Sweden: Russian-linked hackers attempted to destroy a heating plant's control systems

Sweden disclosed Tuesday that a pro-Russian hacker group with connections to Russian intelligence and security services attempted a destructive cyberattack on a thermal heating plant in western Sweden in the spring of 2025.

The attack targeted operational technology systems -- the industrial software that controls physical equipment like boilers, pumps, and valves -- rather than the IT networks that most cyberattacks hit. It failed because of built-in safety protections in the plant's control systems.

"These groups that once carried out denial-of-service attacks are now attempting destructive cyberattacks against organizations in Europe."

That was Carl-Oskar Bohlin, Sweden's Minister for Civil Defence, speaking at a press briefing in Stockholm alongside John Billow, head of Sweden's National Cyber Security Centre. Bohlin said the Swedish Security Police (SÄPO) investigated the incident and identified the attackers.

"The underlying actor has connections to Russian security services. This points to more risk-inclined and reckless conduct from Russia."

The shift that matters

The distinction between IT attacks and OT attacks is the difference between inconvenience and catastrophe.

A denial-of-service attack takes a website offline for hours. It's disruptive but temporary -- the digital equivalent of blocking a doorway. Russia and its proxy groups have launched thousands of these against European targets since the 2022 invasion of Ukraine, particularly against countries supporting Kyiv.

An OT attack targets the systems that control physical infrastructure: the valves that regulate gas flow, the switches that route electricity, the controls that manage water treatment. A successful OT attack on a heating plant in winter could leave thousands of residents without heat. It could damage equipment that takes months to replace. In extreme cases, it could cause explosions or chemical releases.

Sweden's announcement signals that Russian-linked groups have crossed that line -- moving from digital harassment to attempted physical sabotage of civilian infrastructure.

A European pattern

Sweden is not alone. The attempted attack fits a pattern of escalating Russian cyber operations against European energy infrastructure.

In December 2025, Russia's Sandworm group -- one of the most capable state-sponsored hacking units in the world, operated by Russia's GRU military intelligence -- launched a coordinated attack on Poland's energy grid. The operation deployed data-wiping malware called DynoWiper against more than 30 wind and solar farms and a combined heat and power plant that supplies heat to nearly 500,000 customers. The attack failed to disrupt service, but its scale and ambition alarmed European security officials.

Norway and Denmark have experienced similar attempted intrusions into their energy systems, according to Swedish officials.

Sweden's exposure

The attack carries particular weight for Sweden because of two factors.

First, Sweden joined NATO in March 2024 after decades of military non-alignment, a direct response to Russia's invasion of Ukraine. That decision made Sweden a target for Russian retaliation. Cyberattacks on Sweden increased more than 300% in 2024, and Sweden hosts roughly 57% of the Baltic region's internet-connected industrial control systems -- making it the region's largest attack surface.

Second, Sweden has been building its cyber defenses at a speed that suggests the government recognized the threat before this incident became public. In December 2025, Sweden enacted a new cybersecurity law requiring operators of critical infrastructure to protect their networks and report significant incidents. In March 2026, the government announced 91 measures to strengthen cyber resilience across public administration and essential services. The National Cyber Security Centre, whose head joined Bohlin at Tuesday's briefing, has been given expanded authority and resources.

The heating plant in western Sweden withstood the attack because its safety systems worked as designed -- a detail Bohlin emphasized as validation that these investments matter. But the fact that Russian-linked hackers attempted to cross the line from disruption to destruction suggests the next attempt may target a facility with weaker defenses.