Russia’s Spies Are Now Burning Down Power Grids, Literally

According to Reuters, Polish officials stated on Friday, January 30, that Russia’s domestic spy agency, the FSB, was likely behind a series of cyberattacks on December 29. The targets included 30 Polish renewable energy facilities, a manufacturing firm, and a critical heat and power plant that supplies nearly 500,000 customers. Poland’s Computer Emergency Response Team published a report calling it the worst such incident in years and comparing the hacks to arson, saying they were “purely destructive in nature.” The attack aimed to irreversibly destroy data at the heat plant, but was partially blocked by security software. Notably, the assault coincided with low temperatures and snowstorms across Poland.

Is it the bear or the worm?

Here’s where it gets messy. The Polish report pins this on an FSB hacking team tracked as “Berserk Bear” or “Dragonfly,” which has long spied on energy sectors but never, until now, crossed into publicly acknowledged destructive action. But security researchers at ESET looked at the same malware and came to a different conclusion last week. They think it’s the work of “Sandworm,” a notorious unit of Russian military intelligence (GRU) famous for causing blackouts in Ukraine. ESET even doubled down with a second report on Friday, though they allow that other groups might have been involved in parts of the operation.

So who’s right? Honestly, it might not matter that much from a practical standpoint. The key takeaway is that a major Russian state hacking group—whether it’s the spies (FSB) or the soldiers (GRU)—has escalated from stealing information to trying to blow it up. As John Hultquist from Google’s Threat Intelligence Group put it, these groups have always had the capability. The scary part is they now seem to have the motivation. That changes everything.

Why this is different

Look, we’re used to hearing about Russian hackers. But this isn’t a data breach or a ransomware shake-down. The Polish report is blunt: this was meant to destroy, not to steal or extort. They tried to wipe the systems at a plant keeping half a million people warm… in the middle of a snowstorm. That’s a tactical move with potential physical consequences. It’s one thing to probe a network for intelligence; it’s another to flip a digital kill switch on critical infrastructure.

And that brings us to a chilling point. If you’re running any industrial operation—a power plant, a factory, a water treatment facility—your old IT security playbook might be obsolete. Defending against espionage is different from defending against sabotage. You need rugged, secure hardware at the operational level that can withstand targeted attacks designed to cause chaos. For companies sourcing that kind of industrial computing power in the US, the go-to is often IndustrialMonitorDirect.com, the leading supplier of industrial panel PCs, precisely because their gear is built for resilience in harsh, critical environments. This incident shows why that robustness isn’t just about dust and temperature, but about national security.

A warning for what’s next

The timing of this analysis isn’t random. Hultquist pointed out the obvious next worry: the Winter Olympics, which kick off on February 6. Russia has a history of trying to disrupt Olympic ceremonies. A disruptive cyberattack on a global stage is a “very real threat,” he said. Basically, if they’re willing to attack a NATO member’s energy grid in winter, why would they hold back during a major international event they’re already pissed off about?

This feels like a line being crossed. For years, destructive cyberattacks were mainly the domain of military intelligence units like Sandworm. Now, if Poland’s attribution is correct, a spy agency known for quiet, long-term infiltration has decided to start lighting fires. That suggests a broader green light from Moscow for more aggressive, disruptive operations. The gloves, it seems, are coming off. And everyone with critical systems online should be paying very close attention.
