{
	"id": "c9664ae3-b617-4701-b50e-469587081dbc",
	"created_at": "2026-04-06T00:21:11.262855Z",
	"updated_at": "2026-04-10T03:34:24.422038Z",
	"deleted_at": null,
	"sha1_hash": "45926558e5d13169e1ec1e32fd20b2ff5a84ccb7",
	"title": "Russian cyberattacks - Special Services - Gov.pl website",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68199,
	"plain_text": "Russian cyberattacks - Special Services - Gov.pl website\r\nArchived: 2026-04-05 15:58:56 UTC\r\n30.12.2022\r\nWith the ongoing war in Ukraine, there are more and more occurrences in Polish cyberspace classified as\r\ncomputer incidents, including attacks perpetrated by Russian hackers. This is a response of the Russian Federation\r\nto Poland’s support for Ukraine and an attempt to destabilise the situation in our country.\r\nSince the beginning of the Russian invasion of Ukraine, Poland has been a constant target of the Kremlin’s\r\nhybrid actions, including attacks in cyberspace. Recently this hostile activity has intensified. This is the\r\nconsequence of our commitment to help Ukraine but also of the fact that Poland is strongly advocating in the\r\ninternational arena for providing help to Kyiv. Through hostile operations in cyberspace Russia wants to exert\r\npressure on Poland, as a frontline country and a key ally of Ukraine on NATO’s eastern flank.\r\nBoth public administration domains and private companies, the media and ordinary users become the target of\r\nhacker attacks. Entities from strategic sectors, such as energy or armaments, are particularly at risk. Some of these\r\nhostile campaigns can be linked directly to the activities of pro-Russian hacking groups.\r\nThis was the case, for example, with the recent attack on the website of the Polish parliament (Sejm). The CSIRT\r\nGOV team operating in the Internal Security Agency (ABW) identified problems with the accessibility of the\r\nsejm.gov.pl website. Data analysis showed that the website's unavailability was the result of an attack carried out\r\nby the pro-Russian group NoName057(16). On the Telegram portal, this group has set the parliamentary website as\r\none of its targets. 
This attack was a response to the adoption by the Sejm of the Republic of Poland of a resolution\r\nrecognizing Russia as a state sponsor of terrorism.\r\nSuch incidents in cyberspace are retaliatory actions typical of Russia, which are a response to steps taken by other\r\ncountries that are unfavorable and inconvenient for the Russian Federation. Hacker groups linked to the Kremlin\r\nuse ransomware, DDoS and phishing attacks, and the goal of hostile actions coincides with the goals of a hybrid\r\nattack: destabilization, intimidation and sowing chaos.\r\nFalse structures are also used for aggressive actions, such as websites impersonating real websites. In the first days\r\nof December, the CSIRT GOV Team received information about the registration of a phishing website\r\nimpersonating a website in the government domain gov.pl. The content of the fake website suggested that the\r\nPresident of the Republic of Poland signed a decree on compensation for Polish residents, financed from European\r\nfunds. The \"I'd like to know\" link led through a phishing process and then redirected to a phishing payment card\r\npage under the guise of charging a verification fee to pay compensation. Thanks to the intervention of the Internal\r\nSecurity Agency, the website was blocked. This is a typical operation aimed at sowing chaos, undermining the\r\nstate, but also collecting personal data and extorting money.\r\nEvery attack in cyberspace pursues complex objectives and has various implications – social, political or financial\r\nones. More and more often cyberattacks are used in order to spread Russian disinformation and serve Russian\r\nspecial services to gather data and vulnerable information. One operation that is carried out using both of these\r\nmethods simultaneously is the \"GhostWriter\" campaign. 
It consists of attacking the email addresses and social media\r\naccounts of public figures in the CEE countries, mainly in Poland. The authors of this campaign are trying to\r\nseize information resources for the purposes of Russian disinformation. In recent months this operation has\r\nbeen focused on actions against Poland.\r\nTaking into consideration the increasing scale of threats, Polish cyberspace is constantly monitored for\r\npotentially dangerous incidents in order to react to them as fast as possible. At the same time, it is\r\nimportant to implement measures in order to prevent attacks. In Poland, the Prime Minister has also introduced the\r\nthird security alert CHARLIE-CRP, which relates to cybersecurity and responds to growing threats in\r\ncyberspace.\r\nGovernment Plenipotentiary for the Security of Information Space of the Republic of Poland.\r\nSource: https://www.gov.pl/web/special-services/russian-cyberattacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.gov.pl/web/special-services/russian-cyberattacks"
	],
	"report_names": [
		"russian-cyberattacks"
	],
	"threat_actors": [
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45926558e5d13169e1ec1e32fd20b2ff5a84ccb7.pdf",
		"text": "https://archive.orkl.eu/45926558e5d13169e1ec1e32fd20b2ff5a84ccb7.txt",
		"img": "https://archive.orkl.eu/45926558e5d13169e1ec1e32fd20b2ff5a84ccb7.jpg"
	}
}