Russia forged new cyber weapons to attack Ukraine. Now they're going international
A view of the Kremlin’s Spasskaya Tower and St. Basil’s Cathedral in central Moscow, Russia, on April 24, 2024, with a code overlay. (Photo: Alexander Nemenov / AFP via Getty Images; Collage: The Kyiv Independent)
At the end of December, the person manning the digital boards at PSE, Poland's national electricity operator, noticed a flurry of solar stations suddenly flicker off grid.
Poland in the dead of winter can be a gloomy place. But the grid wasn’t seeing a drop-off in generation in line with the recent solstice. These were full disconnections, synchronized, at a time when the grid needed the power..
"They thought it was just a malfunction of the device because the plant was still producing power, they just couldn't get the remote connection," Marcin Dudek, head of CERT Polska, Poland's national cybersecurity authority, told the Kyiv Independent. "But we got the information that something was happening from the operator, who's monitoring all the plants."
Only once the operators stabilized the grid did the Polish cyber authorities get the breathing space to ask who exactly attacked their solar grid. A subsequent investigation by CERT-PL found that the attacker had also gotten into the systems of a major combined heat and power plant, where it had spent most of 2025 wiping firmware.
The hackers used code and methodology largely descended from Sandworm, a hacker group operating under Russia’s Main Intelligence Directorate, or GRU, that since a massive attack on the Ukrainian power grid back in 2016, has become one of the most infamous such groups in the world.
The attack was related but different. CERT-PL stopped short of naming their suspected hackers. But simultaneous reports from Google Cloud identified them as a group within Russia's Federal Security Bureau, or FSB, that was analogous to the GRU’s Sandworm unit.
The solar attack was "the first publicly described destructive activity attributed to this activity cluster," as CERT-PL phrased it in diplomatic terms.
"They did a lot of espionage in the past but not destruction," Dudek explained. "In Poland, if we have anything related to traffic systems, it's usually the hacktivists," he added, referring to hacking groups that generally operate outside of government control, often via public Telegram groups or Discord channels.
While Russian intelligence discretely coordinates many such hacktivist groups, the attack on Polish energy was more direct.
Polish authorities went on to describe the attack as one from the FSB.. Specifically, the unit behind the attack is "Center 16," a Soviet era KGB-originated signals group that has burrowed into an unknown number of systems globally.
The disconnection in Poland didn’t result in rolling blackouts across the nation like the Russian aerial bombardments that roiled Ukraine’s power and heating plants over the winter.
But given Russia’s escalating hybrid warfare on Ukraine’s Western backers, the activation of a new cyber entity directly tied to its main intelligence agency is alarming. This is especially true given that nobody knows how many critical systems like power grids the FSB has burrowed into since the 2014 annexation of Crimea.
"If there's a serious attack tomorrow there will be a longer list, a retrospective of incidents that clearly demonstrate to us that there was already a conflict." John Hultquist, head of Google Cloud, told the Kyiv Independent.
"Russia is boiling the frog in Europe. They are slowly turning up the temperature when it comes to sabotage and these gray zone attacks."
What is Center 16?
The FBI in August put out a warning about the FSB unit Center 16, and the various internet front entities it used to attack international infrastructure, most frequently Berserk Bear and Dragon Fly.
Center 16 is also known as Military Unit 61608, their official chief leader is Aleksei Rarenko, and they are good at what they do.
"We have seen them dig into global critical infrastructure for 12 years now," Hultquist said . "The concern has always been that they’re sleeper agents. Their job is that when a serious conflict comes, they’re going to activate and start breaking things."
Hultquist worked at the State Department's cyber intelligence until forming his prior firm, ISight. ISight was the first to identify the Sandworm unit back in 2014. Also known as 74455, the Sandworm unit is an equivalent cyber-warfare structure within the GRU.
The FSB in theory focuses on domestic intelligence, but the two agencies jockey for power constantly. Center 16 has however historically kept its hacking activities to espionage.
"The good news has always been, that as opposed to Sandworm/the GRU, (Center 16) have never pulled the trigger previously, ever. At least not that we have seen."
Russian hackers are nothing new, but the great bulk of Russian hackers are, mercifully, incompetent. This includes the bulk of the hacktivists who may somewhere down the line be getting orders from Russian intel but are certainly not using their most effective methods.
NATO is seeing a massive uptick in the number of mass DDoS attacks that groups like CyberArmyofRussia_Reborn are staging, but those are almost all on "low-hanging fruit," as Hultquist put it.
"Recently, in Poland, but also in many countries, there are hacktivist groups that are targeting industrial control systems that are exposed to the internet and not well configured," said Dudek.
