Key Takeaways
- The UK, EU, and Poland have formally attributed the December 2025 cyber‑attack on Poland’s power grid to Russia’s Federal Security Service (FSB) Centre 16 division.
- The attack attempted to deploy the destructive DynoWiper malware, aiming to disrupt communication between renewable energy hardware and power‑distribution operators, but ultimately failed.
- A joint NCSC‑authored technical advisory urges critical‑infrastructure organisations to disable insecure SNMPv1/v2, adopt SNMPv3 with authPriv, and turn off Cisco Smart Install on all devices.
- Sectors identified as most at risk include communications, defence industrial base, energy, financial services, government/facilities (state & local), and healthcare/public health.
- The advisory highlights overlapping tactics, techniques, and procedures (TTPs) between Centre 16 and other Russian‑state‑linked threat groups such as Sandworm.
- Concurrently, the UK and EU have imposed fresh sanctions on GRU officials, cybercriminals, hacktivists, the pro‑Kremlin outlet Rybar, and operators of the Lumma Stealer infostealer malware.
- Dutch intelligence warns that Russian espionage units are increasingly exploiting IP cameras with default passwords to monitor NATO military logistics, using image‑recognition tools to track vehicle movements and infrastructure.
Attribution of the Poland Power‑Grid Attack
In December 202 205, attackers attempted to cripple Poland’s electricity network by deploying the DynoWiper wiper malware, a tool frequently linked to Russian state‑backed operations. Although the intrusion did not succeed in causing a blackout, Polish Energy Minister Milosz Motyka confirmed the incident in January 2026 and noted that the attackers sought to interfere with the communication links between renewable‑energy generators and distribution operators. Investigators quickly pointed to Russia as the prime suspect, a conclusion later echoed by the UK’s Foreign, Commonwealth & Development Office (FCDO), which labelled the episode “another example of the Russian state’s irresponsible attempts to sow chaos across Europe.”
Technical Details of the Intrusion
The malicious code behaved similarly to other wiper families such as CaddyWiper (used in the 2023 Ukrainian blackouts) and WhisperGate (deployed at the outset of Russia’s 2022 invasion). Analysts observed that the adversaries first scanned for network devices responding to Simple Network Management Protocol (SNMP) versions 1 and 2, exploiting default or easily guessed community strings to gain unauthorized access to routers and switches. Once inside, they could exfiltrate device configuration data to a server under their control, laying the groundwork for persistent footholds and future destructive payloads.
Joint NCSC Advisory and Recommended Mitigations
On Monday, the UK National Cyber Security Centre (NCSC) co‑authored a technical advisory that outlines the latest tradecraft employed by FSB Centre 16 and prescribes concrete defensive measures. The headline recommendation is to disable SNMPv1 and SNMPv2 across all network equipment and replace them with SNMPv3 configured with authPriv, which provides strong authentication and encryption. Additionally, organisations should disable Cisco Smart Install on every device, as this feature is frequently abused alongside SNMP weaknesses. The advisory stresses that these steps dramatically reduce the attack surface exploited by the threat group.
Sectors Identified as High‑Risk Targets
The advisory explicitly lists the industries most likely to be targeted by Centre 16 operations: communications, defence industrial base, energy, financial services, government services and facilities (particularly state‑ and local‑level entities), and healthcare/public health. These sectors often manage critical infrastructure that, if compromised, could have cascading effects on public safety, economic stability, and national security. By focusing mitigations on these areas, the guidance aims to bolster resilience where the impact of a successful breach would be greatest.
Overlap with Other Russian Threat Groups
Defenders reviewing the document will notice considerable overlap in the tactics, techniques, and procedures (TTPs) used by Centre 16 and other Russia‑aligned actors such as Sandworm and the GRU‑linked units behind WhisperGate and CaddyWiper. Common themes include SNMP scanning, abuse of default credentials, exploitation of Cisco Smart Install, and the deployment of wiper malware to destroy data or disrupt operations. Recognizing these patterns enables security teams to apply broad‑spectrum defenses that counter multiple threat vectors simultaneously.
Statements from Officials
Jonathon Ellison, Director of National Resilience at the NCSC, emphasised the importance of the joint advisory: “The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter. Today’s joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK’s critical infrastructure.” He urged all organisations responsible for UK critical networks to adopt the recommended measures immediately to lower their risk of compromise.
New Sanctions Targeting Russian Cyber Infrastructure
Parallel to the technical guidance, the UK and EU have expanded their sanctions regimes, adding a range of Russian individuals and entities to their lists. High‑profile designations include GRU leaders Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko, accused of orchestrating cyber and hybrid operations, as well as collaborating with cybercriminals and the firm IMPULS to recruit talent from Russian universities. The pro‑Kremlin outlet Rybar also appeared on the list for spreading false narratives about Ukraine and allegedly interfering in European elections. Additionally, sanctions were imposed on three operators of the Lumma Stealer infostealer, a malware strain that has compromised at least 2,100 UK victims over six months, according to National Crime Agency data. The UK asserted that the Russian state has leveraged Lumma Stealer to harvest credentials and support cyber‑espionage campaigns worldwide.
Dutch Warning on IP‑Camera Exploitation
Days before the UK‑EU announcements, Dutch authorities issued their own alert concerning Russian espionage units targeting internet‑connected cameras. The advisory warned that at least one Russian intelligence group routinely compromises IP cameras to gather intelligence on NATO military logistics, using the footage to track transport routes, monitor shipments to Ukraine, and map critical infrastructure such as bridges and roads. The most common entry point is exploiting default or weak passwords; even when security updates are available, they are infrequently applied, leaving devices vulnerable. Dutch intelligence noted that the use of image‑recognition software to identify military vehicles and personnel has become a regular component of Russian tradecraft, signalling a broadening of espionage tactics beyond traditional network intrusions.
Conclusion and Call to Action
The convergence of attribution, technical guidance, sanctions, and allied warnings underscores a coordinated effort to counter Russian cyber aggression. By disabling outdated SNMP versions, securing Cisco devices, hardening IP‑camera configurations, and applying the prescribed mitigations across high‑risk sectors, organisations can substantially reduce the likelihood of successful intrusions. Continued international cooperation, timely information sharing, and proactive defence remain essential to safeguarding Europe’s critical infrastructure against evolving state‑sponsored threats.

