Sweden’s Security Police have identified the pro-Russian group behind a failed cyberattack on a heating plant in western Sweden last spring. The Swedish government disclosed the incident on Wednesday April 15th, confirming that the attackers had connections to Russian intelligence and security services.
The attack took place during spring 2025 but caused no disruption to heating services, according to Carl-Oskar Bohlin, Sweden’s Civil Defence Minister. The facility’s built-in security systems prevented the attackers from achieving their objective of disrupting operations at the heating plant, which supplies residential and commercial properties in the region.
“The Swedish Security Service handled the case and was able to identify the actor behind it which has ties to Russian intelligence and security services,” Bohlin told reporters at a press conference in Stockholm. The Security Police have closed their investigation, according to agency spokespeople.
Russia Targets Operational Technology, Not Just IT Systems
The heating plant attack represents a tactical shift by Russian-linked groups, according to Swedish authorities. Rather than launching distributed denial-of-service attacks that flood IT systems with traffic, the attackers targeted operational technology that controls physical infrastructure.
“Pro-Russian groups that have previously carried out denial-of-service attacks are trying to carry out destructive cyber attacks against organizations in Europe,” Bohlin said. These operational technology systems control heating, power generation, water treatment and manufacturing equipment; disrupting them can cause physical damage rather than just digital inconvenience.
Pontus Johnson, a professor at KTH Royal Institute of Technology, confirmed that attacking operational technology requires more sophisticated capabilities than basic DDoS campaigns. “You don’t just send traffic their way, but you are trying to find vulnerabilities to enter the systems to then be able to affect them,” Johnson told Euronews.
The 48-hour attribution to Russian intelligence that appeared in some early reports should be treated with appropriate scepticism, but the Swedish government’s formal disclosure after a completed Security Police investigation carries more weight than vendor threat reports or social media speculation.
Similar Attacks Hit Norway, Denmark and Poland
Sweden is not alone in facing Russian cyber operations against energy infrastructure. Bohlin compared the heating plant incident to similar attacks in neighbouring countries that authorities have attributed to Russian intelligence services.
Norwegian police reported in August 2025 that pro-Russian hackers had remotely opened a valve in a dam, allowing water to pour out. Denmark disclosed in December that Russian cyberattacks on a water utility in 2024 had left some houses without water supply. Poland experienced what authorities described as a much larger-scale attack on its power grid, attributed to the Russia-linked Sandworm group.
“This points to a changed, more risk-prone and more reckless behaviour from Russia which could lead to potentially very harmful effects on society,” Bohlin said. The pattern across the Nordic region suggests coordinated reconnaissance and targeting of critical infrastructure rather than opportunistic attacks.
The Russian embassy in Stockholm rejected the accusations. Ambassador Sergey Belyaev told Russian state news agency RIA Novosti that the allegations “remain at the level of the ‘highly likely’ principle favoured by Western countries, that is, unfounded suspicions.” Russia routinely denies involvement in cyberattacks against Western infrastructure.
Sweden’s “Security Debt” in Operational Technology
The heating plant attack exposed broader vulnerabilities in Sweden’s industrial control systems. John Billow, head of Sweden’s National Cyber Security Centre (NCSC), said the country carries a “security debt” in cybersecurity, particularly for operational technology systems.
“Operational technology systems are often older and cybersecurity aspects have not always been taken into account which is why they can be vulnerable to attacks,” Billow said. Many of these systems were installed when network security was not a primary concern and have since been connected to corporate networks or the internet without adequate protection.
Organisations operating critical infrastructure need to prioritise cybersecurity “from management down,” according to Billow. This means treating operational technology security as a board-level risk rather than delegating it to technical teams. Sweden’s experience suggests that built-in protection mechanisms can prevent successful attacks, but only if they are properly implemented and maintained.
The timing of Sweden’s disclosure, coinciding with increased tensions over Nordic support for Ukraine, reflects what Bohlin called the need to “let threat-actors know that we see what you are doing.” Whether that deterrent effect works against intelligence services remains to be seen.
April 16, 2026