A new report from cybersecurity firm ESET reveals that state-sponsored cybercriminal groups have significantly increased their activity in late 2025 and early 2026, with Poland remaining one of the primary targets alongside Ukraine, Venezuela, and Syria. The analysis covers advanced persistent threat (APT) operations linked to China, Russia, and North Korea, highlighting the growing role of cyberespionage and destructive attacks in global geopolitical conflicts.
According to the ESET report, the last quarter of 2025 and the first quarter of 2026 saw a marked rise in APT activity, driven by groups that are either directly sponsored by governments or closely aligned with their strategic interests. These operations focus on cyberespionage and disruption, often targeting critical infrastructure, government networks, and key industries.
Kamil Sadkowski, an ESET security analyst, explained that APT groups are defined by their ability to conduct long-term, stealthy attacks against high-value targets, such as government agencies and corporations. Their goal is to steal classified data or maintain persistent access for future operations. The scale and direction of their attacks mirror real-world international tensions, with each major geopolitical flashpoint reflected in the digital realm.
China and Russia: The dominant threat actors
Chinese-linked groups were responsible for 36.2 percent of all state-sponsored attacks detected by ESET in the period, while Russian-affiliated groups accounted for 28 percent. North Korean hackers contributed 13.5 percent, with the remainder unattributed or linked to other actors.
The Chinese group FamousSparrow targeted a maritime economy institution in Venezuela, likely to monitor oil shipments after American military intervention. Another Chinese cluster, SteppeDriver, attacked Syrian government networks, while UNC5221 used the SPAWN malware to infiltrate government entities in Cambodia and Panama, as well as a South Korean AI and robotics firm.
Russian APT groups, including Sednit (linked to the GRU), continued to focus on Ukraine and on Polish logistics firms. A January 2026 phishing campaign exploited the CVE-2026-21509 vulnerability to infect Ukrainian government systems and Polish transport companies, as well as logistics operators in Turkey.
Poland as a prime target for cyberespionage
Poland’s position as a key supporter of Ukraine and a hub for NATO logistics makes it a persistent target for Russian cyber operations. The report notes that Polish firms in the transport and logistics sectors were specifically hit in the recent Sednit campaign. The country also faces threats from Chinese-linked groups seeking to gain economic or strategic intelligence.
The ESET analysts also observed that the outbreak of war in Iran in late February 2026 temporarily slowed Iranian-linked APT activity, likely due to regime-imposed internet restrictions. However, hacktivist groups such as Rusty Boots and MoKhargosh intensified attacks against Israel and U.S. allies. North Korean groups, meanwhile, focused primarily on financial gain and supply chain infiltration.
Overall, the data paints a clear picture: cyberspace has become a frontline in state rivalry. Attacks no longer merely accompany physical conflicts; they often precede or amplify them, affecting critical infrastructure, economies, and information security across the globe.
The findings will be discussed at the CYBERSEC Expo & Forum in Katowice on June 15-16, 2026, where experts from government, military, and industry will debate technological sovereignty, resilience, and the fight against disinformation.
Source: WNP.PL. Photos: Oleg Podlesnykh/Unsplash, Arthur Wang/Unsplash, Glenn Carstens-Peters/Unsplash






