Polish Prime Minister Donald Tusk has publicly attributed a cyberattack targeting his Civic Platform party’s systems to “origins in the east,” strongly implying Russian involvement. The incident, detected on April 2, 2025, occurred weeks before Poland’s presidential election (scheduled for May 18), raising concerns about foreign interference in democratic processes. Technical analysis suggests ties to Belarusian proxy groups historically linked to Russian intelligence operations [1].
Technical Analysis of the Attack
The attack employed phishing emails laden with malware designed to infiltrate election staff computers. According to Poland’s CERT, the campaign lasted approximately 12 hours but was contained before data exfiltration could occur [2]. IP traces linked the activity to GhostWriter, a Belarusian threat group known for targeting NATO members supporting Ukraine [4]. The malware’s command-and-control infrastructure reused patterns from the 2024 Polish news agency hack, which NATO attributed to Russian GRU operatives [3].
Political and Operational Context
The timing aligns with Poland’s presidential race, where Civic Platform candidate Rafał Trzaskowski leads polls at 35%. Opposition party Law & Justice (PiS) has called for an independent investigation, questioning whether the attribution serves political objectives [5]. The EU Cyber Rapid Response Team was deployed to assist Polish authorities, marking the first activation under the bloc’s 2024 Hybrid Threat Protocol [6].
| Indicator | Details |
|---|---|
| Attack Vector | Phishing emails with weaponized Excel macros |
| C2 Infrastructure | IPs traced to Minsk-based hosting providers (AS50952) |
| Mitigation | Network segmentation of election systems + endpoint detection rules deployed |
Security Recommendations
For organizations monitoring similar threats:
- Implement YARA rules to detect GhostWriter’s signature DLL sideloading technique
- Monitor for anomalous traffic to Belarusian ASNs during critical political events
- Review Microsoft Office macro execution policies for election-related workstations
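The second recommendation, monitoring for anomalous traffic to watch-listed ASNs during a critical event window, can be turned into a small detection script. The following is an added illustration, not code from the article or from Poland’s CERT: the flow-log format, the prefix-to-ASN table and every IP address are constructed sample data, and AS50952 appears only because the article’s indicator table names it as the C2 hosting ASN. It flags any flow inside the window that either lands in a watch-listed ASN or reaches an ASN never seen in the pre-window baseline.

```python
"""
Flag outbound flows to watch-listed or never-before-seen ASNs inside a
critical-event window (e.g. election day).

Added example, not from the article. The log format, prefix table and IPs
below are constructed; AS50952 is the ASN the article's IoC table lists.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed prefix -> ASN table. A real deployment would resolve ASNs from a
# routing feed (RIPEstat, Team Cymru, a MaxMind ASN DB); documentation ranges
# are used here so the example runs offline.
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 50952,   # stands in for the Minsk-based C2 hosting ASN
    ipaddress.ip_network("198.51.100.0/24"): 64496,  # hypothetical benign ASN
    ipaddress.ip_network("192.0.2.0/24"): 64497,     # hypothetical benign ASN
}

# ASNs treated as high-risk during the event window (AS50952 from the article's table).
WATCHED_ASNS = {50952}

# Constructed event window: election-related activity on 2025-04-02 (UTC).
WINDOW_START = datetime(2025, 4, 2, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 2, 23, 59, 59, tzinfo=timezone.utc)

# Constructed flow records: "<ISO8601 ts> <src_ip> <dst_ip> <dst_port> <bytes>".
SAMPLE_FLOWS = [
    "2025-03-30T10:00:00+00:00 10.0.0.5 198.51.100.10 443 5120",  # baseline: AS64496
    "2025-04-02T08:15:00+00:00 10.0.0.7 198.51.100.20 443 2048",  # in window, baseline ASN
    "2025-04-02T08:17:42+00:00 10.0.0.7 203.0.113.44 443 9876",   # in window, watch-listed AS50952
    "2025-04-02T08:30:00+00:00 10.0.0.9 192.0.2.15 8443 1024",    # in window, AS64497 not in baseline
    "2025-04-03T12:00:00+00:00 10.0.0.5 203.0.113.44 443 100",    # outside window, ignored
]


def asn_for_ip(ip: str):
    """Longest-prefix lookup is unnecessary here: the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record into a dict with a timezone-aware timestamp."""
    ts, src, dst, port, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "bytes": int(nbytes),
    }


def build_baseline(lines, window_start) -> set:
    """Collect the destination ASNs observed before the window opens."""
    seen = set()
    for line in lines:
        flow = parse_flow(line)
        if flow["ts"] < window_start:
            asn = asn_for_ip(flow["dst"])
            if asn is not None:
                seen.add(asn)
    return seen


def find_suspicious_flows(lines, window_start, window_end, baseline_asns) -> list:
    """Return in-window flows whose destination ASN is watch-listed or absent from the baseline."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if not (window_start <= flow["ts"] <= window_end):
            continue
        asn = asn_for_ip(flow["dst"])
        if asn is None:
            continue  # unknown ASN: a real deployment would log this separately
        reason = None
        if asn in WATCHED_ASNS:
            reason = f"destination in watch-listed AS{asn}"
        elif asn not in baseline_asns:
            reason = f"AS{asn} never seen before the event window"
        if reason:
            hits.append({**flow, "asn": asn, "reason": reason})
    return hits


def run_example() -> list:
    """Run the detection over the constructed sample and return the alerts."""
    baseline = build_baseline(SAMPLE_FLOWS, WINDOW_START)
    return find_suspicious_flows(SAMPLE_FLOWS, WINDOW_START, WINDOW_END, baseline)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['ts'].isoformat()} {hit['src']} -> {hit['dst']}:{hit['port']} {hit['reason']}")
```

The baseline-comparison branch is what makes this useful beyond a static blocklist: during a short, well-defined window an election workstation reaching any ASN it has never talked to is worth a look, whether or not that ASN is already on a watch list. Tune the baseline period to cover normal business cycles so routine destinations are not flagged.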
The incident underscores the growing trend of cyber operations targeting electoral infrastructure in NATO’s eastern flank. While attribution remains challenging, the reuse of Belarusian proxy infrastructure provides measurable indicators for defenders. Future attacks will likely employ more sophisticated obfuscation given the public disclosure of these TTPs.
References
1. “Poland cyberattack: Donald Tusk blames Russia for ‘eastern origins’ hack,” Express UK, Apr. 2, 2025.
2. “Polish PM says cyberattack targeted party systems ahead of election,” AP News, Apr. 2, 2025.
3. “Polish PM Tusk says there has been cyberattack on IT systems of his political party,” Reuters, Apr. 2, 2025.
4. “Poland thwarts cyberattacks linked to Russia and Belarus,” Security Affairs, Apr. 3, 2025.
5. “PiS demands independent probe into cyberattack claims,” Polskie Radio, Apr. 3, 2025.
6. “Poland’s PM says party systems targeted in cyberattack,” Euronews, Apr. 2, 2025.