On 30 January 2026, CERT.PL published findings concerning an electric sector attack on Poland in December 2025. This report, presumably the most complete on the incident covering multiple sources and coming from those directly responding to the total incident, arrived after earlier reporting from commercial organizations on elements of the same event, as well as social media speculation. While a more complete and accurate view of events from late December 2025 has now emerged, the flurry of publication in late January 2026 added some additional confusion.

Conflicts in Attribution

There are elements of reporting on the December 2025 event concerning impacts on distributed energy resources (DERs), alleged similarities to the (non-cyber) Iberian power incident from 2025, and the potential grid impacts in Poland had the incident disrupted generating assets, all of which are fruitful areas for further technical investigation and analysis. But what caught the eye of most entities following publication was a significant difference in incident attribution. Earlier Dragos and ESET reporting linked events to the Sandworm threat actor, which various governments have specifically linked to the Main Center for Special Technologies (GTsST) of Russia’s military intelligence service (GRU), field post number 74455. CERT.PL reporting arrived at a different conclusion, linking events to Berserk Bear, a long-running entity that multiple governments have likewise linked to Center 16 of Russia’s Federal Security Service (FSB).

Although both entities are associated with Russian state-directed cyber operations, the groups in question are otherwise quite different. Sandworm is linked to various publicly documented offensive, disruptive cyber operations including the 2015, 2016, and 2022 Ukraine power incidents, as well as various wiper attacks and the Prestige pseudo-ransomware incident impacting Ukraine and Poland. Berserk Bear, while linked to various critical infrastructure intrusion campaigns since the early 2010s, is NOT associated with any publicly known, proven disruptive incident. In addition to campaign impact and technical differences, there is also the issue of long-running interservice rivalries (if not outright competition) between Russia’s intelligence services, which makes these entities (along with the foreign intelligence service, or SVR) often quite distinct operationally.

Thus the “Sandworm or Berserk Bear?” attribution question is less an issue of narrow differences among related or similar threat actors (e.g., “was this Sandworm or Seashell Blizzard or ELECTRUM?”) than a choice between two very different entities entirely. To probe this further from a cyber threat intelligence tradecraft perspective and identify potential lessons to be learned, we can approach the subject from the angles of available data sources, potential adversary links and relationships, and finally adversary (and intelligence) tradecraft. Before digging in deeper, I would like to emphasize that the below represents analysis, not criticism, of public work based on publicly available details; it is not intended to besmirch the entities involved but rather to identify ways threat intelligence reporting may improve through self-reflection and review.

Different Data, Different Perspectives

The most straightforward reason for different attribution outcomes is access to different data resources. While none of the reporting entities mentioned thus far have documented completely what data was available (or unavailable) for analysis, we do have several issues documented that show varying perspectives:

  1. ESET’s reporting and analysis appears to be based almost exclusively on one malware family, DynoWiper, and its technical relationships with other Sandworm-linked wiper malware.
  2. Dragos’ analysis, rooted in incident response to one entity that had some assets involved in the incident, focuses on behavioral similarities to previous electric sector incidents associated with Sandworm, notably the 2015 and 2016 (but not the 2022) power events.
  3. CERT.PL’s in-depth research, unlike the other entities involved, appears to include initial access and related network infrastructure visibility, which through infrastructure tracking and analysis derives a link to current assessed Berserk Bear activity.

Three different perspectives, two markedly different conclusions, yet each plausible given the visibility (or the biases inherent in it) behind it. ESET’s malware analysis almost certainly identified accurate technical links with prior wiper samples. However, the technical link may mean a variety of things aside from “this is Sandworm.” As previously documented, what malware-focused analysis uniquely identifies is the malware developer, not necessarily the user. That DynoWiper is meaningfully similar to ZOV wiper can be a very true and accurate statement, but the reasons for this can vary from “this is a sample uniquely associated with Sandworm” to “the developer(s) of ZOV were previously working for Sandworm but also, or now, support Berserk Bear.” The latter is especially interesting given what has been learned of contractor networks supporting Russian (and many other countries’) cyber operations, such as NTC Vulkan, that appear to support multiple groups or agencies.

