Poland Sounds Alarm on Russian Hacking
Government Says Hackers' Goals Are 'Destabilization, Intimidation and Sowing Chaos'
Polish intelligence issued a year-end warning over Russian hackers active in national cyberspace, saying they are intent on destabilizing a vital ally to Ukraine.
Poland is a staging ground for military aid to Kyiv and a destination for more than 1.4 million refugees who fled Moscow's war of conquest, now in its 10th month. The country says it has extended $9 billion in aid to its eastern neighbor.
Russian hacking in Poland predates the February 2022 invasion but hostile activity has since intensified, the Office of the Government Plenipotentiary for Cybersecurity said in a Friday alert.
Hacking groups "linked to the Kremlin" use ransomware, distributed denial-of-service attacks and phishing with the goals of "destabilization, intimidation and sowing chaos," the Polish government agency wrote.
"Russia wants to exert pressure on Poland, as a frontline country and a key Ukraine’s ally on the NATO eastern flank," it added.
The alert is in step with other warnings that include a December missive from Microsoft stating that Russia may amplify digital operations in Europe, including disinformation (see: Microsoft Warns of Growing Russian Digital Threats to Europe).
Security researchers from Microsoft earlier attributed a novel ransomware campaign active in Ukraine and Poland to the same Kremlin threat actor responsible for NotPetya malware. The threat actor is associated with Russia's GRU military intelligence agency and is most often known by the moniker Sandworm, although Microsoft tracks it as Iridium.
International observers doubt the effectiveness of Russian hacking within Ukraine and conclude that Russian missiles are much more effective in destroying Ukrainian infrastructure than data wipers. Intelligence collection rather than destruction is likely the main cyberthreat to Kyiv, concluded a recent paper published by the Carnegie Endowment for International Peace.
Polish intelligence cites the activities of a campaign known as GhostWriter as evidence of Russian espionage and disinformation. Among other activities, it has used fake personae to spread narratives that Ukrainian refugees are a burden on Poland's economy and healthcare system while stoking fears that "neo-Nazis" will exploit the flow of refugees into Poland to carry out attacks, threat intelligence firm Mandiant reported earlier this year. GhostWriter also sought to convince Ukrainians that a Polish criminal ring was harvesting organs from refugees. Mandiant assesses with "moderate confidence" that close Russian ally Belarus is at least partially responsible for the GhostWriter campaign.
Besides spreading disinformation, Poland says GhostWriter operators are attacking the social media accounts and email addresses of Polish public figures.
The warning also states that the national computer security incident response team detected a website impersonating an official government site. The fake site harvested payment card data by falsely asserting that Polish residents were eligible for a European Union-funded grant. "This is a typical operation aimed at sowing chaos, undermining the state, but also collecting personal data and extorting money," the Polish Plenipotentiary for the Security of Information Space wrote.
It also cites an October incident that disrupted the Polish Senate website one day after the chamber unanimously voted to recognize Russia as a "terrorist regime." Poland attributes the incident to a group designated as NoName057(16) (see: Cyber Events Disrupt Polish, Slovakian Parliament IT Systems).