DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Sweden attributes attempted cyberattack on heating plant to pro-Russian group

15 April 2026 · Western Sweden, Sweden
Satellite Imagery © Esri

What happened

Sweden disclosed on 15 April 2026 that a pro-Russian hacker group had attempted a destructive cyberattack against a heating plant in western Sweden. As reported by TechCrunch, the country's Minister for Civil Defence, Carl-Oskar Bohlin, said the intrusion had in fact taken place earlier, in spring 2025, and was only being attributed publicly roughly a year later following an investigation by the Swedish Security Service (Sapo).

According to SecurityWeek, the attackers targeted the operational technology and industrial control systems that run the facility's physical heating processes, with the apparent aim of disrupting or damaging its operation. The attempt failed: a built-in protection mechanism at the plant stopped the attack before it could take effect, and officials said there were no service disruptions or other serious consequences for customers or the wider energy supply.

Swedish authorities deliberately withheld details that could identify the facility, naming only its general location in western Sweden and not disclosing the plant, its town or the specific threat group involved. Euronews reported that Bohlin presented the case as evidence that pro-Russian groups previously known for denial-of-service campaigns are now attempting sabotage-style attacks on European critical infrastructure, citing related warnings from Poland, Norway, Denmark and Latvia.

Assessment

Sweden has officially attributed the attempted attack to a pro-Russian group that Sapo assesses to have links to Russia's security and intelligence services, though no specific named threat group was disclosed and Russia did not respond to requests for comment. The attribution is an official government assessment rather than a court-tested finding, and the attribution itself came about a year after the spring 2025 intrusion. The case fits a wider 2026 pattern of suspected Russia-linked activity against European infrastructure, including the cyberattack on the European Commission's Europa web platform. Details, including the plant's identity, may change as more public information emerges.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.