During a press conference (link requires translation) yesterday, Sweden publicly attributed a failed cyberattack on a thermal heating plant in western Sweden in 2025 to a pro-Russian group with links to Russian intelligence and security services.
The attack targeted energy infrastructure systems, though officials confirmed the attempt was unsuccessful and did not disrupt operations.
Swedish Civil Defense Minister Carl-Oskar Bohlin said the incident involved efforts to carry out a destructive cyberattack against the facility, reflecting a shift from earlier activity such as denial-of-service attacks toward operations aimed at impacting industrial control systems. The government did not disclose technical details of the intrusion or how access was attempted.
Officials compared the incident to other recent attacks in Europe, including cyberattacks on energy infrastructure in Poland affecting systems serving up to 500,000 customers.
Damon Small, Board of Directors, Xcape, Inc.:
“Sweden’s attribution of the failed 2025 thermal plant attack to Russian-linked actors signals a chilling shift in the European threat landscape. It is the graduation from digital harassment to attempted kinetic destruction. By targeting Industrial Control Systems (ICS) rather than mere public-facing websites, these actors are signaling an intent to cause physical suffering. In this case, the adversary is doing so by attempting to disable heating during freezing temperatures.
“The real danger, as seen in the parallel 2025 Polish power plant attacks, is not just a temporary service outage, but the deployment of destructive wiper malware like DynoWiper to permanently “brick” field devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs).
“For infrastructure operators, this move from cyber vandalism to disrupting Operational Technology (OT) means the era of treating Information Technology (IT) and OT as separate security domains is over. Attacks against critical infrastructure must be expected as a primary instrument of modern geopolitical conflict. Where missiles cannot reach, packets sent across the Internet can.
“The fact that this attack was successfully defended is a testament to Sweden’s “built-in protection mechanisms,” but it also serves as a final warning that national defense now begins at the firewall. Security teams must prioritize the immediate hardening of the IT/OT boundary.
“If your thermal plant’s security is still relying on “security through obscurity,” you’re not a defender; you’re a volunteer for a Russian stress test.”
Steven Swift, Managing Director, Suzu Labs:
“There’s not a lot of detail provided in the public statement from Sweden on this attack. That’s normal for this sort of thing, they don’t have an incentive to over share. In fact, the only meaningful thing they really shared was that 1) an attack was attempted and 2) they were prepared for it, resulting in no impact. That’s mostly just PR on their part.
“Critical infrastructure has long been a high value target. Both for cyber as well as traditional attacks. Cyber is interesting here, in that these attacks can be launched with less fanfare, at higher frequency, against a larger number of targets.
“While it’s obviously a win for Sweden that this attack failed, it should be noted that most attacks fail. Attackers don’t care that much about the success of individual campaigns. They solve this with scaling. Both by targeting a large number of targets, and by running a variety of independent campaigns.
“Defenders have to get it right 100% of the time, or they experience a breach. Attackers are the opposite, they only need 1 success, it doesn’t matter much how many failures it takes to get there.”
Josh Marpet, Senior Product Security Consultant, Finite State:
“Cyberattacks against utilities are common and increasing in number and sophistication. That curve doesn’t appear to be flattening, indicating that a stronger response is indicated. Since most utilities are municipal and revenue constrained, it’s difficult for them to up their defenses quickly. Larger utility companies can, but there are many municipal water and power transmission organizations that would have to do a bond issue in order to fund any such expenditures.
“Effectively, power generation, power transmission, water, internet, and other such utilities are finding themselves increasingly targeted by attackers growing in sophistication and motivation.
“Unless they outsource their defenses, it seems almost inevitable that they will have incidents and be breached. Whether it’s customer data or mass disruption, none of the outcomes are desirable.
“Unless and until the federal government provides some help, it’s down to the states, municipalities, and utilities themselves to figure out this issue.
“Raising prices is perpetually unpopular. So, outsourcing for maximum efficiency, and working as community members in the various ISAC’s and associations, is the way to go.
“With the sheer volume of IoT and OT equipment in the utilities, they need to pick the right outsourced help, and get it soon.”
While this attack failed, the next one might not. Because threat actors will learn from their failure and refine how they launch attacks to that next one succeeds. Defenders should keep that in mind.
