Interview

Why have cyberattacks in Poland spiked since Donald Tusk’s election?

Threat intelligence expert Richard Hummel dissects why cyberattacks in Poland have increased drastically since Tusk was elected in conversation with Alex Blair.

Tusk’s support for Ukraine has been a major factor behind pro-Russian cyberattacks on Poland. Credit: Viktor Kovalchuk / Getty Images

Worldwide cybercrime costs are estimated to reach $10.5trn annually by 2025, with both companies and governments bearing the brunt of cyberattacks by malicious actors. 

As a threat intelligence lead for data security firm NetScout, Richard Hummel is seasoned in analysis of malware, intrusion detection and threat migration. His sixteen-plus years’ experience in the cybersecurity sector has seen Hummel encounter all types of threat. 

Recent attention has centred on the rise in distributed denial-of-service (DDoS) attacks, which “attempt to overwhelm network connections to make them unavailable” rather than intruding into the network itself, according to Hummel. 

Here, Hummel explains the form of and forces behind the drastic surge in DDoS activity in Poland since Prime Minister Donald Tusk took office in December.

Alex Blair: What is the current political and cybersecurity landscape in Poland?

Richard Hummel: Changes in political leadership can cause disruptions in many areas. One notable area is in cyberspace, where DDoS attacks often spike when a new head of government is elected. This increase in attack activity often results from hacktivists and other threat actors opposing the viewpoints of newly elected officials and wanting to take action.

There has been a significant surge in DDoS attack activity in Poland since the new Prime Minister, Donald Tusk, was sworn in on 13 December 2023. Attack volume began to increase around Christmas and has continued to remain elevated to this day, spiking on 14 January with more than 5,000 total attacks. This surge in attacks, fuelled by the new government’s support of Ukraine, resulted in a massive four times increase in DDoS attack volume. 

The most notable group targeting Poland is NoName057. The pro-Russian, highly prolific hacktivist group has targeted several types of websites, including government administration, transportation and logistics, finance and air transport. 

This wave of DDoS attacks targeting Poland will raise alarm bells around the world, given the series of leadership elections taking place this upcoming year. As such, governments, service providers, and enterprises, as well as society at large, should be prepared for these attacks.

Alex Blair: Why have cyberattacks increased since Tusk gained office?

Richard Hummel: DDoS attacks often spike with a change of the guard. These spikes often result from hacktivist and other groups opposing the viewpoints of newly elected officials. Some notable groups that do this include Killnet, Anonymous Sudan, and NoName057, who often target countries that are perceived as ‘anti-Muslim’ or show support and solidarity with Ukraine.

Groups like NoName057 will continue to wage a political and religious war against any nation that stands in the way of their ideals and goals. NoName057 is also strongly pro-Russian, targeting Tusk for reversing his predecessor Mateusz Morawiecki’s decision to halt arms exports to Ukraine. 

Alex Blair: What form have cyberattacks against the Polish government and other institutions taken?

Richard Hummel: A large portion of the attacks include botnet-driven attacks. These can take several forms, including HTTP/HTTPS application-layer attacks, which are a staple of Killnet and NoName057. The latter of these two uses code called DDoSia, often hosted on public hosting infrastructure.

These bots can also launch any number of volumetric attacks and perform network intrusion activity like brute-forcing, scanning, and exploitation. In conjunction with the botnet attacks, there is a large amount of reflection/amplification attack traffic. These attacks are often easy, cheap, and readily accessible via booter and stresser services in the underground internet.

Given the political views of the current administration in Poland, there are likely a lot of hacktivists and opportunists taking up digital arms with DDoS leveraging these underground services. 

Alex Blair: Are the perpetrators state actors, or independent hacktivist groups?

Richard Hummel: We often classify them as arms-length state actors. What we mean by that is they often look like state actors, target those opposed to specific nations, and seem to have state backing, but are in fact criminal groups.

We have no doubt that many of them take cues from, and perhaps even targeting from, state actors, but we have yet to make a definitive connection that ties them to funding received directly from government entities or direct operational control.
