Hybrid threat: How drones over Poland translate into cyber risk

The night of 9-10 September 2025 will go down in history as the moment when the war across our eastern border ceased to be a mere media report and became a tangible threat. Russian drones over Poland and their downing by the Polish armed forces is an unprecedented event.

However, anyone who views this incident solely in military terms is making a strategic mistake. For the violation of airspace was a high-profile prologue to the silent offensive that is about to begin in Polish cyberspace.

Drones over Poland and the anatomy of Russian cyber-aggression: how does the Kremlin machine work?

To understand what lies ahead, we must first grasp the adversary’s philosophy of operation. For years, Russia has perfected a doctrine of hybrid warfare in which missiles, beats and disinformation form a single, integrated arsenal.

The aim is no longer just to conquer territory, but to paralyse the state from within – breaking its economy, destroying trust in its institutions and dividing its society.

In this strategy, cyber attacks play a key role, with specialised secret service units acting with finesse and brutality.

These operations are headed by two main actors whose code names should be familiar to any security professional:

• GRU (APT28/Fancy Bear): This is the digital equivalent of the Specnaz units. Units subordinate to military intelligence specialise in high-profile, destructive and sabotage operations. Their goal is chaos. They are behind the attacks on Ukraine’s power grid, the hacking of electoral systems or the devastating Wiper malware attacks that irretrievably erase data. If something is to be destroyed, switched off or paralysed – the GRU steps in.
• SVR (APT29/Cozy Bear): They are the aristocracy of Russian digital intelligence. They operate more quietly, more subtly and their operations are characterised by extreme patience. The Foreign Intelligence Service focuses on long-term espionage. They are responsible for the notorious attack on the SolarWinds software supply chain, which gave them access to the networks of thousands of companies and government agencies around the world for months. Their focus is on information, strategic advantage and quietly placing 'digital sleeper agents’ on key enemy systems.

Significantly, Russian services are blurring the line between state operations and common cybercrime.

Ransomware groups such as Conti or LockBit often receive tacit permission from the Kremlin to operate in exchange for fulfilling 'orders’ hitting Western targets – hospitals, corporations or local governments. This allows them to wreak havoc at the hands of seemingly independent criminals and further complicates the attribution of attacks.

Scenarios for Poland: predicted attack vectors

In the context of recent events, Poland is becoming a high-priority target. We can expect to be hit from several directions simultaneously.

Scenario 1: Impact on critical infrastructure (ICS/SCADA)

This is the most dangerous scenario. Industrial control systems on which the functioning of the state depends will be targeted. Attacks could target:

• Energy sector: Attempts to take control of transformer substations in order to trigger regional or even national blackouts.
• Transport and logistics: Paralysis of rail traffic management systems, which would have a direct impact on support shipments to Ukraine, but also on the national economy.
• Water supply and treatment plants: manipulation of control systems can lead to interruptions in water supply or, in extreme cases, to water contamination.

Scenario 2: Administrative paralysis and data theft

Key institutions of the state will become the main target of espionage operations (conducted by the SVR). Massive spear-phishing campaigns should be expected, precisely targeting officials and military officers from the Ministry of Defence, the Ministry of Foreign Affairs or the Ministry of Digitalisation.

The aim will not only be to steal security data and defence plans, but also to take control of accounts that can be used for further escalation or disinformation operations.

Scenario 3: Information warfare and social chaos

This attack is already underway, but it will now enter a new, intense phase. Its aim is to destroy the social fabric. We can expect:

• DDoS attacks on major news portals and banking services to give the impression that the state is losing control.
• Defacement (content substitution) of government websites to publish false messages and sow panic.
• Massive disinformation campaigns on social media, run by troll farms and bots. Narratives will focus on undermining the effectiveness of the Polish army (’they didn’t shoot everything down’), accusing the government of 'provoking Russia’ and stoking anti-Ukrainian sentiment.

Why is increased activity inevitable?

These predictions are not mere speculation. They stem directly from an analysis of Russian war doctrine and the logic of the current situation.

1. First: Asymmetric Retaliation. Russia cannot afford an open armed conflict with a NATO country. The downing of its drones was a slap in the face that cannot go unanswered. Cyberspace is the ideal theatre for retaliation – allowing painful blows to the economy and infrastructure while avoiding crossing the threshold of open war.
2. Second: Phase Two of the Operation. The drone attack was designed not only to strike Ukraine, but also to test the response time and procedures of the Polish defence. Now Phase Two begins: creating internal chaos in a country that is a key logistical hub for Ukraine and a pillar of NATO’s eastern flank. Weakened and preoccupied with its own problems, Poland is a strategic target for the Kremlin.
3. Third: Testing the Alliance. Russia wants to test in practice how Article 5 solidarity mechanisms work, not only in the military dimension but also in the cyber dimension. A massive attack on Poland will be a test for response procedures and cooperation within NATO.

The front runs through every server room today

We must abandon the illusion that cyber security is a technical problem locked up in IT departments. Today, it is the foundation of national security, with every administrator, developer and manager becoming a defender on the digital front line.

The time of reactive firefighting is irrevocably over. A paradigm shift towards proactive defence and resilience building is required.

It is worth emphasising at this point: the purpose of this analysis is not to sow panic, but to build strategic awareness and resilience. It is sound knowledge and cool risk assessment, not fear, that provide the basis for effective preparation for scenarios that could materialise at any time.

For the IT industry, this means immediate action is required:

• The implementation of the 'Zero Trust’ architecture: The principle of „never trust, always verify” must become standard in every corporate and government network.
• Proactive Threat Hunting: Security teams need to actively hunt for signs of intruders on their networks, rather than passively waiting for alerts from SIEM systems.
• Audit and Testing of Incident Response Plans (IRPs): Having a plan on paper is not enough. It needs to be tested regularly through simulations so that when a crisis occurs, everyone knows what to do.
• Building Public Resilience: The IT sector has a huge role to play in educating employees and the general public on how to recognise disinformation and phishing.

The red sky over eastern Poland was a test of our military procedures. The upcoming digital offensive will be a test of the resilience of our entire state and society. This is not a time for fear, but for the consolidation of forces – for cooperation between the private sector and public administration, for sharing knowledge about threats and for building a digital shield that neither massive DDoS attacks nor precision spying operations can break. History teaches that Poland’s greatest strength in the face of threats has always been its ability to mobilise and adapt. Today, this mobilisation must take place in our networks, server rooms and minds.