
Poland’s political infrastructure faced a significant cyberattack in April 2025, with Prime Minister Donald Tusk attributing the incident to Russian-linked actors. The attack targeted the Civic Platform (PO) party’s IT systems weeks before the presidential elections, raising concerns about foreign interference. Technical evidence points to APT29 (Cozy Bear), a group historically tied to Russian intelligence [1].
Incident Overview
The attack occurred on April 2, 2025, compromising systems belonging to Poland’s ruling party. Phishing emails with malicious attachments initially breached a local PO activist’s account before spreading to national members [2]. The 12-hour infiltration specifically targeted election staff, with data theft and potential content fabrication as suspected objectives. Digital Affairs Minister Krzysztof Gawkowski confirmed Poland remains the EU’s most cyber-targeted nation, stating Russia has been “waging a war against Poland in cyberspace” since January 2025 [3].
Technical Methodology
Attack vectors mirrored known APT29 tactics, including:
- Spear-phishing campaigns with weaponized documents
- Lateral movement through compromised party member accounts
- Potential use of AI-generated content for social engineering
Security analysts noted similarities to previous Russian operations against JetBrains TeamCity servers, where attackers exploited unpatched vulnerabilities [4]. The Polish government has not disclosed whether zero-day exploits were involved, but historical patterns suggest possible use of CVE-2023-42793 (a TeamCity vulnerability) or similar flaws.
Geopolitical Context
The cyberattack occurred amid heightened tensions between Poland and Russia. Poland, NATO’s top defense spender at 4.7% of GDP, had recently proposed expanding its army to 500,000 troops and training all adult males for potential conflict [5]. The timing, weeks before critical elections, aligns with Russia’s historical pattern of election interference operations across Europe.
Defensive Recommendations
For organizations facing similar threats:
- Implement strict email filtering for political domains
- Enforce mandatory MFA for all election-related systems
- Conduct purple team exercises simulating APT29 TTPs
- Monitor for suspicious TeamCity-related network traffic
Network defenders should particularly watch for:
| Indicator | Description |
|---|---|
| Phishing Lures | Election-themed subjects with Polish political terminology |
| C2 Traffic | Connections to known APT29 infrastructure |
| Lateral Movement | Unexpected SMB/NTLM authentication attempts |
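As an added illustration of the three indicator classes in the table (this is example code written for this page, not tooling from any of the cited sources), the following Python scans constructed log lines for election-themed subjects carrying macro or container attachments, outbound connections to a watch-list of addresses, and NTLM network logons from workstations that are not expected to originate them. The log line formats, host names, the address watch-list and the keyword list are all constructed assumptions; a real deployment would replace them with threat-intelligence feeds and an asset inventory.

```python
"""Toy detection pass over constructed log lines for the three indicator
classes above: phishing lures, C2 traffic and lateral movement.

Everything here (log formats, hosts, addresses, keywords) is constructed
for illustration; none of it comes from the incident reporting.
"""
import re
from dataclasses import dataclass

# Constructed watch-lists (assumptions, not real indicators).
ELECTION_TERMS = ("wybory", "kandydat", "komisja wyborcza", "election", "ballot")
LURE_EXTENSIONS = (".docm", ".xlsm", ".iso", ".lnk", ".zip")
KNOWN_C2 = {"203.0.113.45", "198.51.100.7"}   # RFC 5737 documentation addresses
# Hosts permitted to originate NTLM network logons (e.g. an admin jump box).
ALLOWED_NTLM_SOURCES = {"JUMP01"}


@dataclass
class Alert:
    category: str
    detail: str


# Constructed line formats for a mail gateway, a network sensor and a
# Windows security log export (event 4624, logon type 3 = network logon).
MAIL_RE = re.compile(
    r'^MAIL from=(?P<from>\S+) subject="(?P<subject>[^"]*)" attachment=(?P<att>\S+)$')
NET_RE = re.compile(r'^NET src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$')
AUTH_RE = re.compile(
    r'^AUTH event=4624 logon_type=3 package=(?P<pkg>\S+) workstation=(?P<ws>\S+) '
    r'target=(?P<target>\S+) user=(?P<user>\S+)$')


def check_mail(m):
    """Flag an election-themed subject delivered with a weaponizable attachment."""
    subject = m["subject"].lower()
    att = m["att"].lower()
    if any(term in subject for term in ELECTION_TERMS) and att.endswith(LURE_EXTENSIONS):
        return Alert("phishing_lure", f"election-themed subject with attachment {att}")
    return None


def check_net(m):
    """Flag any connection whose destination is on the C2 watch-list."""
    if m["dst"] in KNOWN_C2:
        return Alert("c2_traffic", f"{m['src']} -> {m['dst']}:{m['port']}")
    return None


def check_auth(m):
    """Flag NTLM network logons from hosts that should not originate them."""
    if m["pkg"].upper() == "NTLM" and m["ws"] not in ALLOWED_NTLM_SOURCES:
        return Alert("lateral_movement",
                     f"NTLM network logon from {m['ws']} to {m['target']} as {m['user']}")
    return None


RULES = ((MAIL_RE, check_mail), (NET_RE, check_net), (AUTH_RE, check_auth))


def scan(lines):
    """Run every line through the first matching rule; return the alerts raised."""
    alerts = []
    for line in lines:
        for regex, check in RULES:
            m = regex.match(line.strip())
            if m:
                alert = check(m)
                if alert:
                    alerts.append(alert)
                break
    return alerts


# Constructed sample log; three lines should alert, four should not.
SAMPLE_LOG = [
    'MAIL from=sztab@example.net subject="Wybory 2025 - lista kandydatow" attachment=lista.docm',
    'MAIL from=hr@example.org subject="Harmonogram urlopow" attachment=harmonogram.pdf',
    'NET src=10.0.5.12 dst=203.0.113.45:443',
    'NET src=10.0.5.12 dst=93.184.216.34:443',
    'AUTH event=4624 logon_type=3 package=NTLM workstation=WS-ACTIVIST01 target=FILESRV01 user=jkowalski',
    'AUTH event=4624 logon_type=3 package=Kerberos workstation=WS-ACTIVIST01 target=FILESRV01 user=jkowalski',
    'AUTH event=4624 logon_type=3 package=NTLM workstation=JUMP01 target=FILESRV01 user=admin',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.category}] {alert.detail}")
```

The NTLM rule is the concrete form of the table’s “unexpected SMB/NTLM authentication attempts”: in a Kerberos domain, an ordinary workstation authenticating to a file server with NTLM is the kind of deviation worth a ticket, which is why the rule keys on the authentication package and the originating host rather than on the account alone.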
Conclusion
The Poland cyberattack demonstrates the continuing evolution of state-sponsored election interference tactics. With technical links to Russian APT groups and clear geopolitical motivations, this incident serves as a case study in modern hybrid warfare. Organizations should review their defenses against sophisticated phishing campaigns and maintain heightened awareness during election cycles.
References
1. “Polish PM Donald Tusk says his party’s computer systems targeted in cyberattack,” Euronews, 2025. [Online]. Available: https://www.euronews.com/my-europe/2025/04/02/polands-pm-donald-tusk-says-his-partys-computer-systems-targeted-in-cyberattack
2. “Poland cyberattack: Tusk warns of foreign interference,” Polskie Radio, 2025. [Online]. Available: https://www.polskieradio.pl/395/7784/Artykul/3506204
3. “Polish PM blames foreign interference for cyberattack,” The Nation, 2025. [Online]. Available: https://www.nation.com.pk/03-Apr-2025/polish-pm-blames-foreign-interference-for-cyberattack
4. “Poland thwarts cyberattacks from Russia and Belarus,” Security Affairs, 2025. [Online]. Available: https://securityaffairs.com/168258/cyber-warfare-2/poland-thwarted-cyberattacks-russia-and-belarus.html
5. “Poland cyberattack: Donald Tusk points finger at Russia,” Express, 2025. [Online]. Available: https://www.express.co.uk/news/world/2036197/poland-cyberattack-fonald-tusk-russia