Skip to main content
Threat IntelligenceEmerging Threats

UK, EU Attribute Poland Cyberattack to Russian Spies, Warn Infrastructure Operators

Control room with industrial equipment and officials monitoring power distribution systems.

"Another example of the Russian state's irresponsible attempts to sow chaos across Europe," the Foreign, Commonwealth & Development Office said, describing the December 2025 cyberattack on Poland's power grid that the UK and EU have now formally attributed to Russia's Federal Security Service (FSB), specifically its Centre 16 division.

Attribution to FSB Centre 16 and the failed disruption in Poland

The UK and EU announced a coordinated attribution linking the December 2025 incident against Poland's electrical system to the FSB's Centre 16. Poland's energy minister, Milosz Motyka, confirmed in January that the incident was an attack on the country's power grid and said experts suspected the attackers attempted to disrupt communication between renewable hardware and power distribution operators. According to the FCDO, the intrusion could have left half a million Poles without power in midwinter, a cyberattack the office described as having "potentially lethal consequences." Authorities say the effort was ultimately unsuccessful.

Tradecraft: DynoWiper, SNMP scanning, and Cisco Smart Install

The publicly released advisory links the attempted operation in Poland to the attempted deployment of DynoWiper malware — a destructive tool the intelligence partners say is typically associated with Russian state-backed activity. The technical advisory, co-authored by the UK National Cyber Security Centre (NCSC) and published Monday, highlights a principal Centre 16 tactic: scanning for devices that respond with SNMPv1 or SNMPv2.

The document urges defenders to disable SNMPv1 and SNMPv2, adopt SNMPv3 with authPriv (which provides strong authentication and data encryption), and to disable Cisco Smart Install on all devices. The advisory explains how Centre 16 abuses default or easily guessed SNMP community strings to gain access to routers and other network devices, extract configuration data, and transfer that data to servers under the attackers' control to facilitate persistent access. It also covers exploitation of Cisco devices where Smart Install is enabled.

Context from past Russian-aligned operations cited in the advisory

The NCSC and its international partners point to overlapping tactics, techniques, and procedures between Centre 16 and other Russia-aligned groups. The briefing notes earlier disruptive operations associated with Russian military intelligence: Mandiant previously tied 2023 blackouts in Ukraine to Sandworm's deployment of CaddyWiper, and the NCSC and allies linked the same military intelligence unit to the 2022 WhisperGate wiper attacks at the outset of Russia's invasion. Defenders were also reminded of prior warnings — in April, the NCSC and others separately warned about the same SNMP scanning technique.

Sanctions, naming of GRU figures, and cybercrime connections

Alongside the attribution and advisory, the UK and EU announced new sanctions targeting an array of Russian individuals and entities, including GRU officials, cybercriminals, hacktivists and pro‑Kremlin outlet Rybar for alleged false narratives and election interference. The most prominent designations singled out Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko, accused of orchestrating cyber and hybrid operations and of working with cybercriminals and a company called IMPULS to recruit cybersecurity specialists from Russian universities and academies.

Sanctions also targeted operators linked to Lumma Stealer, an infostealer malware family. The UK's National Crime Agency data cited in the announcement indicates at least 2,100 victims in the UK were identified as infected with Lumma Stealer over a six‑month span. The UK confirmed the Russian state has used Lumma Stealer to gather stolen credentials and to launch cyberespionage operations against global targets. The 24 new sanctions add to more than 3,400 existing EU and UK designations linked to support for Russia's war efforts.

Dutch advisory on compromised IP cameras and image recognition

Separate but contemporaneous warnings from Dutch authorities described Russian espionage units targeting internet‑connected cameras to collect imagery on military logistics routes and infrastructure. Dutch intelligence said at least one Russian intelligence unit targets the Netherlands and other NATO members, using IP camera footage and image recognition software to detect military vehicles, shipments to Ukraine, and locations of Ukrainian soldiers. The advisory said abusing default passwords is the most common method for gaining access to cameras, and that security updates are rarely applied.

What this means for energy operators, network defenders, and policymakers

  • Energy operators: The NCSC advisory directly flags energy networks as a high‑risk target and recommends immediate technical changes — notably disabling SNMPv1/v2 and Cisco Smart Install — to reduce the chance of compromise.
  • Network defenders and IT teams: The advisory links well‑known device misconfigurations (default community strings, Smart Install enabled) to persistent access and destructive outcomes, urging rapid patching, configuration audits, and the adoption of SNMPv3 with authPriv.
  • Policymakers and sanction authorities: The coordinated naming of Centre 16 and the simultaneous expansion of sanctions — including against GRU leaders and malware operators — signal a combined diplomatic and punitive response that pairs public technical guidance with economic measures.

Jonathon Ellison, director of national resilience at the NCSC, framed the advisory as "decisive, actionable directions" and urged organisations responsible for critical networks to adopt the recommended measures immediately. When asked to provide more detail on the specific evidence supporting the attribution, the NCSC declined to comment on operational matters.

The authorities have published both a technical playbook and a sanctions list; the immediate test will be whether operators apply the mitigations the advisory prescribes and whether the newly targeted sanctions disrupt the networks named by the UK and EU. For now, the published record ties a December 2025 intrusion to Centre 16, details a familiar set of misconfigurations and malware, and extends a broader international campaign of warnings and punitive steps.

Original story on The Register