WARSAW, Poland (AP) — Poland experienced 2 times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday.
In December, the country faced a destructive attack on its energy system believed to be unprecedented among NATO and European Union members, and suspected of originating in Russia.
Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said on Tuesday.
“We've been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”
The government, now led by Prime Minister Donald Tusk, has beefed up its cyber defences since the start of Russia's full-scale invasion of Ukraine on Feb. 24, 2022, in response to what it believes to be a rising threat from Russia.
During the morning and afternoon of Dec. 29, coordinated cyberattacks hit a combined heat and power, or CHP, plant supplying heat to almost 500,000 customers, as well as multiple wind and solar farms in Poland.
Polish authorities said that the actions were likely performed “by the same threat actor,” with multiple experts pointing to malicious actors linked to Russian secret services.
The electricity supply wasn't disrupted, but the nature of the sabotage attack alarmed Polish authorities so much that they put out a report laying out the technical details of the incident and asking the cyber community to chip in with any observations about what happened.
“The attack was a significant escalation,” Marcin Dudek, head of CERT Polska, or Computer Emergency Response Team Poland, told The Associated Press. The team, which operates within the state research institute NASK, is responsible for responding to computer security incidents.
It was Dudek’s team that prepared the governmental report.
“We’ve had such incidents in the past, but they were of the ransomware type, where the motivation of the attacker is financial,” Dudek said. “In this case, there was no financial motivation — the motivation was just destruction.”
He said that Poland has seen few destructive incidents in the past and none of them were in the energy sector.
Dudek said that he wasn't aware of any other destructive cyberattacks on the energy sector in either NATO or EU countries. There have been many espionage incidents as well as situations in which activist groups managed to cause marginal damage to devices, but “advanced attacks” like the December one in Poland are likely unprecedented, he said.
If the scale of the attack was bigger and larger energy units were targeted, an action like this “could impact the stability of the Polish grid system,” Dudek said.
The Polish secret services haven't yet publicly identified an alleged culprit. Dudek’s team only has the prerogatives to describe the modus operandi and point to a likely “threat actor” responsible. In cyber jargon, a threat actor is an individual or group engaging in malicious activity.
According to the CERT analysis, the infrastructure used for the Polish attack, including domains and internet protocol, or IP, addresses — a numeric designation that identifies its location on the internet — had been used before by a Russian threat actor known by the name “Dragonfly,” also called “Static Tundra” or “Berserk Bear.”
Dudek says Dragonfly is known to have engaged in espionage cyber actions against the energy sector, but so far it hasn’t been associated with a destructive one.
According to an alert issued by the FBI in August 2025, Dragonfly is a cybersecurity cluster associated with the FSB Center 16 unit, a key unit within Russia’s Federal Security Service responsible for signals intelligence, electronic espionage and cyber operations.
“For over a decade, this unit has compromised networking devices globally,” the FBI wrote.
Experts unrelated to Polish authorities agree that the traces lead back to Russia.
ESET, one of the largest cybersecurity companies in the EU, was alerted when the attack happened because one of the Polish companies affected had purchased its cyber solutions. After analyzing the malware used in the attack, ESET experts concluded that the threat actor involved was likely Sandworm.
The group says it recognized patterns it had seen before in more than 10 incidents, including destructive malware, most happening in Ukraine, which it had investigated before.
The U.S. government has in the past attributed Sandworm to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU.
Anton Cherepanov, senior malware researcher at ESET, told The Associated Press that “the use of data-wiping malware and its deployment” in the Polish case “are both techniques commonly employed by Sandworm.”
The threat actor frequently targets energy companies, he said. This specific type of destructive attack, however, was only typical in Ukraine recently.
“We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries,” Cherepanov added.
CERT, the body affiliated with the Polish government, is less certain about Sandworm.
“CERT Polska cannot conclusively determine whether the actor behind the ‘Sandworm’ activity cluster participated in the attack to any extent,” it wrote in its report.
Whether Dragonfly or Sandworm, none of the experts deny that the threat actor likely involved is one that Western services have previously affiliated with Russia.
“Whether it’s these Russians or those Russians is a detail,” Cherepanov said.
The Russian Embassy in Warsaw didn't respond to requests for comment.
Copyright 2026 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.