Sweden Publicly Attributes Attempted Destructive Cyberattack on Power Plant to Russian-Linked Hackers

Summary

Sweden has publicly attributed a failed destructive cyberattack on a thermal power plant in western Sweden to pro-Russian hacker groups with connections to Russian intelligence and security services. The attack, which occurred in spring 2025, targeted the plant’s operational technology (OT) systems — the industrial control systems that directly manage physical processes.

The attack was unsuccessful thanks to the plant’s built-in protection mechanisms, but Swedish Civil Defense Minister Carl-Oskar Bohlin emphasized the significance of the attempt. Swedish officials say this incident reflects a tactical escalation by pro-Russian cyber groups, who are moving beyond denial-of-service attacks toward genuinely destructive operations against European critical infrastructure.

Sweden noted that similar OT-targeting attempts have been reported across other European nations including Poland, Norway, and Denmark, suggesting a coordinated campaign against Western energy infrastructure.

Sources

• The Record — Sweden attributes power plant attack to Russian hackers
• Security Affairs — Sweden reports cyberattack attempt on heating plant
• TechRadar — Russia hits European thermal power plant in attempted destructive cyberattack

Commentary

The shift from DDoS to attempted physical destruction of energy infrastructure is exactly the escalation that OT security professionals have been warning about for years. DDoS is disruptive but temporary. An attack that targets the control systems of a power plant is designed to cause lasting physical damage — potentially affecting heating supply for civilian populations.

Sweden’s decision to publicly attribute this is notable. Governments typically hedge on attribution, especially when intelligence methods might be revealed. Going public signals both confidence in the evidence and a deliberate effort to build an international coalition against these operations. The fact that similar attacks have been detected across multiple Nordic and European nations paints a picture of systematic infrastructure probing by Russian-aligned groups, testing defenses and looking for weak points across the continent.