Cyber Incident Victim: Polish Parliament
Date: Dec 2022
Location: Poland
Summary
Poland reported intensified cyberattacks by Russia-linked threat actors, including the GhostWriter group and pro-Russian hacktivists NoName057(16), targeting critical infrastructure and government entities. A distributed denial-of-service attack disrupted parliamentary website access following a resolution condemning Russia, while GhostWriter conducted phishing campaigns impersonating official domains to steal funds and personal data. The group also compromised social media accounts to disseminate disinformation, aligning with historical efforts to spread anti-NATO narratives. In response, the government elevated its cybersecurity threat level, implementing enhanced monitoring and operational readiness measures across public administration and strategic sectors.
Description
In early 2023, the Polish government reported intensified cyberattacks attributed to Russian-aligned threat actors, specifically highlighting incidents targeting the Parliament of Poland and other critical entities. On an unspecified date following the Polish parliament's adoption of a resolution designating Russia as a state sponsor of terrorism, the pro-Russian hacktivist group NoName057(16) executed a distributed denial-of-service (DDoS) attack against the parliament's official website (sejm.gov.pl). This attack rendered the parliamentary website inaccessible to the public, disrupting digital services during a period of heightened geopolitical tensions. Concurrently, the state-sponsored GhostWriter group—linked by the European Union to Russia's GRU military intelligence and by cybersecurity firm Mandiant to Belarus—conducted phishing operations against Polish targets. The group established counterfeit websites mimicking Poland's legitimate gov.pl domain, promoting fraudulent financial compensation programs purportedly backed by European funds. Victims clicking embedded links were redirected to phishing pages soliciting small verification fees, likely enabling financial fraud and credential harvesting.

The attacks coincided with Poland's increased military support for Ukraine amid Russia's invasion, with Polish authorities attributing the cyber campaign to retaliation for this foreign policy stance. GhostWriter's operations extended beyond financial scams, involving attempts to compromise email accounts for intelligence collection and hijacking social media accounts to disseminate disinformation. Historical analysis indicated GhostWriter had operated since at least 2017, previously impersonating journalists in Lithuania, Latvia, and Poland to propagate anti-NATO narratives. The DDoS against parliament and GhostWriter's phishing infrastructure collectively threatened governmental operations, citizen trust in digital services, and national security frameworks. In response, Poland's Prime Minister elevated the national cybersecurity threat level to "CHARLIE-CRP," mandating 24-hour operational readiness across public administration offices and critical infrastructure organizations. This directive aimed to bolster monitoring, incident response coordination, and resilience against ongoing adversarial cyber activities targeting strategic sectors including energy and defense.