Dragos’ more behavior-centric analysis linking events in Poland with decade-old events in Ukraine highlights some high-level commonalities between the incidents that could be used to link the events to the same behavioral cluster (ELECTRUM). However, the tradecraft in question is both rather old—meaning multiple threat actors are aware of these actions and, if found useful, can replicate them in current events—and does not take into account more recent electric sector disruptive tradecraft, notably the 2022 Ukraine incident executed by Sandworm which is notably different from 2015 and 2016 in methodology. Specific evidence and related items are not presented in Dragos’ report so other items may have been used to make the assessed link, but focusing on these now-superficial behavioral overlaps appears both too limited and likely misguided given ten years’ worth of adversary development and evolution.

Lastly, CERT.PL’s analysis relies on linking the last-hop infrastructure associated with the incident with proxy network infrastructure associated with Berserk Bear. Proxy networks are increasingly popular with many threat actors as a way to establish reliable command and control while avoiding easy attribution. IF the associated proxy network is UNIQUELY linked to Berserk Bear operations, then this would presumably represent very strong evidence that this is the entity responsible. However, without further details on the proxy network, the same issues that arose in the malware discussion apply here. Notably, many proxy networks are maintained and developed by dedicated entities, ranging from PRC-associated examples like the KV Botnet to possible Russian equivalents such as proxy network creation enabled by NTC Vulkan’s Scan-V project. Additionally, multiple entities may utilize the same proxy network on a leased basis for their operations, making links back to a particular network insufficient to identify the actual entity involved in a given intrusion.

We arrive at a point where the visibility available to each of the reporting entities, or the types of data emphasized in making attributive claims, shows significant influence on the nature and result of such claims. It is also worth noting that the biases and limitations identified do not necessarily mean any of the claims are wrong; they simply highlight issues to be considered in evaluating the claims either in isolation or in aggregate. The latter is especially interesting in light of the “service provider” and similar relationships noted for both malware and infrastructure, for one possible conclusion might be: what if the incident was the action of more than one adversary?

Adversary Links, Overlaps, and Relationships

There is an overall, continuing bias within cyber threat intelligence investigations to assign responsibility for an event to a single entity. Yet this masks increasing diversification and division of labor within cyber operations. Most clearly tracked in cyber criminal ecosystems, where different entities manage different phases of operations from info stealers to phishing to hands-on-keyboard activity, such relationships also play out in the state-sponsored space. We already looked at one (admittedly non-Russian) instance in the KV Botnet and related infrastructure being managed by one entity but used by multiple (and not just Volt Typhoon). When expanding our visibility to contractors, private companies, and related entities, we glimpse ever greater diversity, with examples found in PRC intrusions as well as Russian operations.

One easy association given existing attribution claims would be that Berserk Bear and Sandworm were both involved in the Polish incident. ESET, Dragos, and CERT.PL’s claims could thus all be accurate but identifying different phases of the overall operation, with Berserk Bear aligned more with initial access phases and Sandworm associated with actions on objectives. Yet institutional relationships would seem to argue against such cooperation, given previously noted research into the at times antagonistic relationship among different sections of Russia’s intelligence services. Seeing GRU and FSB entities working together and coordinating operations, while not impossible, appears unlikely. Historically such relationships (or lack thereof) have even led to different agencies breaching the same networks in uncoordinated fashion simultaneously.

A more likely relationship would be one where some authority or decision maker established the objective of disrupting electric sector operations in Poland, with this activity then delegated to relevant technical entities for execution. In this case, different organizations with specialized skills, such as initial access development or operational technology (OT) intrusions, would be tasked to complete different phases of the operation and coordinate actions accordingly. In this sense one of the entities behind the attributed groups may be responsible (FSB Center 16 or GRU unit 74455), but the overall nature of the intrusions would map to several distinct activity clusters, or groupings of clusters, depending on which phase of the operation was analyzed.

The above leads us back to the sourcing issue: having limited visibility, or favoring one type of analysis over another, biases results toward that particular element of operations rather than analyzing the operation in its totality. Performing the latter is more difficult and complicated, and may yield seemingly contradictory results, with different operational phases resembling different entities. Yet when also viewed in light of resourcing, personnel, and business relationships, plausible scenarios emerge where certain capabilities (or the entities responsible for creating historical capabilities) may be shared among different organizations, leading to the identified overlaps.

