State-backed cybercriminal groups target Poland: ESET report

Poland remains one of the key targets for state-linked cybercriminal groups, according to the latest ESET report. The turn of 2025 and 2026 saw a marked increase in advanced persistent threat (APT) operations, encompassing both cyber espionage and destructive attacks.

The report, covering the last quarter of 2025 and the first quarter of 2026, highlights a surge in activity by groups sponsored by or connected to states. Their operations focused on cyberspying or disruptive cyberattacks, with targets including Venezuela, Syria, Gulf states, Ukraine, and Poland. Analysts note that the direction and intensity of APT group actions are now key indicators of real international tensions.

Russia and China lead the charge

Chinese-linked groups targeted Venezuela for economic and strategic reasons. The group FamousSparrow attacked a maritime economy institution, likely to monitor oil shipments after US intervention. Another group, SteppeDriver, struck the Syrian government network, while UNC5221 used SPAWN malware against government targets in Cambodia and Panama, as well as an AI and robotics firm in South Korea.

Russian-linked groups, meanwhile, maintained their focus on Ukraine and on Poland, the latter because of its support for Ukraine since the war began. One notable attack was a December 2025 assault on the energy sector, described as unprecedented in scale. In January 2026, a phishing campaign attributed to the Sednit group (linked to Russia's GRU) exploited vulnerability CVE-2026-21509 to infect systems, targeting Ukrainian government institutions, Polish transport companies, and logistics firms in Turkey.

Geopolitical tensions drive cyber activity

The outbreak of war in Iran in late February 2026 also influenced cybercriminal activity in the region. Paradoxically, operations by actors in the region were partially halted due to restrictions imposed by the Iranian regime and connectivity issues. Meanwhile, hacktivists increasingly targeted Israel, the US, and other nations hostile to Tehran. ESET researchers noted a rise in attacks on Israel by new clusters: Rusty Boots and MoKhargosh.

North Korean-linked groups focused primarily on quick financial gain and infiltrating software supply chains. Their activities, while less targeted politically, still posed significant risks.

Cybersecurity as a central battlefield

ESET data shows that 36.2% of recorded attacks in the period were from Chinese-linked groups, 28% from Russian ones, 13.5% from North Korean groups, and 11.6% had no attribution. The analysis underscores that cyberspace is becoming a key area of state rivalry. Attacks not only accompany armed conflicts but increasingly serve as their backdrop, impacting critical infrastructure, economies, and information security.

These issues will be discussed at the upcoming CYBERSEC Expo & Forum, scheduled for June 15-16, 2026, in Katowice. The event will bring together government representatives, military officials, cybersecurity experts, and analysts to debate topics like geopolitics, technological sovereignty, and the fight against disinformation.

Source: WNP.PL. Photos: Oleg Podlesnykh/Unsplash, Arthur Wang/Unsplash, Glenn Carstens-Peters/Unsplash
