / Critical Infrastructure
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** December 2025
- **Vector:** Targeted intrusion against grid communication systems.
- **Details:** The threat actor, identified as FSB Centre 16, gained access to the systems managing the interface between power generation and distribution.
### Lateral Movement
- **Details:** The attackers moved laterally from general IT/network environments into the Operational Technology (OT) and Industrial Control Systems (ICS) communication protocols.
### Data Exfiltration/Impact
- **Details:** The primary impact was the disruption of critical communication channels between renewable hardware (e.g., wind turbines) and the central power distribution operators. No mass data exfiltration of consumer data was reported; the focus was on operational chaos.
### Detection & Response
- **How it was discovered:** Anomalies in renewable hardware reporting and distribution commands were identified by Polish energy experts.
- **Response actions taken:** Poland’s Energy Ministry initiated an investigation in January 2026; the UK Foreign, Commonwealth & Development Office (FCDO) and EU later provided formal attribution and technical support.
## Attack Methodology
- **Initial Access:** Exploitation of external-facing communication interfaces.
- **Impact:** Disruption of Operational Technology (OT) communications to "sow chaos" and degrade the reliability of renewable energy sources.
- **Targeting:** Specifically focused on the integration of renewable energy into the national grid.
## Impact Assessment
- **Financial:** Undisclosed, but involves the cost of emergency incident response and stabilization of the grid.
- **Data Breach:** Non-consumer focused; focused on proprietary grid configuration and operational commands.
- **Operational:** Disrupted communication between hardware and operators, potentially leading to instability in power distribution.
- **Reputational:** High diplomatic tension; reinforced the vulnerability of European energy grids to Russian state-sponsored actors.
## Indicators of Compromise
*(Note: Specific technical hashes and IPs were not detailed in the public disclosure; however, typical Centre 16 activity includes:)*
- **Network:** Unscheduled communication attempts between renewable controllers and external Russian-associated IP ranges [defanged: 194[.]x[.]x[.]x].
- **Behavioral:** Unauthorized modifications to ICS/SCADA communication protocols and unusual polling rates from renewable energy assets.
## Response Actions
- **Containment:** Isolation of affected communication modules between the grid and renewable sources.
- **Eradication:** Removal of persistence mechanisms planted by Centre 16 within the grid management software.
- **Recovery:** Restoration of verified communication links and hardening of the interface between hardware and operators.
## Lessons Learned
- **Key takeaways:** Russian state actors are increasingly targeting the "Green Energy" transition, viewing the integration of renewable hardware as a vulnerable entry point to the wider grid.
- **What could have been done better:** Earlier detection of anomalous communication between field hardware and the central distribution office could have mitigated the duration of the "chaos" period.
## Recommendations
- **Asset Hardening:** Implement strict mutual authentication (mTLS) for all communications between renewable energy assets (wind/solar) and the primary grid.
- **Network Segmentation:** Ensure a robust "air-gap" or highly restricted unidirectional gateway between the Business IT network and the Power Distribution OT network.
- **Monitoring:** Deploy specialized ICS/OT monitoring solutions capable of detecting protocol-level anomalies in energy distribution commands.