A Note On Tradecraft

The last point highlights how adversary tradecraft has evolved over the years and how cognitive biases and limitations have done a disservice to tracking operations. As noted previously, whether discussing cybercrime or state-directed intrusions, operations have reached a level of complexity where “single intrusion, single actor” no longer makes much sense. While such a relationship is still possible, evaluation of events and available evidence makes it increasingly unlikely. That does not necessarily mean FSB and GRU are working together, but we may be witnessing items such as multiple, distinct teams operating within FSB and GRU and coordinating internally on an as needed basis. Alternatively, FSB and GRU may utilize the same network of contractors and commercial technical skills leading to overlaps in observed technical capabilities even when the controlling or tasking authority resides in significantly different and separate organizations.

We thus highlight two elements of tradecraft that need to be understood:

  • ADVERSARY tradecraft that increasingly adopts a division of labor approach such that unitary attribution may be at best problematic, and at worst inaccurate.
  • INTELLIGENCE tradecraft that must adapt to this environment and acknowledge the greater diversity and at times difficulty in performing technical attribution of cyber operations.

The former must be acknowledged by the latter, with the result that the Polish electric sector incident becomes more complex than “threat actor X is responsible for event Y.”

Notably this applies to technically or behaviorally focused threat attribution as seen through the application of models such as the Cyber Kill Chain, the Diamond Model, or the MITRE ATT&CK framework. In this type of analysis, guided by incident analysis and technical observations, multiple collections of behaviors or artifacts may be identified satisfying different phases of operations. Yet from a “primary attribution” (i.e., “who did it?”) perspective, all such actions may nonetheless roll up to the same authority. In this case, “Sandworm or Berserk Bear?” transforms into what appears on its face to be a similar question but is in fact something else entirely: “GRU or FSB?”

This question has significant implications for traditional intelligence and political-military decision making as it may reveal important changes in Russian cyber operations, a diversification in entities involved in disruptive actions, and potential implications for moving existing conflict outside of Ukraine (with possible NATO Article V implications). Yet from a cyber defense perspective, this question and its implications become less relevant compared to determining “how did this take place, and how do I defend against it.”

Conclusions

Based on available information at the time of writing, the Polish electric sector incident in December 2025 is likely the result of multiple groups interacting to achieve an objective. However, such “multiple groups” almost certainly does not include a collaboration or coordination between Sandworm (GRU) and Berserk Bear (FSB) for reasons already stated, making ultimate specific attribution (GRU or FSB?) unclear at this time based on public information, even if we can begin to form behavioral clusters of the observed activities.

The above may seem like so much trivia in the face of an egregious attack on civilian critical infrastructure, but it nonetheless has importance for the conduct of cyber threat intelligence and informs its objectives. First, intelligence practitioners must be alert to shortcomings and biases inherent to data sources and to how focus on specific perspectives may influence subsequent conclusions. Second, all-source fusion and mapping out intrusions as completely as possible can identify potential “hand-offs” among distinct behavioral clusters, or better allow us to challenge results that rely too heavily on one single source of evidence for subsequent conclusions.

A third and final point must also be made: what is this all for? In this case we need to ask, what is the purpose of our investigation and what decisions do we aim to support and enable? In this sense, attribution, behavioral or otherwise, may not matter compared to rigorous event analysis that identifies how an intrusion such as this took place, in order to facilitate subsequent detection, attack surface management, and similar actions to identify or prevent future similar events. The earlier points come into play here because a focus on group-specific attribution, and some of the pitfalls previously identified, may color or influence our analysis as analysts work to make events “fit” a certain known behavioral profile, to the detriment of accurate reporting and defensive support.

Like many incidents, the December 2025 incident in Poland is quite recent in both its execution and its analysis. Further research, analysis, and potentially the subsequent disclosure of information not yet public will shape our understanding of this incident over time, particularly as more analysts and subject matter experts review findings and compare them with other datasets. In the meantime, as analysts in a still-emerging profession, critical review and understanding of events, and of how different entities arrive at their conclusions (particularly when they conflict), is important for personal development and the continued maturation of the field of cyber threat intelligence.