Cyberattack Targets Polish Ruling Party Ahead of Presidential Election

Polish Prime Minister Donald Tusk confirmed a cyberattack targeting his Civic Platform (PO) party’s IT systems on April 2, 2025, just weeks before the country’s presidential election. The attack, attributed to foreign actors with an “eastern footprint,” attempted to compromise computers belonging to party employees and election staff over a 12-hour period¹. This incident follows a pattern of increasing cyber threats against Poland, which security officials describe as the European Union’s most targeted nation for digital attacks².

Attack Methodology and Targets

The attackers employed a multi-vector approach, combining compromised credentials with malicious emails sent from a hacked activist account. According to reports from Radio Zet, some emails reached parliamentary addresses, suggesting an attempt to infiltrate government systems³. Digital Affairs Minister Krzysztof Gawkowski characterized the attack as “quite dangerous,” noting similarities to previous operations linked to Russian and Belarusian hacking groups⁴. The timing, one month before Poland’s May 18 presidential election, raises concerns about potential interference in democratic processes.

Historical Context and Attribution

This incident follows multiple documented cyber operations against Polish infrastructure. In January 2025, Polish authorities accused Russia of recruiting citizens via darknet forums to spread disinformation ahead of elections⁵. Earlier in September 2024, security services dismantled a Russia-Belarus-linked cyber sabotage group targeting government and military systems⁶. The current attack’s tactics align with known Russian hybrid warfare playbooks, including the 2016 U.S. election interference and 2017 French election meddling campaigns.

Date	Incident	Attribution
April 2025	PO party cyberattack	Foreign interference (eastern footprint)
January 2025	Darknet recruitment for disinformation	Russian actors
September 2024	Cyber sabotage group dismantled	Russia-Belarus collaboration

Technical Response and Mitigation

Polish security services have initiated a full investigation, with NATO and EU allies receiving alerts about the incident. The attack’s focus on election staff computers suggests potential objectives ranging from data theft to the generation of fake content¹. Security professionals should monitor for:

Unusual login attempts to political or election-related systems
Phishing emails with Polish election themes
Compromised credentials circulating in dark web markets

Political Implications and Reactions

The attack occurs as PO’s presidential candidate, Warsaw Mayor Rafał Trzaskowski, leads polls with approximately 35% support. Opposition lawmaker Michał Woś accused Tusk of fabricating the incident for political gain, highlighting the divisive nature of cybersecurity incidents during election periods³. Poland’s space agency reported similar attacks in March 2025, suggesting a broader campaign against critical infrastructure⁴.

Security Recommendations

Organizations involved in election processes should implement enhanced monitoring for:

Endpoint detection on all election staff devices
Network traffic analysis for command-and-control communications
Multi-factor authentication for all political party systems

This incident underscores the growing intersection between cybersecurity and democratic processes. As Poland prepares for its presidential election, the international community will closely watch how the government balances transparency with operational security in its response to this attack.