What risks do cyberattacks pose to critical infrastructure?

In 2025, there were 187 confirmed ransomware attacks on the energy sector, an 80% year‑on‑year increase. Poland recorded over 627,000 cyber incidents, and a December 2025 attack threatened a blackout.

Critical infrastructure encompasses systems and their interconnections whose disruption or destruction could threaten the life and health of citizens, public safety, substantial property or the natural environment. In practice, this primarily means the energy sector (power plants, transmission grids, wind and solar farms, district heating), water and sanitation (treatment plants, pumping stations, sewage works), transport (railways, airports, ports, traffic management systems), telecommunications (mobile and fibre networks, data centres) and healthcare (hospitals, emergency systems, patient databases). Each of these sectors is highly digitised and automated, making them vulnerable to disruptions originating from the internet.

A particular role is played by OT (operational technology) systems – the controllers and devices responsible for the physical operation of industrial processes. Many of these were not designed with cybersecurity in mind: they were built decades ago, use obsolete communication protocols (such as Modbus or DNP3), have no built‑in authentication or encryption mechanisms, and their architecture often assumes trust in all connected devices. As OT systems are connected to corporate IT networks for remote management and monitoring, previously isolated devices become accessible via the internet, opening new vectors for attackers. As experts point out, OT systems were designed for reliability, not cybersecurity, leaving them defenceless against modern threats.
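To make the design gap concrete, the following is an added example (not code from the article or from any vendor): a minimal Modbus/TCP frame parser plus a passive monitoring rule that flags write requests coming from any host not on an allowlist of engineering stations. The frame layout is the public Modbus/TCP format; the IP addresses, the allowlist and the captured frames are constructed for the example.

```python
import struct

# Modbus function codes that change process state (writes) versus those that only read.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data).
    Every field is a plain integer; nothing identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction": transaction_id, "unit": unit_id,
            "function": frame[7], "data": frame[8:]}

def audit_modbus_traffic(packets, allowed_writers):
    """Network-monitoring rule: flag write requests from any source not on the
    allowlist of engineering stations, and flag malformed frames."""
    alerts = []
    for src_ip, frame in packets:
        try:
            adu = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src_ip, "malformed frame", str(err)))
            continue
        name = WRITE_FUNCTIONS.get(adu["function"])
        if name and src_ip not in allowed_writers:
            alerts.append((src_ip, name, f"unit {adu['unit']}"))
    return alerts

# Constructed sample capture: (source IP, raw Modbus/TCP frame).
SAMPLE_PACKETS = [
    ("10.0.0.5",   b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # HMI reads 10 holding registers
    ("10.0.0.5",   b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),  # engineering station writes register 16
    ("192.0.2.77", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),  # unknown host forces coil 1 ON
    ("192.0.2.77", b"\x00\x04\x00\x00\x00\x09\x01\x10"),                  # truncated frame
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in audit_modbus_traffic(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

Because the protocol carries no sender identity, the allowlist has to come from the network layer (IP, VLAN or firewall zone), which is exactly why segmentation of the OT network matters.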

Rising scale and frequency of attacks

Data collected worldwide leaves no doubt about the dynamics of the threat. According to the Cyble Energy & Utilities Threat Landscape Report 2025, 187 confirmed ransomware attacks were recorded in the energy and utilities sector alone in 2025, and this figure does not include unsuccessful attempts. LevelBlue SpiderLabs research showed a staggering 80 percent year‑on‑year increase in ransomware activity in the energy sector. Globally, the number of ransomware incidents in the energy and utilities sector in 2025 was higher than in previous years, with the main perpetrators being groups such as RansomHub (24 attacks, 12.8 percent), Akira (20 attacks, 10.7 percent) and Play (18 attacks, 9.6 percent).

Poland is one of the European Union countries most exposed to cyberattacks, as confirmed by official statistics. In 2024, over 627,000 cyber incidents were recorded, a 60 percent increase compared to 2023, and the number of confirmed security breaches was 111,660, up 23 percent from the previous year. In 2023, the number of incidents was 80,267, already a 100 percent increase year‑on‑year. According to Deputy Minister of Digital Affairs Dariusz Standerski, Poland repels between 20 and 50 attack attempts on its critical infrastructure every day, most of which are successfully neutralised, but some – especially those targeting healthcare facilities – succeed. In response to the growing threat, the Polish government increased its cybersecurity budget from €600 million in 2024 to €1 billion in 2025, an increase of about 67 percent.

Variety of perpetrators and motivations

The spectrum of actors carrying out attacks on critical infrastructure is wide, and their motivations equally varied. The most serious threat comes from state‑sponsored hacker groups, which act on behalf of military intelligence and special services to achieve geopolitical goals. In Poland’s case, the main adversary in cyberspace is Russia, whose intelligence agencies – including the GRU – have for years conducted operations targeting Polish energy grids, water systems, transport and public administration. This is confirmed by a report from the Polish Internal Security Agency (ABW), which showed that state‑sponsored cyberattacks on industrial systems and public infrastructure escalated sharply in 2024 and 2025. In particular, state actors attacked military facilities, critical infrastructure and civilian sites across Poland, including systems regulating water supplies, electricity, transport and other services essential for the functioning of the state. The ABW report also stressed that the observed trend is moving away from data theft towards physical disruption of infrastructure.

Alongside state‑backed operations, criminal groups acting for financial gain play a growing role, using ransomware to encrypt data and demand payment. In 2025, such groups were responsible for the vast majority of high‑profile attacks on the energy sector. Hacktivists – activists acting in the name of political, social or ideological causes – should not be overlooked either, for example pro‑Russian collectives like NoName057(16), which coordinated DDoS attacks on European infrastructure through a gamification platform that encouraged volunteers to participate in cyber operations. The use of artificial intelligence by attackers is also increasingly alarming: AI allows for automation of attacks, faster vulnerability detection and the creation of convincing phishing campaigns on an unprecedented scale.

Methods of attack – evolution of techniques

Modern attacks on critical infrastructure are carefully planned operations that often last months and consist of several stages. The first step is usually reconnaissance and penetration of the victim’s corporate systems. Attackers use sophisticated social engineering techniques – in 2026, “quishing” (phishing using QR codes that direct victims to fake login pages) became particularly popular. Attackers also run spear‑phishing campaigns, sending crafted emails with attachments or links to specific employees who have access to sensitive systems. The goal of this stage is to obtain credentials (logins and passwords) or directly install malicious software on devices connected to the corporate network.

The next stage is lateral movement – moving through the network in search of OT systems and industrial controllers. Because IT and OT networks are increasingly connected, once attackers gain a foothold in the corporate infrastructure they can move into the systems managing power plants, water treatment stations or electricity grids. Here the biggest problem is the low level of security of the OT devices themselves – many use default passwords, do not require multi‑factor authentication, and their software has not been updated for years. As the investigation after the attack on Poland’s electricity grid revealed, all the targeted facilities used FortiGate devices acting as VPN and firewalls that did not have multi‑factor authentication enabled. The attackers did not even need to guess passwords – they most likely bought previously stolen login credentials and then “just walked in”.

The final phase is the actual attack, which can take different forms. The most common are ransomware attacks, which encrypt data and demand a ransom. In the case of Halliburton, one of the largest oilfield services companies, a ransomware attack in August 2025 caused $35 million in losses. In some cases, attackers do not encrypt data but use so‑called wiper malware – software designed to permanently destroy data, often by overwriting it with random values. Among the most dangerous is the attack on Polish energy infrastructure, where attackers installed DynoWiper malware that overwrote files, leaving no possibility of data recovery. Simultaneously, attackers may conduct DDoS attacks on telecommunications networks and websites, further hampering communication and incident response. Researchers have also noted a rising number of cases where attackers do not limit themselves to cyberspace but use the access gained to physically damage devices – in the Polish grid attack, they loaded faulty firmware onto RTU controllers, locking the devices in a restart loop and rendering them useless.

Physical and operational consequences

The most serious risk from attacks on critical infrastructure is physical impact, which can spread over tens or hundreds of kilometres and affect the lives of millions of people. Damage or shutdown of a power plant, substation or transmission line can lead to a blackout – a total loss of voltage over a large area. In December 2025, Polish authorities reported a situation where operators lost control over about a quarter of the country’s energy mix, which in temperatures of minus 15 degrees Celsius could have led to a humanitarian catastrophe on an unimaginable scale – an estimated half a million households could have been left without heating. Although the attack was ultimately repelled, Minister of Digital Affairs Krzysztof Gawkowski admitted that Poland “came very close to a blackout”, and the event itself was the most serious attack on energy infrastructure in years. Hungary’s police anti‑virus group discovered malware that would allow remote manipulation of coal‑fired power plants, and Romania’s Oltenia power plant fell victim to the Gentlemen ransomware just after Christmas 2025.

Damage can also be long‑lasting and costly to repair. In the case of the attack on Polish renewable energy installations, the attackers not only disabled the equipment but permanently damaged it, requiring hardware replacement and significant financial outlays. A US nuclear power plant, Atomica, suffered a series of physical and cyber attacks on key operational and security personnel. In Poland, a Russian‑backed hacker operation in a city of at least 150,000 inhabitants nearly cut off the city’s drinking water supply, and in other locations hackers manipulated parameters at water treatment stations and sewage pumping stations. In 2021, a hacker tried to increase the concentration of sodium hydroxide in drinking water in Oldsmar, Florida, which could have poisoned residents. In Arkansas City, Kansas, in 2025, a cyberattack forced a water treatment plant to switch to manual mode. In December 2024, the Cyber Av3ngers group hacked at least ten water facilities in the United States.

Healthcare also falls victim to attacks, with particularly serious consequences. In Poland in 2025, hackers attacked the Ministry of Internal Affairs and Administration hospital in Kraków, blocking access to key IT systems. In other cases, cybercriminals caused temporary closures of medical facilities, preventing patient admissions and surgeries. In March 2026, the pro‑Iranian group Handala attacked Stryker Corporation, a leading medical technology company, forcing it to temporarily suspend production of medical devices. Globally, as many as 146 ransomware attacks on the energy and utilities sector were not made public.

Case study – the attack on Poland

The attack on Polish energy infrastructure on 29 December 2025 is considered by experts to be one of the most advanced and destructive cyberattacks on critical infrastructure in Europe’s history and serves as an excellent case study of contemporary threats. According to a CERT Polska report, the attack was a carefully planned operation whose preparations began as early as March 2025 – nine months before the actual attack date. During that time, the attackers conducted extensive reconnaissance, taking screenshots of industrial systems, exporting lists of running processes and collecting access credentials to various networks. This activity was so well camouflaged that it went unnoticed for months – the attackers moved slowly, carefully covering their tracks and not raising suspicion.

When the day of the attack came, its scale and coordination were unprecedented. The attackers struck simultaneously at least 30 locations across Poland, including wind farms, solar installations, electrical substations and a large combined heat and power plant serving about half a million customers. The choice of targets was not accidental – the attackers focused on decentralised energy sources that are crucial for system stability and are often less well protected than large, centralised power plants. In many cases, they exploited internet VPN gateways connected to RTU controllers that did not require multi‑factor authentication. The controllers themselves were protected with default passwords that had never been changed, and in many facilities these passwords were identical, greatly facilitating the attackers’ lateral movement.

The attackers used a mixture of techniques. For RTU controllers, they loaded faulty firmware that locked the devices in a restart loop. At the main combined heat and power plant, they used obtained administrative privileges to break into the software update system, then distributed a malicious archive containing wiper software that overwrote data across the entire network. Had it not been for the rapid response of engineering teams and appropriate emergency procedures, the consequences could have been catastrophic – operators would have lost control over a significant part of the grid, which in winter conditions could have led to large‑scale heating and power supply disruptions. Polish energy remained under continuous fire: in the week of 9‑15 November 2025 alone, over 2,500 attacks on the energy sector and over 2,200 on public administration were recorded.
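The three weaknesses named in the account above (remote‑access gateways without MFA, controllers left on factory defaults, and the same credential reused across sites) can be checked mechanically from an asset inventory. The following is an added example, not code from CERT Polska or from any operator: an audit over a constructed inventory that stores only SHA‑256 fingerprints of credentials, so the check never needs plaintext passwords. The site names, device names and "factory default" placeholder strings are all constructed.

```python
import hashlib
from collections import defaultdict

def credential_fingerprint(secret: str) -> str:
    """Fingerprint a credential so reuse can be detected without storing plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed placeholders standing in for vendor factory defaults (not real values).
KNOWN_DEFAULT_FINGERPRINTS = {
    credential_fingerprint("factory-default-placeholder-1"),
    credential_fingerprint("factory-default-placeholder-2"),
}

# Constructed sample inventory: one record per device, credential stored as fingerprint only.
INVENTORY = [
    {"site": "windfarm-A", "device": "vpn-gw-1", "kind": "vpn_gateway", "mfa": False,
     "cred_fp": credential_fingerprint("site-A-gateway-secret")},
    {"site": "windfarm-A", "device": "rtu-1", "kind": "rtu",
     "cred_fp": credential_fingerprint("factory-default-placeholder-1")},
    {"site": "solar-B", "device": "vpn-gw-1", "kind": "vpn_gateway", "mfa": True,
     "cred_fp": credential_fingerprint("site-B-gateway-secret")},
    {"site": "solar-B", "device": "rtu-1", "kind": "rtu",
     "cred_fp": credential_fingerprint("factory-default-placeholder-1")},
    {"site": "chp-C", "device": "rtu-7", "kind": "rtu",
     "cred_fp": credential_fingerprint("unique-secret-for-chp-C-rtu-7")},
]

def audit_inventory(inventory):
    """Return (site, device, finding) triples for the three weaknesses."""
    sites_using = defaultdict(set)
    for dev in inventory:
        sites_using[dev["cred_fp"]].add(dev["site"])
    findings = []
    for dev in inventory:
        site, name = dev["site"], dev["device"]
        if dev["kind"] == "vpn_gateway" and not dev.get("mfa", False):
            findings.append((site, name, "remote access gateway without MFA"))
        if dev["cred_fp"] in KNOWN_DEFAULT_FINGERPRINTS:
            findings.append((site, name, "factory default credential still in use"))
        shared = sites_using[dev["cred_fp"]]
        if len(shared) > 1:
            findings.append((site, name, f"credential shared across {len(shared)} sites"))
    return findings

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print(finding)
```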

New threats – battery storage and solar systems

As the energy transition progresses and the share of renewable sources increases, battery energy storage systems (BESS) become a new battlefield in cyberspace. Unlike traditional power plants that rely on physical combustion processes, modern energy storage systems are essentially programmable IT systems – they consist of battery management systems (BMS), programmable logic controllers (PLC), energy management software, communication networks for remote monitoring, and automated dispatch signals linked to grid frequency and market conditions. Because BESS responds to commands issued by software, and software is the primary target of attacks, gaining access to control systems or communication channels and deliberately destabilising grid balancing mechanisms is only a few keystrokes away.

Specific risks associated with energy storage include loss of oversight over distributed assets – an attack on the communication systems connecting dispersed storage units with grid operators could deprive dispatchers of the ability to monitor the system’s state, which with a high share of renewables makes maintaining grid stability practically impossible. Another risk is manipulation of dispatch signals: storage systems automatically respond to signals from the grid (frequency data, dispatch instructions, price signals). If these communication channels are compromised, an attacker could theoretically trigger coordinated discharge of many storage units at a time when the grid is already overloaded, or force them to charge when the system needs extra power, destabilising frequency and overloading protection devices. Moreover, because storage is often deployed in distributed energy systems, each location – often less well secured – is a potential entry point.
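The dispatch‑signal risk described above is, at bottom, a message‑authentication problem: the storage unit must be able to tell a genuine instruction from a forged, replayed or delayed one, and should apply its own plausibility limits even to genuine ones. The following is an added example, not code from any grid operator or BESS vendor: an operator side that signs dispatch instructions with HMAC‑SHA256, and a receiver that rejects tampered, misdirected, stale or replayed messages and caps the size of any single setpoint change. The key, unit identifier, timestamps and limits are constructed for the example; a real deployment would use per‑unit keys held in an HSM or key management service.

```python
import hmac
import hashlib
import json

def _canonical(body: dict) -> bytes:
    # Deterministic encoding so sender and receiver authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_dispatch(key: bytes, unit_id: str, setpoint_kw: float, issued_at: int) -> dict:
    """Operator side: attach an HMAC-SHA256 tag to a dispatch instruction."""
    body = {"unit": unit_id, "setpoint_kw": setpoint_kw, "issued_at": issued_at}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

class DispatchReceiver:
    """Storage-unit side: apply only authentic, fresh, non-replayed, plausible commands."""
    def __init__(self, key: bytes, unit_id: str, max_age_s: int = 30, max_step_kw: float = 500.0):
        self.key, self.unit_id = key, unit_id
        self.max_age_s, self.max_step_kw = max_age_s, max_step_kw
        self.last_issued_at = -1      # highest timestamp applied so far (replay guard)
        self.setpoint_kw = 0.0        # current commanded setpoint

    def accept(self, msg: dict, now: int):
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"                    # forged or tampered in transit
        if body.get("unit") != self.unit_id:
            return False, "wrong unit"                 # genuine command aimed at another asset
        if now - body["issued_at"] > self.max_age_s:
            return False, "stale"                      # delayed beyond the freshness window
        if body["issued_at"] <= self.last_issued_at:
            return False, "replay"                     # old command presented again
        if abs(body["setpoint_kw"] - self.setpoint_kw) > self.max_step_kw:
            return False, "step exceeds local limit"   # plausibility guard, even when authentic
        self.last_issued_at = body["issued_at"]
        self.setpoint_kw = body["setpoint_kw"]
        return True, "applied"

def demo():
    """Walk one receiver through a valid command and four rejected variants."""
    key = b"constructed-shared-key-for-example"
    rx = DispatchReceiver(key, "bess-07")
    good = sign_dispatch(key, "bess-07", 250.0, issued_at=1000)
    outcomes = [rx.accept(good, now=1005)]
    forged = dict(good, setpoint_kw=-2000.0)            # setpoint altered, tag no longer matches
    outcomes.append(rx.accept(forged, now=1005))
    outcomes.append(rx.accept(good, now=1006))           # same valid message replayed
    outcomes.append(rx.accept(sign_dispatch(key, "bess-07", 300.0, 1010), now=1100))    # too old
    outcomes.append(rx.accept(sign_dispatch(key, "bess-07", -1000.0, 1020), now=1025))  # too big a swing
    return [reason for _, reason in outcomes]

if __name__ == "__main__":
    print(demo())
```

The local step limit is the defence that still holds if the operator's key is ever compromised: an attacker who can sign commands can nudge the setpoint, but cannot order an instantaneous full discharge from a single unit.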

Systemic challenges in protecting critical infrastructure

Experts point to a number of structural problems that make protecting critical infrastructure from cyberattacks particularly difficult. First, many OT systems are legacy systems built decades ago when cybersecurity was not a consideration. Replacing them with modern equivalents is extremely costly and often impossible without long shutdowns of entire industrial plants. Second, the convergence of IT and OT – connecting corporate and industrial networks – increases the attack surface but is unavoidable in the era of digitisation and process automation. Third, many organisations lack sufficient budgets or skilled personnel to implement advanced security measures – in Poland, the increase in the cybersecurity budget from €600 million to €1 billion is a response to this need. Fourth, the role of human error remains crucial: phishing campaigns still succeed, and employees often unknowingly share their login credentials or install malicious software. Finally, long supply chains – software and devices from multiple vendors may contain hidden vulnerabilities or deliberately placed backdoors – mean that even the best‑secured organisation can fall victim to an attack through a weak link in its supply chain.

Countermeasures and protection strategies

In response to the growing threat, government and international bodies are developing strategies to protect critical infrastructure. One of the key EU‑level tools is the NIS2 Directive, which entered into force in Poland on 3 April 2026 through an amendment to the Act on the National Cyber Security System. NIS2 imposes on essential and important entities, including critical infrastructure operators, the obligation to implement comprehensive information security management systems, report serious incidents and undergo regular audits. Non‑compliance carries high administrative fines and personal liability for managers. At the same time, mechanisms are being developed to ensure the security of ICT supply chains for critical infrastructure sectors covered by NIS2.

In the United States, the Cybersecurity and Infrastructure Security Agency launched the “CI Fortify” initiative in May 2026, encouraging operators to build robust isolation and recovery capabilities, as well as contingency planning to maintain delivery of essential services even if malicious actors disrupt communications and third‑party connections. The initiative recommends assuming that in a conflict scenario, third‑party connections will be unreliable and attackers will already have some access to OT networks. Operators should prepare to isolate systems for up to three months, develop and test response plans to operate autonomously, and plan for system recovery after major incidents. Isolation means proactively disconnecting from third‑party dependencies and operating without reliable telecommunications and internet, while recovery means quickly restoring damaged systems in an isolated state. Critical infrastructure operators should, during isolation, prioritise service delivery to other critical infrastructure entities and consider switching to manual operation rather than relying on OT.

On the technical side, experts recommend implementing a Zero Trust architecture – a model in which no device, user or application is trusted by default, even if they are inside the internal network. In practice, this means requiring authentication and authorisation for every access request regardless of its source, and using micro‑segmentation to prevent attackers from moving freely between systems. Implementing multi‑factor authentication (MFA) for all remote connections to OT systems is considered an absolute minimum, as is regularly changing default passwords and using unique credentials for each device. Regular penetration testing, security audits and attack simulation exercises help identify weak points in security measures. Equally important is cybersecurity training for employees, especially in recognising phishing attempts – in many cases, a single employee’s carelessness or lack of knowledge opens the door to the entire organisation. Finally, creating immutable backups – copies of data that cannot be encrypted or deleted by an attacker – makes it possible to restore systems after a ransomware attack without paying a ransom. Statistics show that only 32 percent of companies that paid a ransom in 2024 recovered their data – in the remaining cases, attackers either did not provide decryption keys or the data had been irreversibly destroyed.

This publication is for informational purposes only and does not constitute investment analysis, investment advice, an offer or a recommendation regarding financial instruments. Bloomberg Intelligence is a research unit. The views expressed in this material are those of the analyst and do not necessarily reflect the position of Bloomberg LP or its affiliated entities.