A combined heat and power (CHP) plant serving nearly half a million Poles was targeted in a cyberattack in December. The goal was to freeze people in their homes during one of the coldest weeks of the year.

Polish intelligence traced the plot back to at least March 2025 and identified nine months of reconnaissance, stolen credentials, and malware designed to destroy data in the plant’s computer systems. They linked the operation to Russia’s intelligence services, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a formal alert.

The attack demonstrated a widening of Russia’s strategy of targeting the infrastructure that keeps cities warm, a strategy that has included near-daily missile strikes on energy facilities across Ukraine. The International Energy Agency reported that by the end of 2024 at least 18 Ukrainian CHP plants, more than 800 boiler houses, and 354km (220 miles) of heating pipes had been attacked.

The Polish plot was foreshadowed by a January 2024 cyberattack using a previously unknown malware called FrostyGoop that shut down heating for more than 600 apartment buildings in Lviv, western Ukraine.

It was the first publicly documented case of hackers exploiting the industrial Modbus electronic communications protocol to directly disrupt heating systems. Researchers later found exposed controllers using the same protocols in Lithuania and Romania.

District heating, in which a single plant serves thousands of apartments through shared pipes, is a target that is high-value, difficult to defend, and slow to repair. And a successful strike in winter can kill and even cause population movement.

District heating is the primary way cities in Central and Eastern Europe stay warm, particularly those in the former communist bloc. In Slovakia, district heating supplies 1.8 million people, and there are similar levels of provision across Poland, the Czech Republic, Hungary, and the Baltics.

Heat is delivered through a fragmented landscape of municipal operators with no common operational baseline and no tested crisis doctrine. While the EU’s NIS2 Directive classifies district heating as a sector of “high criticality,” most municipal suppliers fall below the directive’s size threshold.

Those who do qualify often find the rules applied inconsistently. Many EU member states missed the October 2024 deadline to incorporate the directive into national law. So while the regulatory architecture exists on paper, it has barely reached the providers who need it most.

But there may be some simpler fixes. CISA’s advisory on the Polish attack said the attackers exploited internet-facing devices with default passwords, noting that such vulnerabilities are endemic in municipal heating operations across the continent.

Many are perpetually underfunded, run ageing control systems with limited network segmentation and have not tested incident response plans.

Ukraine avoided large-scale winter collapse through hard-won adaptation: rapid repairs, pre-positioned capacity, and co-generation units producing heat independently of the power grid. By November, it was operating 182 co-generation units and 239 block-modular boilers, which it was able to deploy in days rather than months.

This experience is attracting attention in European civil-protection circles, but has not yet been taken fully on board by providers who need to follow Ukraine’s lead. Europe must take concrete steps to close this gap.

  • First, the minimum criteria of the European Union’s Preparedness Union Strategy should be extended explicitly to district heating operators, including sub-threshold municipal providers, with baselines for both physical resilience and cybersecurity.
  • Second, member states should mandate operationally tested crisis protocols for heat suppliers in coordination with civil protection and local government. The Polish CHP plant survived because its detection software blocked the wiper malware, but most municipal heating operators do not have that capability.
  • Third, Ukraine’s operational knowledge should be systematically transferred through the Energy Community Secretariat frameworks that connect it with its neighbors. The infrastructure for knowledge transfer is there; it just needs to be activated.

Poland’s December brush with disaster should serve as an alarm call for the rest of Europe.

Miro Sedlák is a senior energy sector executive, a security and defense studies doctoral candidate at the Armed Forces Academy of General M.R. Štefánik, Slovakia, and an Associate Research Fellow at the Institute for Central Europe.

Europe’s Edge is CEPA’s online journal covering critical topics on the foreign policy docket across Europe and North America. All opinions expressed on Europe’s Edge are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
