Cyber Incident Victim: Platforma Obywatelska

Date: Apr 2025

Location: Poland

Summary

A cyberattack targeted the IT systems of Poland's Civic Platform party, with Prime Minister Donald Tusk attributing the incident to foreign interference and indicating an "eastern trace" in the attack methodology. Security services identified compromised accounts of party activists used to distribute malicious emails, including one sent to a parliamentary account. Polish officials linked the operation to Eastern actors, suggesting potential involvement of Russian or Belarusian entities, consistent with prior warnings about Moscow-aligned groups attempting election interference through disinformation and cyber operations. The incident occurred amid heightened national security concerns over foreign attempts to disrupt upcoming elections, following previous cyber intrusions against Polish state institutions.

Description

On April 2, 2025, Polish Prime Minister Donald Tusk publicly disclosed, via the social media platform X, a cyberattack targeting the IT systems of his Civic Platform (Platforma Obywatelska) political party. Tusk characterized the incident as the beginning of foreign interference in Poland’s upcoming presidential elections, scheduled for May 2025, and stated that security services had identified an "eastern trace" in the attack. Digital Affairs Minister Krzysztof Gawkowski confirmed the seriousness of the breach, noting that Polish security services were conducting intensive investigations. Jan Grabiec, head of Tusk’s office, elaborated through state news agency PAP that analysts had identified specific data pointing to the operational methods of "services from the East," though he refrained from explicitly naming Russia or Belarus. Grabiec suggested Eastern actors often used Belarusian infrastructure or data to mask Russian involvement. The disclosure occurred amid heightened Polish government alerts over foreign sabotage risks, linked to Poland’s support for Ukraine and prior warnings from Gawkowski in January 2025 about Russian disinformation campaigns targeting the elections.

The attack involved the compromise of a local Civic Platform activist’s account, which unauthorized actors used to distribute emails containing malicious software. At least one such email reached a parliamentary account, according to a Radio Zet journalist’s report on X. Opposition lawmaker Michal Wos interpreted the incident as a strategic maneuver by Tusk’s party to frame the election context, comparing it to scenarios in Romania or France. This incident followed prior cyber intrusions against Polish institutions, including a March 2025 attack on the Polish space agency and a 2024 breach of the state news agency, which Warsaw attributed to Russian operatives. Polish authorities consistently linked these incidents to Moscow’s broader campaign of hybrid warfare, alleging Russian involvement in European sabotage and arson—a claim Russia denied. No specific data exfiltration or system disruption details were disclosed, but the timing reinforced concerns about election integrity and foreign influence operations. Security services continued forensic analysis without publicizing additional technical specifics or mitigation outcomes at the time of reporting.
