Polish Cyber Defenses and the Russia-Ukraine War
The crisis between NATO countries and Russia following Russia’s invasion of Ukraine has involved aggressive rhetoric, military warnings, sabotage of critical infrastructure, nuclear saber-rattling, and cyberattacks. Experts have warned that international crises are a fertile ground for cyber escalation, including the current conflict in Ukraine. Outside of Ukraine, Poland has been a major target of Russian cyberattacks, both for espionage and disruptive purposes. Poland needs to prepare for a potential Russian escalation in cyberspace by increasing its collaboration with international partners and its cyber defense readiness.
Why has Poland been targeted?
Poland has been the target of Russian cyber operations and cyber-enabled information warfare for years, but after the February invasion, Russian cyberattacks only increased. Poland has become the main logistical hub for military and humanitarian aid to Ukraine, accepted the largest number of refugees, and spearheaded strong sanctions against Russia. Polish armed forces observed an increase in Russian activity against their own systems, with the number of cyberattacks on IT systems and networks in the first quarter of 2022 surpassing the total for all of 2021.
The Viasat attack and the aftermath
Polish subscribers were among the victims of the attack on the Viasat satellite internet system, when Russian hackers disabled modems that communicate with Viasat’s satellite network to cut the Ukrainian military and population off from the internet. While Polish networks were affected by the Viasat outage, the effects were less disruptive than in Ukraine. In addition to the spillover from the Viasat attack, the country also faced more deliberate attacks at the start of the war. Polish email addresses were flooded with phishing attempts throughout February and March.
Russia has continued to attack Polish networks in order to diminish Ukrainian resistance. In November 2022, Microsoft revealed that Sandworm, a hacking group tied to the GRU, Russia’s military intelligence service, was targeting Ukrainian and Polish logistical networks with new ransomware, known as Prestige. These attacks are among the first Russian state-sponsored attacks that intentionally target NATO members with destructive malware since the war in Ukraine began.
Patriotic hackers like the Russian group Killnet have also attacked Poland, although their capabilities have thus far been limited to mostly harmless denial-of-service attacks. The most spectacular attack targeted the website of the Polish High Chamber of Parliament, the Senate. The attack came days after the Senate declared Russia a state sponsor of terrorism. Another Moscow-aligned hacker group, Killnet, has frequently issued threats on social media against countries supporting Ukraine and has threatened Poland specifically several times.
Prospects for Poland’s cyber defense
Measures introduced before the invasion by the Polish government have bolstered the country’s cyber defenses. In February 2022, three days before the invasion, Poland increased its threat rating to the CHARLIE-CRP level, the second highest, to increase the cybersecurity readiness of government entities. Poland also closely cooperated with allies from NATO and the European Union and private sector companies to disrupt potential Russian operations, which has contributed to a low success rate for Russian cyberattacks against Poland, only 29 percent. The success of Ukrainian operators in defending their own networks shows the value of establishing and maintaining ties with private partners, like Microsoft, and Poland has similarly done well on this front.
As Western governments weigh new, more advanced, weapons shipments, Poland needs to be ready for an escalation of Russian cyberattacks, which may target airports, railways, or other components of logistics and transportation. Russia has already targeted these networks in Poland once, during its Prestige ransomware campaign. Rzeszów airport, a crucial logistical hub, could be a prime target for Russians trying to disrupt the flow of arms and aid to Ukraine. Signaling outages have already shown how vulnerable Polish railways are; an outage in March 2022 rendered nearly 80 percent of the Polish train network inoperable for over a day.
Poland's government should request that U.S. Cyber Command undertake a hunt forward operation on Polish logistics networks, if it has not already. The government needs to increase information sharing and cyber defense collaboration with private sector companies, and ensure it is ready to raise its cybersecurity alert level from CHARLIE to DELTA, the highest level, which would involve increasing the physical security of select institutions and require frequent reviews of networks to ensure their security. Poland has so far done an excellent job defending against Russian cyberattacks, but it needs to stand ready for a significant escalation of attacks targeting critical logistics infrastructure.
Andrzej Kozlowski is the Head of Research at the Casimir Pulaski Foundation, an assistant professor at the University of Lodz, and a Cybersecurity Fellow at the European Cyber Conflict Research Initiative.