The recent hack of the prime minister’s chief of staff, as well as attacks against thousands of other email accounts belonging to Polish citizens, are linked to the Russian security services, say the Polish authorities.
Earlier this month, emails purporting to be from the private account of Michał Dworczyk, the head of Prime Minister Mateusz Morawiecki’s chancellery, began to be posted on messaging service Telegram. Dworczyk subsequently confirmed that both he and his wife had been hacked.
Correspondence has since continued to be leaked, in a manner seemingly intended to embarrass Dworczyk and Morawiecki. The Polish authorities have indicated that some material is faked, though have not confirmed the authenticity of individual documents.
Last Friday, Jarosław Kaczyński – chairman of the ruling Law and Justice (PiS) party and deputy prime minister with oversight of national security – declared that it could be “clearly stated that the cyberattack was carried out from the territory of the Russian Federation”.
At a closed session of parliament earlier this week, Kaczyński reportedly told MPs that Russia has plans to attack Poland and that recent cyberattacks against officials and institutions may be part of that operation https://t.co/dsVAuh1DYl
— Notes from Poland 🇵🇱 (@notesfrompoland) June 19, 2021
Further details linking the attack to the Russian state were revealed this week by Stanisław Żaryn, spokesman for Poland’s security services. He announced that attempted attacks had been made against 4,350 Polish email accounts, including those belonging to 100 people holding “public functions”.
“The findings of the Internal Security Agency and the Military Counterintelligence Service show the attack [was] carried out by the UNC1151 [cyber espionage] group,” said Żaryn. “[We] have reliable information linking the actions of the UNC1151 group with the Russian security services.”
“All information obtained so far indicates that the actions of the UNC1151 group that have affected Poland in recent weeks are part of the ‘Ghostwriter’ campaign, the aim of which is to destabilise the political situation in Central European countries,” added Żaryn.
On April, 2021, FireEye updated the report to indicate an expansion of narratives & targeted audiences & by attributing with high confidence some components of Ghostwriter’s influence activity to UNC1151, a suspected state-sponsored cyber espionage actor.https://t.co/uyJBbhknXy
— NerijusM (@NerijusM) June 16, 2021
He also revealed that the attacks had been carried out through “phishing” (tricking users into clicking a malicious link and/or providing personal information) and that this had resulted in “several outside logins to the mailbox used by Michał Dworczyk”.
Both Żaryn and Kaczyński have said that the attacks targeted not just figures linked to the ruling camp, but also opposition politicians as well as people working for NGOs.
“[These] activities are carried out on a mass scale and are part of the disinformation operation that the Russian side is conducting against Poland, but also against other countries on NATO’s eastern flank,” Żaryn told TVN24.
The foreign minister, Zbigniew Rau, also told the Polish Press Agency (PAP) that all signs “point to Russia” and that this had been “an attack on democratic values, freedom of speech, freedom of public debate”, and intended to “undermine trust in NATO”. He suggested “cyber sanctions” could be imposed in response.
In a separate interview with PAP yesterday, a spokesman for the US State Department commented on the issue. “The Polish government has publicly noted that the latest cyberattack was carried out from Russian territory,” he said, adding that the US would be happy to help Poland combat such attacks.
“Russia uses a number of tools, including disinformation and hostile actions in cyberspace, to take advantage of the weaknesses it perceives and increase divisions within and between democracies,” he continued. “[Poland is] an unbreakable ally in Central Europe and one of the strongest partners of the US.”
New material purporting to be from Dworczyk’s email account has continued to be regularly posted on Telegram. Among the latest are documents relating to anti-tank missiles the Polish military either uses or intends to obtain.
Leaking of the information contained in those documents, some of which was not otherwise public, is harmful to Poland’s security, two anonymous military officers told the Onet news website.
While it remains unconfirmed how much of the various published material is authentic, the fact that Dworczyk and others – reportedly including Morawiecki – were conducting official business using private email accounts has also raised concern.
Poland's prime minister has for years been using a private email address to conduct government business, according to unofficial findings by @wirtualnapolska and @tvn24.
Security experts say that this can seriously compromise the security of communication https://t.co/cUiMS612oG
— Notes from Poland 🇵🇱 (@notesfrompoland) June 17, 2021
“Yes, I corresponded with various people from a private mailbox,” admitted Dworczyk in an interview with Wprost. “[But] this is not in breach of any regulations.” While correspondence contained some “sensitive information…to my knowledge there was no classified information”, he added.
Żaryn and Morawiecki both said this week that an “action plan” had been approved to take steps to “limit the effects of an attack on people performing public functions” and to “protect people who could fall victim to an attack”.
Opposition parties have, however, called for Dworczyk’s to lose his job over the issue. “The email scandal shows the depths of the pathology that, unfortunately, has accumulated in government circles,” read a no-confidence motion submitted by the largest opposition party, Civic Platform (PO).
In a heated session last night, opposition motions against Dworczyk, two other ministers, and the head of PiS’s parliamentary caucus were all rejected by a majority of MPs in the PiS-controlled lower of parliament.
Ja nie wiem z czego posłowie PiS się cieszą. Terlecki nadal będzie nimi gardził, Sasin niszczył wszystko, czego dotknie, Kaminski ich podsłuchiwał, a Dworczyk z prywatnego maila zarządzał "wybory kopertowe". Tyle, że ich rodziny utrzymają stolik w spółkach skarbu państwa 🤷🏻♀️ pic.twitter.com/rdNihOBN3v
— Monika Rosa (@moanrosa) June 23, 2021
Main image credit: Adam Guz / KPRM (under public domain)
Daniel Tilles is editor-in-chief of Notes from Poland. He has written on Polish affairs for a wide range of publications, including Foreign Policy, POLITICO Europe, EUobserver and Dziennik Gazeta Prawna.