Sweden discloses failed 2025 cyberattack on thermal plant
Posted in Commentary with tags Russia on April 16, 2026 by itnerdDuring a press conference (link requires translation) yesterday, Sweden publicly attributed a failed cyberattack on a thermal heating plant in western Sweden in 2025 to a pro-Russian group with links to Russian intelligence and security services.
The attack targeted energy infrastructure systems, though officials confirmed the attempt was unsuccessful and did not disrupt operations.
Swedish Civil Defense Minister Carl-Oskar Bohlin said the incident involved efforts to carry out a destructive cyberattack against the facility, reflecting a shift from earlier activity such as denial-of-service attacks toward operations aimed at impacting industrial control systems. The government did not disclose technical details of the intrusion or how access was attempted.
Officials compared the incident to other recent attacks in Europe, including cyberattacks on energy infrastructure in Poland affecting systems serving up to 500,000 customers.
Damon Small, Board of Directors, Xcape, Inc.:
“Sweden’s attribution of the failed 2025 thermal plant attack to Russian-linked actors signals a chilling shift in the European threat landscape. It is the graduation from digital harassment to attempted kinetic destruction. By targeting Industrial Control Systems (ICS) rather than mere public-facing websites, these actors are signaling an intent to cause physical suffering. In this case, the adversary is doing so by attempting to disable heating during freezing temperatures.
“The real danger, as seen in the parallel 2025 Polish power plant attacks, is not just a temporary service outage, but the deployment of destructive wiper malware like DynoWiper to permanently “brick” field devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs).
“For infrastructure operators, this move from cyber vandalism to disrupting Operational Technology (OT) means the era of treating Information Technology (IT) and OT as separate security domains is over. Attacks against critical infrastructure must be expected as a primary instrument of modern geopolitical conflict. Where missiles cannot reach, packets sent across the Internet can.
“The fact that this attack was successfully defended is a testament to Sweden’s “built-in protection mechanisms,” but it also serves as a final warning that national defense now begins at the firewall. Security teams must prioritize the immediate hardening of the IT/OT boundary.
“If your thermal plant’s security is still relying on “security through obscurity,” you’re not a defender; you’re a volunteer for a Russian stress test.”
Steven Swift, Managing Director, Suzu Labs:
“There’s not a lot of detail provided in the public statement from Sweden on this attack. That’s normal for this sort of thing, they don’t have an incentive to over share. In fact, the only meaningful thing they really shared was that 1) an attack was attempted and 2) they were prepared for it, resulting in no impact. That’s mostly just PR on their part.
“Critical infrastructure has long been a high value target. Both for cyber as well as traditional attacks. Cyber is interesting here, in that these attacks can be launched with less fanfare, at higher frequency, against a larger number of targets.
“While it’s obviously a win for Sweden that this attack failed, it should be noted that most attacks fail. Attackers don’t care that much about the success of individual campaigns. They solve this with scaling. Both by targeting a large number of targets, and by running a variety of independent campaigns.
“Defenders have to get it right 100% of the time, or they experience a breach. Attackers are the opposite, they only need 1 success, it doesn’t matter much how many failures it takes to get there.”
Josh Marpet, Senior Product Security Consultant, Finite State:
“Cyberattacks against utilities are common and increasing in number and sophistication. That curve doesn’t appear to be flattening, indicating that a stronger response is indicated. Since most utilities are municipal and revenue constrained, it’s difficult for them to up their defenses quickly. Larger utility companies can, but there are many municipal water and power transmission organizations that would have to do a bond issue in order to fund any such expenditures.
“Effectively, power generation, power transmission, water, internet, and other such utilities are finding themselves increasingly targeted by attackers growing in sophistication and motivation.
“Unless they outsource their defenses, it seems almost inevitable that they will have incidents and be breached. Whether it’s customer data or mass disruption, none of the outcomes are desirable.
“Unless and until the federal government provides some help, it’s down to the states, municipalities, and utilities themselves to figure out this issue.
“Raising prices is perpetually unpopular. So, outsourcing for maximum efficiency, and working as community members in the various ISAC’s and associations, is the way to go.
“With the sheer volume of IoT and OT equipment in the utilities, they need to pick the right outsourced help, and get it soon.”
While this attack failed, the next one might not. Because threat actors will learn from their failure and refine how they launch attacks to that next one succeeds. Defenders should keep that in mind.
Leave a comment »