Poland ranks sixth in Europe regarding cyber threats, in the lead next to Hungary, Cyprus, Slovakia, Estonia and Belarus. The data shows that in 2022, domestic companies experienced hacker attacks on average every 9 minutes. The targets are not only private firms and Internet users, but increasingly hospitals, transport companies, banks and all administration branches. Who is attacking? Well, cyber-attacks, like war, are a political tool.
In recent days, government websites (which also fell victim to hackers in 2022) have again published a series of warnings against increasing attacks in Polish cyberspace: „This is a response of the Russian Federation to the Poland’s support provided to Ukraine and an attempt to destabilise the situation in our country. Through hostile operations in cyberspace Russia wants to exert pressure on Poland, as a frontline country and a key Ukraine’s ally on the NATO eastern flank.”
In the eye of the hacker cyclone: up to 30% of attacks on Polish government agencies may be succesful
Since the outbreak of war in Ukraine, Poland has been one of the critical targets of cybercriminals – the number of incidents is growing exponentially. „Both public administration domains and private companies, the media and ordinary users became targets of hacker attacks,” warned the government. „Entities from strategic sectors, such as energy or armaments, are particularly at risk. Some of these hostile campaigns can be linked directly to the activities of pro-Russian hacking groups.”
The state administration sector has recently been more threatened than the usual targets of hackers - the finance and banking sector. Since October 2022, the number of attacks (per entity) has increased from 1,214 attempts per week to a record 2,316, according to experts from Check Point Research.
The scale of the threat has doubled in relatively brief period of time. Moreover, the public administration sector in Poland is attacked twice as often as other institutions of this type worldwide, according to Check Point data. "In 2022, government agencies or organizations of critical infrastructure, which is crucial for the continuity of the functioning of the state, were most often attacked," state the Check Point report. "In 2023, the number of cyberattacks against utility infrastructure such as gas and electricity companies, public transport, healthcare and water supply companies is projected to increase even further."
Experts warn that unexpected and uncontrolled shutdowns of key infrastructure could cause large-scale civil unrest. “Critical infrastructure is a complex system whose protection requires not only security but constant monitoring of threats and analysis of the methods that cybercriminals use to attack systems around the world,” says Wojciech Głażewski, general director of Check Point Research branch in Poland.
In November 2022, Microsoft announced that Russian hackers launched massive attacks on Ukrainian digital infrastructure and Polish transport and logistics organizations. „In recent months, cyberthreat actors affiliated with Russian military intelligence have launched destructive wiper attacks against energy, water and other critical infrastructure organizations’ networks in Ukraine as missile strikes knocked out power and water supplies to civilians across the country. Russian military operators also expanded destructive cyberactivity outside Ukraine to Poland, a critical logistics hub, in a possible attempt to disrupt the movement of weapons and supplies to the front,” wrote Clint Watts, General Manager at the Digital Threat Analysis Center. At the end of December, hackers' activities peaked, and for many months the Polish authorities have been calling for particular caution due to the increased possibility of cyber attacks.
The number is unofficial, so it should be treated with reserve, but it is said that 25-30% of attacks on government agencies, operators of critical infrastructure and IT companies are successful. For this reason, on October 6, the Polish government introduced the second level of Bravo alert concerning the Polish energy infrastructure outside the country. Previously, the second stage of Bravo was activated inside the country (along with the third stage of Charlie-CRP, which concerns cyber security).
Robert Kośla, member of the Safe Cyberspace Foundation Council and former director of the Cybersecurity Department at the Chancellery of the Prime Minister, emphasizes, however, that the attacks in cyberspace did not start with the Russian invasion of Ukraine. They had been going on for many years, and their target was critical infrastructure. Today, however, Poland found itself in the eye of the hacker cyclone. The attempts made by cybercriminals are more sophisticated and on a larger scale.
