Polish government warns federal, private entities of increased Russia-linked cyber attacks

The Polish government has warned public administration domains and private companies of increased occurrences classified as ‘computer incidents,’ including attacks perpetrated by Russian hackers, in the country’s cyberspace. The escalating situation is believed to be a response of the Russian Federation to Poland’s support of Ukraine, and an attempt to destabilize the situation in the Central European country. 

“Both public administration domains and private companies, the media and ordinary users become the target of hacker attacks,” the Polish government wrote in a recent advisory. “Entities from strategic sectors, such as energy or armaments, are particularly at risk. Some of these hostile campaigns can be linked directly to the activities of pro-Russian hacking groups.”

The Polish government explained that since the beginning of the Russian invasion of Ukraine, the nation has been a constant target of the Kremlin’s hybrid actions, including attacks in cyberspace. “Recently this hostile activity has intensified. This is the consequence of our commitment to helping Ukraine but also of the fact that Poland is strongly advocating in the international arena for providing help to Kyiv. Through hostile operations in cyberspace Russia wants to exert pressure on Poland, as a frontline country and a key Ukraine’s ally on the NATO eastern flank,” it added.

The advisory said that this was the case, for example, with the recent attack on the website of the Polish parliament (Sejm). “The CSIRT GOV team operating in the Internal Security Agency (ABW) identified problems with the accessibility of the sejm.gov.pl website. Data analysis showed that the website’s unavailability was the result of an attack carried out by the pro-Russian group NoName057(16). This group on the Telegram portal has set the parliamentary website as one of its goals.” 

The Polish government added that the attack was a response to the adoption by the Sejm of the Republic of Poland of a resolution recognizing Russia as a state sponsor of terrorism. 

Noting that every attack in cyberspace pursues complex objectives and has various implications, whether social, political, or financial, the Polish government said that cyberattacks are increasingly used to spread Russian disinformation and to help Russian special services gather data and vulnerable information.

The Polish government said that an operation carried out using both of these methods is the ‘GhostWriter’ campaign. “It consists in attacking email addresses and accounts in social media of public figures in the CEE countries, mainly in Poland. The authors of this campaign are trying to seize information resources for the purposes of the Russian disinformation. In recent months this operation has been focused on actions against Poland,” it added.

In September 2021, Prevailion’s Adversarial Counterintelligence Team (PACT) provided details on unknown domains associated with UNC1151 and the Ghostwriter influence campaign. “UNC1151 is likely a state-backed threat actor waging an ongoing and far-reaching influence campaign that has targeted numerous countries across Europe. Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents),” the researchers disclosed.

In May, Google’s Threat Analysis Group (TAG) observed in its latest update that hackers have increasingly targeted critical infrastructure entities, including oil and gas, telecommunications, and manufacturing. TAG has been closely monitoring cyber activity in Eastern Europe with regard to the war in Ukraine and has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns.

The Polish government also said that false structures, such as websites impersonating real websites, are used for aggressive actions. “In the first days of December, the CSIRT GOV Team received information about the registration of a phishing website impersonating the website in the government domain ‘gov.pl.’ The content of the fake website suggested that the President of the Republic of Poland signed a decree on compensation for Polish residents, financed from European funds.”

“The ‘I’d like to know’ link led through a phishing process and then redirected to a phishing payment card page under the guise of charging a verification fee to pay compensation,” the advisory revealed. “Thanks to the intervention of the Internal Security Agency, the website was blocked. This is a typical operation aimed at sowing chaos, undermining the state, but also collecting personal data and extorting money.”

Given the increasing scale of threats, Polish cyberspace is constantly monitored for potentially dangerous incidents so that they can be responded to as fast as possible. “At the same time, it is important to implement measures in order to prevent attacks. In Poland, the Prime Minister has also introduced the third security alert CHARLIE-CRP which is related to the cybersecurity and responds to growing threats in cyberspace,” the government warned.

Last November, the European Union Agency for Cybersecurity (ENISA) released its ENISA Threat Landscape 2022 (ETL) report, covering the state of the cybersecurity threat landscape for the reporting period from July 2021 up to July 2022. The ETL report finds that with the geopolitical context giving rise to cyber warfare and hacktivism, alarming cyber operations and malignant cyberattacks have altered the trends of the 10th edition of the report.
