“Over the past year, Russia’s methods have shifted,” Swedish Civil Defense Minister Carl-Oskar Bohlin said on Wednesday. “Pro-Russian groups that once carried out denial-of-service attacks are now attempting destructive cyberattacks against organizations in Europe.”
During his press conference in Stockholm, Bohlin announced that the Swedish government has concluded that a 2025 cyberattack on a heating plant in western Sweden was carried out by a pro-Russian group with links to Russian security and intelligence services. Bohlin went on to compare this attack to a December 2025 attack on Poland’s power grid. Our experts in Stockholm, Warsaw, and Washington take up the story from there:
STOCKHOLM—Sweden’s announcement this week marks an important shift in how the country publicly frames the threat from Russia. Cyber intrusions against Swedish targets are not new, but for the first time, Swedish authorities have openly attributed such activity to actors linked to Russian security and intelligence services, connecting it to an attempted intrusion into critical infrastructure on Swedish territory.
In Sweden, the reaction has been measured but serious, with the incident seen as part of a systematic pattern. Officials have explicitly linked it to similar attacks against energy systems in Poland in December, where coordinated operations targeted heat and power supply at scale, as well as in Norway and Denmark. The Swedish case caused no major disruption, as protective systems held, but it nevertheless represents an attempt to affect civilian infrastructure in a NATO member state.
The incident also points to a shift in Russian tactics. Operations are increasingly directed at operational technology controlling physical functions, raising the potential for real-world disruption, particularly in the energy sector, where even limited interference can generate disproportionate societal effects. Against the backdrop of more than 150 incidents of sabotage, cyberattacks, and influence operations linked to Russia across Europe since 2022, this reflects a more risk-acceptant approach within a sustained campaign to pressure European states supporting Ukraine, testing resilience, creating uncertainty, and demonstrating reach without triggering direct military confrontation.
This has accelerated a policy shift. Sweden and its regional partners are placing greater emphasis on civil preparedness, infrastructure protection, and public-private coordination, while deepening cooperation through NATO and the European Union. The broader conclusion is that such attacks form part of the same strategic continuum as Russia’s war against Ukraine, with Moscow probing how far it can go below the threshold of open conflict.
WARSAW—The incident in Sweden can be easily linked to events in Poland in December 2025. That month saw fewer incidents on average than the rest of the year—but it included one of the most serious operations against Polish critical infrastructure in years, along with related “hybrid” pressure activities. Taking place on December 29-30, this coordinated cyberattack against the Polish power grid targeted wind and solar farms, combined heat and power plants, as well as industrial systems such as IT and operational technology.
It did not trigger a nationwide blackout, but critical control systems were disrupted, some industrial equipment was damaged beyond repair, and communication between energy assets and operators was degraded.
Such Russian “hybrid warfare” (or as the Poles would rightfully call it, “terrorism”) is nothing new. In the first year of Russian President Vladimir Putin’s open aggression against Ukraine, Poland saw cyberattacks increase by over 300 percent. The December attack fits Russia’s “below threshold” warfare model against NATO members, which is designed not to trigger an Article 5 response. It was also timed during the winter holidays, obviously to maximize pressure. What makes it stand out is that it represents a shift toward integrated cyber and physical attacks.
The Polish reaction followed a rapid national security mobilization playbook typically favored here. The attack was detected and stopped before any blackouts could occur. The government convened emergency meetings with the relevant ministers, intelligence agencies, and energy sector operators. Full operational readiness of security services was ordered. Russia was publicly called out with Polish officials officially blaming “groups directly linked to Russian services.” Finally, the government accelerated work on the new National Cybersecurity System Act. Viewing itself as a frontline state under pressure, Poland prioritizes speed, resilience, and signaling.
The general attitude here is to view such attacks on Poland and other European states as a part of Russia’s aggression in Ukraine. In other words, not separate. Despite increased friction between Kyiv and Warsaw over the years, Poland is under no illusion as to what Russia is ultimately after—a redesigned security order in Europe based on spheres of influence. We also saw, as so often before in Poland, national unity during a moment of crisis linked to foreign aggression.
WASHINGTON—Sweden’s accusation is the latest in a long line underscoring the sophisticated, well-resourced, and persistent threat that Russia’s sprawling cyber operations ecosystem poses to Sweden, to Europe and NATO, and to the West and the United States.
It is important to understand that Russia’s cyber operations fit within Russia’s broader conflict and subversion apparatus, and that down to the agency-perpetrator level, the operations reflect the cultures of the organizations that carry them out. Russian military intelligence (GRU) personnel are brazen and aggressive in the physical domain, carrying out assassinations, sabotage, and the like. It’s a similar story when it comes to cyber operations, as the GRU is believed to be behind the majority of Russia’s most destructive cyber operations to date, including the infamous, repeated shutdowns of Ukrainian power grids over a decade ago. Troublingly, if a fairly recent Polish government report is to be believed, Russia’s Federal Security Service (FSB) may be getting into the disruptive cyber operations game.
“Russia-backed” or “Russia-aligned” cyber actor is also a phrase worth unpacking. Russia is home to a large, shifting, very opaque web of cyber actors, from patriotic hackers to cybercriminals to state agencies. Some are bribed. Some are tasked. Some have nothing to do with the government, even as they bribe low-level officials and get implicit protection. Breaking down these distinctions is critical—even if all the resulting cyber action is harmful to European or Western security—to better identify specific actors, trace responsibility up or down the government hierarchy, and prepare more precisely to defend against attacks in the future.
Nation-states can’t deter cyber espionage (because it’s espionage), but they can do a better job shaping it. They can also do a better job of imposing costs on the wide range of activities that Russia sees as part of “active measures” but go well beyond espionage, such as disruptive cyber operations against civilian energy infrastructure outside of war. But the problem is, every time one of these operations happens, half of the reactions call it (yet another) “wake-up call” and don’t always match that with clear, decisive action.