Poland, one major target for Russia’s cyber attacks
Russia for years has been actively using digital space to pursue its own interests, often violating international law. With the help of specialized units within military intelligence (GRU), foreign intelligence (SVR), security service (FSB), and state-sponsored hacker groups, it attacks public institutions and private entities in other countries. Russia uses such attacks to steal, encrypt, or destroy data, and to infect computer networks, which become a source of malware spread to other entities. The actions of Russian hackers are primarily an element of hybrid activities, which Russia often coordinates with online disinformation for a greater impact. Russians carried out extensive cyberattack and disinformation activity during the 2016 U.S. presidential elections and Brexit campaign in the UK, influencing the result in both cases. Russia is also responsible for the 2007 paralysis of Estonian banks, ministries and media outlets, and for the NotPetya malware attack in 2017, considered the most destructive in history (the malware targeted Microsoft Windows–based systems). Originally aimed at Ukraine, it spread to dozens of countries and caused losses estimated at 10 billion dollars.
Russia also conducted intensified activities in cyberspace in preparation for its 2022 invasion of Ukraine. The most serious attack took place in mid-February, when Russian hackers disrupted several Ukrainian government websites, including the ministries of Foreign Affairs and Defence, as well as two of the largest state-owned banks. An hour before the invasion started, in order to surprise and slow down the response, Russia launched a cyberattack on the KA-SAT satellite network operating in Europe and the Mediterranean. By doing so, it disabled communication between several thousand public and private users in Ukraine and disrupted broadband connectivity to tens of thousands of recipients in several EU Member States. In the following months, victims of this massive Russian offensive in cyberspace included Ukrainian authorities, media, and critical infrastructure. Hackers, using mainly phishing campaigns and system loopholes, stole information needed by Russia, destroyed key data on the Ukrainian side, or conducted espionage operations. These cyberattacks were correlated with other actions taken by Russia, and in some cases they directly preceded events on the front, such as the offensive on the city of Sumy, the shelling of the TV tower in Kyiv, and the seizure of the nuclear power plant in Zaporizhzhia.
Moreover, Russia has intensified its activities in cyberspace, targeting, for example, public institutions, humanitarian organisations, and think tanks in more than 40 countries supporting Ukraine. The main target of the Russian operations is the U.S., perceived as the primary adversary on the international level. Poland is the most frequently attacked country in Europe because most transports with military and humanitarian aid to Ukraine pass through its territory. Other NATO Member States, as well as Finland and Sweden, are also targeted. The threat posed by Russia is serious because it has the aim of not only breaking Western security measures (according to estimates, hackers are successful in about a third of the cases) but also to conduct long-term espionage in cyberspace. As in the case of Ukraine, some actions aimed at Western countries remain correlated with events of a political nature, for example, on 23 November the European Parliament’s website was attacked by hackers after it declared Russia a state sponsor of terrorism.
The cyberwar is heating up
The Russian authorities use cyberattacks to increase the effectiveness of their actions on the international level. Russia’s intensified offensive activities in the digital space are aimed at creating instability in democratic states, with the purpose to, among other things, discourage them from supporting Ukraine. The Russian authorities are willingly and increasingly more open to using such tactics because cyberattacks, which are treated as actions below the threshold of war, are rarely responded to by public or private victims. The reasons include the difficulty in identifying the sources of the attack and the limited possibility of punishing the perpetrators. For example, the first sanctions in the EU’s history for cyberattacks (including NotPetya) were adopted only in 2020 and covered just three entities and six persons.
Russia’s full-scale invasion has increased the support of Western states in building up Ukraine’s cyberdefence capabilities. Already in February 2022, the EU launched the Cyber Rapid Response Team (CRRT) for the first time as part of PESCO, delegating experts from the Member States to assist the Ukrainians. Furthermore, Ukraine in March joined as a contributing participant the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). We need to remember that even if Russian troops are pushed out of Ukraine, Kremlin will retain its aggressive cyber capabilities. In this context, „it is important to initiate deepening of cooperation between EU and NATO countries in this area, as well as extending the capabilities to Ukraine and other partners such as Moldova and Georgia. This is crucial not only to improve information exchange and strengthen cybersecurity measures but also to prepare action plans in case of attacks,” analysts of The Polish Insitute of International Affairs noted recently.
Due to the intensification of cyberattacks in the second half of last year, the Information Exchange and Analysis Center was established in Poland, which aims to counteract these attacks. In the latest security report, Gartner estimates that in 2023 the budgets allocated to information security and risk management may reach as much as 188 billion dollars. Furthermore, within three years, it is estimated that the funds for this purpose will increase by over 40%. The cyberwar is heating up.