Center 16's specialty is hacking highly secure industrial systems. In technical terms they focus on operational technology, or OT, rather than informational technology, or IT.
Instead of attacking a network, they use a network to infiltrate and manipulate physical systems via industrial controllers. With ever more critical processes from power plant operations to airplane controls to advanced hospital equipment going online, skilled OT hackers can take aim at targets for sabotage unimaginable in previous eras.
A report from US cyber authority CISA back in 2018 noted Center 16's sophistication in breaking into high-level industrial facilities via "watering holes," third-party targets like "trade publications and informational websites related to process control, industrial control systems, or critical infrastructure."
Almost like an ad agency, Center 16 takes aim at web users via business-to-business publications light on regular readers and heavy on professionals with access to control boards. Instead of selling the target audience boutique equipment it hijacks their boutique access.
Industrial scale
Center 16's surveillance success has been eerie. The breadth of systems it has invaded is unknown but extensive.
"I mean nuclear systems, oil and gas, Norwegian oil fields, Irish airports — all over the world, they’ve dug in all these places, and they sit there," Hultquist says, listing his encounters with the FSB's code.
The actual clues in the code that gave the organization away as a Russian intel operation include some of the tell-tale signs of Sandworm. That includes Russian-language notes layered into malware scripts. Given the industrial-scale copying and pasting that dominates the world of hackers, that also sometimes includes overt theft of scraps of code designed for control stations by makers like Siemens or Hubei. In some cases, that includes the references to Frank Herbert's Dune that gave Sandworm its name, Hultquist says.
Another is what's known as a wiper. CERT Polska spent two months on the post-mortem of the December attack in part because the hackers tried to wipe the system logs. A wiper destroys both data on machines and evidence of hackers. Most ransomware includes a wiper that activates if the victim doesn't pay the digital ransom.
The actual wiper script in Poland, however, was called Dynowiper, which looks to be descended from Sandworm favorite, ZOV. The resemblance is close enough that some cyber researchers initially attributed the attack on Polish energy to GRU rather than FSB.
Ukrainian Testbed
Russian hackers test their techniques close to home. In 2014, Ukraine took on the role of ground zero for all newfangled hacks. The best parallel available remains the work of the GRU unit responsible for Sandworm.
The Sandworm unit took out a power network concentrated in Prykarpatiia, near the borders with Slovakia and Hungary in December 2015. An almost identical attack hit Kyiv the next winter.
The full-scale invasion in Feb. 2022 subjected all of Ukraine to attacks across domains — the cyber realm was no exception. The cream of Russia’s digital crop are certainly working on breaking into Ukrainian military systems. The fog of war has indeed masked many of them from the public eye. Among aggregate estimates, however, Ukrainian authority CERT-UA puts total attacks on Ukraine in 2025 at 5,927, in a figure that grows significantly every year.
Ukrainian intelligence more recently blamed the GRU team for an attack that disabled KyivStar, the largest mobile network provider in Ukraine, in Dec. 2023.
The next year, Diia, a mobile application through which Ukrainians manage an ever-increasing proportion of their government documentation, went down mysteriously for almost a month.
A series of registries housed under the Justice Ministry went offline in an attack that the minister similarly attributed to the GRU. Similar attacks took ministry sites offline in Slovakia and Hungary shortly thereafter.
"This starts in Ukraine. But we know that Russia’s endgame is not the Donbas," as European Vice President Kaja Kallas phrased it in Munich in February.
"Beyond Ukraine, Russia already seeks to cripple economies through cyberattacks, disrupt satellites, sabotage undersea cables, fracture alliances with disinformation, coerce countries by weaponizing oil and gas."
Westward migration
The activation of Center 16 and the attack on Poland's solar grid is, as a result, a key moment in the escalation of Russia's cyber war on the West, especially the European Union.
"I’m not aware of any attacks like this on NATO or Europe on the energy infrastructure," said Dudek. "Not only in Poland, but in the world, it's quite rare to have attacks on the industrial world. There are cases, but a lot of the cases are in Ukraine."
There is little doubt that Center 16's targets are heavy on the military. A 2024 analysis of Center 16's methodology included highly tailored access to individuals within global defense and aviation companies.
Hultquist at the outset of Russia's full-scale invasion wrote: "We believe these breaches are preparation for a contingency when Russia is prepared to cause serious disruptions."
Four years into its full-scale invasion on Ukraine, Russia's physical advance has stalled. Its financial and political ties in the West are withering. With other leverage running out, Russia is expanding its cyber campaign against the EU and U.S.
