Russian Hacking Shows Limits of Preventive Measures

Europe must step up its active defenses against cyberattacks and modernize its IT infrastructure, a leading expert has warned in the wake of a major attack on Poland’s energy grid attributed to Russian hackers.
The region is already moving to beef up the security of its critical infrastructure through somewhat uneven implementation of the 2022 Network and Information Security 2 Directive. But that’s only half the battle, said Haya Schulmann, chair for cybersecurity of the Institute of Computer Science at Goethe University in Frankfurt, and a board member of Germany’s Athene, formerly known as the National Research Center for Applied Cybersecurity.
“A country nowadays cannot focus solely on preventative protection,” Schulmann told Information Security Media Group in a Thursday interview. “You have to focus on doing resilience and resilient infrastructure, but you also have to focus on developing defensive capabilities that can contain and stop cyberattacks in progress, because some attack vectors you can’t prevent just by making your infrastructure resilient.” She cited attacks against internet routing infrastructure and supply chains as examples.
Active cyber defense is often equated with the ability to take offensive countermeasures against the attacker’s own infrastructure – so-called hack-backs. In Germany, there is a very “emotional” debate around this. Current law forbids hacking back but the government has promised imminent legal changes to allow the tactic.
Schulmann said active defense goes far beyond hacking back, which can be geopolitically risky due to the difficulty of accurately attributing cyberattacks and the possibility of “false flag” operations that are intended to misdirect blame.
“You don’t necessarily have to attack the attacker. Active cyber defense means having the ability to intervene defensively, to isolate and neutralize malicious activity inside your own networks and dependencies,” she said. “You can do analysis by simulating the effect of such active countermeasures, to the point that you can predict with high confidence which traffic would be affected… The way the internet works, you can change or filter things in a certain way that doesn’t require hacking the attacker’s infrastructure.”
“I definitely do think that Europe has to invest in [active cyber defense] capabilities, firstly to understand and have expertise in them, and second to have the option to use them if needed.”
More details of the late-December attack on Poland’s energy infrastructure have come out in the last week or so, following Prime Minister Donald Tusk’s revelation of the incident on Jan. 15. It appears clear from cybersecurity firms’ analyses that Russia was to blame, with Eset fingering the Sandworm cyber sabotage division of Russia’s Main Intelligence Directorate last Friday (see: Wiper Malware Targeting Poland’s Power Grid Tied to Moscow).
Dragos this week pointed to the Electrum group, which has some overlap with Sandworm, although the two remain distinct.
Whichever Russian entity was responsible, the attackers targeted the distributed edge of the Polish grid, rather than the centralized systems that have been targeted in previous Electrum-attributed attacks. They went for operational technology systems at around 30 sites, including remote terminal units and communications network infrastructure – the kind of systems that are crucial when harnessing distributed energy sources such as wind and solar.
“The Poland attack is significant because of the coordinated nature of the attacks across numerous sites simultaneously and the demonstrated intent of a sophisticated adversary to systematically target this infrastructure,” Dragos marketing manager Danielle Gauthier wrote in a blog post.
The attackers may have demonstrably gained a foothold in these OT systems, but they didn’t cause any blackouts, and it’s not clear why.
According to Gauthier’s post, there could have been operational impacts if the attackers had developed “deeper knowledge of specific site configurations or [achieved] similar access across larger numbers of sites simultaneously.”
Schulmann suspects this was a sabotage operation that was designed to stop short of anything that might lead to major geopolitical consequences.
“It sends a very strategic signal: intimidation, doubt and erosion of trust. It shows people, ‘Your government cannot protect you. We can reach your critical infrastructure,’” Schulmann said. The attackers might also have been conducting an experiment, seeing what the effects of such an assault on the grid’s distributed edge might be, and how the attacked operators might respond. “The goal was to signal and to test, probing technical limits and institutional responses, without crossing a threshold that would trigger a military or diplomatic escalation, and that is really classic in this hybrid warfare.”
Should Poles and other Europeans be satisfied with the response to the attack? “The response was operationally good, but the risks of course remain,” said Schulmann. There was no public impact and the attack was contained to the edges of the network, she noted, while also praising the Polish authorities’ statements about the incident.
“Public communication avoided panic, they made attribution and they communicated the situation – that is important because lack of communication can create chaos, and it can contribute to the effects of attacks,” she said. “So one could say it was a real stress test and they passed it… but systems were still damaged, and many energy facilities had systems wiped. This means that this is going to cost a lot of money. Equipment will need replacement. All of this is not trivial.”
Schulmann believes European countries are “not sufficiently prepared” to deal with an uptick in cyberattacks. But she doesn’t think the region is particularly behind on this front. Every country is dealing with the same issues. The core problem, she said, is the tension between the need for security and the ongoing push to digitize society – a shift that is taking place in a “non-controlled, unstrategic way.”
The Athene research center regularly surveys the landscape of digitalization across Germany’s 16 states, and Schulmann said there is evidence of clear progress, in line with the country’s digital transformation strategy. Much of this is being built on legacy IT infrastructure, leading to a sharp increase in the number of vulnerable systems that are end-of-life or that lack the necessary personnel to properly manage or patch them.
Politicians get to tout the benefits of the new digital services, but the shift is also creating a much larger attack surface. “Attackers come exactly for these systems,” Schulmann said. “They don’t need to attack the most secure link; they will go for the weakest.” The Polish attack demonstrated how “you don’t need to [attack] the center… you can just attack somewhere through which you can get to the center,” she added.
Athene has run simulations of what will happen if Germany continues growing its IT services without modernizing and securing its IT infrastructure, and if current trends continue, then in five to 10 years “the situation is going to be horrible,” she said, warning of “catastrophic, devastating effects from coordinated attacks.”
Compliance exercises and audits, which are mostly done through paperwork, are important but insufficient without a parallel focus on modernizing infrastructure and making it more resilient. “Security management is an important thing, but it only brings value if you already have security,” Schulmann said. “If your infrastructure is not secure, it will not help you.”
