In 2025, pro-Russian threat actors attempted to disrupt a Combined Heat and Power (CHP) facility in western Sweden, a failed attack on dual-purpose critical infrastructure serving both electricity generation and district heating networks.
The Minister for Civil Defence of Sweden, Carl-Oskar Bohlin, revealed in a news conference that the cyber-attack had been conducted in the spring of 2025 and the perpetrators were acting on behalf of Russian intelligence services.
An activist group loyal to Russia attempted an attack against a company in Sweden, but the attack failed, Bohlin added, pointing out that the security functions embedded within the system thwarted the threat.
Swedish security agencies investigated the matter, and there were no disruptions to the company's operations.
Despite this, officials noted that the incident reflects a larger trend in the tactics being used. Russian activists have started moving away from traditional DDoS attacks towards attacks on OT systems, he explained.
Typically, the attacks target operational systems. If these systems were hacked or remotely compromised, the consequences would be disastrous.
Not the first incident in the EU
Similar incidents have been reported across Europe, including in Poland (where attacks have been more extensive) as well as in Norway and Denmark. Bohlin described the trend as evidence of more “risk-prone and careless” behaviour by Russia, with the potential to cause significant societal harm.
According to John Billow, head of the Swedish National Cyber Security Centre, the agency has been ramping up efforts in helping businesses manage critical infrastructure. This encompasses greater visibility into potential threats, increased collaboration across industries, and pre-incident and incident response support.
Billow further cautioned that there is a “security debt” in Sweden regarding cybersecurity preparedness.
This means that although some well-defended sectors show great resilience, we have to raise the baseline for all. Investment is needed, but the price of failing is much steeper, Billow added.
A chilling shift in the EU threat landscape
Damon Small, Board of Directors at Xcape Inc, commented: “Sweden’s attribution of the failed 2025 thermal plant attack to Russian-linked actors signals a chilling shift in the European threat landscape. It is the graduation from digital harassment to attempted kinetic destruction. By targeting Industrial Control Systems (ICS) rather than mere public-facing websites, these actors are signalling an intent to cause physical suffering. In this case, the adversary is doing so by attempting to disable heating during freezing temperatures.”
Small said the real danger, as seen in the parallel 2025 Polish power plant attacks, is not just a temporary service outage, but the deployment of destructive wiper malware like DynoWiper to permanently “brick” field devices such as Remote Terminal Units and Programmable Logic Controllers.
“For infrastructure operators, this move from cyber vandalism to disrupting Operational Technology (OT) means the era of treating Information Technology (IT) and OT as separate security domains is over. Attacks against critical infrastructure must be expected as a primary instrument of modern geopolitical conflict. Where missiles cannot reach, packets sent across the Internet can.”
He added that the fact that this attack was successfully defended is a testament to Sweden’s “built-in protection mechanisms,” but it also serves as a final warning that national defence now begins at the firewall. Security teams must prioritize the immediate hardening of the IT/OT boundary.
“If your thermal plant’s security is still relying on ‘security through obscurity,’ you’re not a defender; you’re a volunteer for a Russian stress test.”
No incentive to overshare
Steven Swift, Managing Director at Suzu Labs, added that there’s not much detail provided in the public statement from Sweden. “That’s normal for this sort of thing; they don’t have an incentive to overshare. In fact, the only meaningful thing they really shared was that one, an attack was attempted and two, they were prepared for it, resulting in no impact. That’s mostly just PR on their part.”
Swift said: “Critical infrastructure has long been a high value target. Both for cyber as well as traditional attacks. Cyber is interesting here, in that these attacks can be launched with less fanfare, at higher frequency, against a larger number of targets.”
He added that while it’s obviously a win for Sweden that this attack failed, it should be noted that most attacks fail. “Attackers don’t care that much about the success of individual campaigns. They solve this with scaling. Both by targeting a large number of targets, and by running a variety of independent campaigns.
“Defenders have to get it right 100% of the time, or they experience a breach. Attackers are the opposite, they only need 1 success, it doesn’t matter much how many failures it takes to get there.”
It’s down to the states, municipalities, utilities to figure this out
Josh Marpet, Senior Product Security Consultant at Finite State, said: “Cyberattacks against utilities are common and increasing in number and sophistication. That curve doesn’t appear to be flattening, suggesting that a stronger response is indicated. Since most utilities are municipal and revenue-constrained, it’s difficult for them to up their defences quickly. Larger utility companies can, but there are many municipal water and power transmission organizations that would have to do a bond issue in order to fund any such expenditures.”
He added that effectively, power generation, power transmission, water, internet, and other such utilities are finding themselves increasingly targeted by attackers growing in sophistication and motivation. “Unless they outsource their defences, it seems almost inevitable that they will have incidents and be breached. Whether it’s customer data or mass disruption, none of the outcomes are desirable.
“Unless and until the federal government provides some help, it’s down to the states, municipalities, and utilities themselves to figure out this issue.”
Marpet said raising prices is perpetually unpopular. “So, outsourcing for maximum efficiency, and working as community members in the various ISACs and associations, is the way to go. With the sheer volume of IoT and OT equipment in the utilities, they need to pick the right outsourced help and get it soon.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


