District Heating Under Hybrid Attack: Europe’s Municipal Gap and Ukraine’s Resilience Model

Europe secured its gas pipelines and hardened its electricity grids. It left the last mile of heat delivery — the municipal layer that keeps 100 million people warm — virtually undefended.

Institute for Central Europe — Policy Mini Brief | 17 March 2026

Executive Summary

Russia has demonstrated across four winters that centralised district heating infrastructure is a high-yield strategic target — through repeated kinetic and cyber strikes.

On 29 December 2025, this threat reached EU territory. A coordinated cyberattack attributed to an FSB-linked actor targeted a Polish CHP plant serving nearly half a million customers. The plant survived because it had endpoint detection software. Most European municipal heating operators do not.

The NIS2 and CER Directives classify district heating as critically important. But the regulatory perimeter does not match operational reality: most municipal suppliers in Central and Eastern Europe fall below NIS2’s size threshold, transposition is incomplete, and no tested crisis doctrine exists at the municipal level where heat is delivered.

Ukraine has built an operational resilience model under fire — decentralised cogeneration, rapid-deployment modular capacity, municipal emergency doctrine — that is directly transferable. On 3 March 2026, Ukraine’s National Security and Defense Council formally approved regional energy resilience plans institutionalising this model nationwide. The institutional frameworks for knowledge transfer exist. The transfer pace does not match the threat.

 

The Threat Demonstrated

The targeting of Ukraine’s heating infrastructure has followed a discernible operational logic since 2022. Russia systematically struck nodes where thermal energy is generated and networks through which it is distributed — concentrating on assets whose destruction produces cascading civilian impact.

The IEA’s October 2025 pre-winter assessment quantified cumulative damage: 18 CHP plants, 800+ boiler houses, and 354 kilometres of heating pipes attacked by end of 2024 (IEA). The UN Human Rights Monitoring Mission assessed these operations as “widespread and systematic” (UN).

The 2025–2026 heating season brought further escalation: near-daily strikes across seventeen regions in January 2026, with Kyiv’s Darnytsia CHP plant hit repeatedly, each strike severing heat to approximately 6,000 residential buildings. Indoor temperatures of 8–9°C were recorded in affected districts while ambient temperatures reached minus 19°C (Kyiv Independent).

On 13 March, Energy Minister Denys Shmyhal told the Verkhovna Rada that Russia had damaged more than 9 GW of generation capacity since the start of the heating season — making this, in his words, “the most difficult winter in Ukraine’s history” (Ministry of Energy of Ukraine).

The cyber dimension compounds the kinetic one. In January 2024, attackers deployed FrostyGoop — ICS-specific malware communicating via Modbus TCP — against Lvivteploenergo, a municipal heating company in Lviv. The malware manipulated temperature controllers to feed cold water into apartment buildings, cutting heat to 600+ residential blocks for 48 hours.

Dragos identified it as the first confirmed Modbus exploitation achieving real-world heating disruption — and found internet-exposed Modbus controllers in Lithuania and Romania, confirming the attack surface extends beyond Ukraine (Dragos).
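Modbus TCP carries no authentication, so any host that can reach a controller over the network can issue write commands to it. The sketch below is an added example (not taken from this brief or from the Dragos report): it parses Modbus TCP requests and flags state-changing function codes from sources outside an allowlist of approved masters. The IP addresses, register addresses and allowlist are constructed for illustration.

```python
import struct

# Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}

def parse_adu(payload: bytes):
    """Parse one Modbus TCP request ADU; return None if malformed."""
    if len(payload) < 8:  # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    func, addr = payload[7], None
    if func in WRITE_FUNCTIONS:
        off = 12 if func == 0x17 else 8  # 0x17 carries its read range first
        if len(payload) >= off + 2:
            addr = struct.unpack(">H", payload[off:off + 2])[0]
    return {"tid": tid, "unit": unit, "func": func, "addr": addr}

def find_unauthorised_writes(flows, allowed_masters):
    """Alert on write requests whose source is not an approved Modbus master."""
    alerts = []
    for src, dst, payload in flows:
        adu = parse_adu(payload)
        if adu and adu["func"] in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append((src, dst, WRITE_FUNCTIONS[adu["func"]], adu["addr"]))
    return alerts

# Constructed sample traffic: documentation-range IPs, made-up register addresses.
ALLOWED_MASTERS = {"192.0.2.10"}  # hypothetical SCADA server
PLC = "192.0.2.50"                # hypothetical heating controller
SAMPLE_FLOWS = [
    ("192.0.2.10", PLC, bytes.fromhex("000100000006" "0103" "00000002")),    # read
    ("192.0.2.10", PLC, bytes.fromhex("000200000006" "0106" "00100019")),    # approved write
    ("198.51.100.7", PLC, bytes.fromhex("000300000006" "0106" "00100000")),  # unapproved write
    ("198.51.100.7", PLC, bytes.fromhex("000400000009" "0110" "0020000102" "0000")),
    ("198.51.100.7", PLC, bytes.fromhex("000500010006" "0106" "00100000")),  # bad protocol id
]

if __name__ == "__main__":
    for alert in find_unauthorised_writes(SAMPLE_FLOWS, ALLOWED_MASTERS):
        print(alert)
```

In a real deployment the `(source, destination, payload)` tuples would come from a passive tap or span port on the OT network segment, and the allowlist from the operator's asset inventory.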

Centralised district heating — a single plant serving thousands of apartments through shared pipes — is high-value, difficult to defend, and slow to repair. A successful strike in January can kill.

 

Adversaries Crossed into EU Territory

On 29 December 2025, Poland’s national CSIRT documented a coordinated destructive operation against three sets of targets: a large CHP plant supplying heat to nearly half a million customers, more than 30 wind and photovoltaic installations, and a manufacturing company. The objective was purely destructive — CERT Polska compared it to deliberate arson (CERT Polska).

The forensic timeline revealed patient, long-term preparation. Investigators traced initial network penetration to March 2025 — nine months before the attack was triggered. The actor mapped industrial control systems, captured screenshots of operational interfaces, harvested credentials, and ultimately deployed a bespoke wiper malware (designated DynoWiper by ESET) through the plant’s own software update mechanism (Balkan Insight).

CERT Polska attributed the operation, with high confidence, to the activity cluster tracked as Static Tundra (Cisco) / Berserk Bear (CrowdStrike) / Ghost Blizzard (Microsoft) — an FSB-linked group historically associated with espionage, not sabotage.

The report explicitly noted this was “the first publicly described destructive activity attributed to this activity cluster” — marking a qualitative escalation in which an intelligence-collection actor pivoted to operational disruption.

The implication is significant: the same actor infrastructure previously used to conduct long-term reconnaissance of Western energy networks has now demonstrated the intent and capability to destroy them.

The CHP plant survived because its endpoint detection and response (EDR) software identified and blocked the wiper before execution. The US Cybersecurity and Infrastructure Security Agency subsequently issued an advisory noting that the attackers had exploited internet-facing FortiGate devices lacking multi-factor authentication and OT control devices running default passwords — a vulnerability profile that is endemic across municipal heating utilities in Central and Eastern Europe and beyond (CISA).

 

The Protection Gap

The EU’s legislative architecture formally recognises district heating’s criticality. The NIS2 Directive lists it as a sector of high criticality; qualifying operators face mandatory cybersecurity risk management and incident reporting. The CER Directive adds physical resilience requirements (NIS2, CER).

In practice, this perimeter misses the operational centre of gravity. Central and Eastern Europe’s district heating is dominated by small municipal operators — many serving populations of tens of thousands through Soviet-era infrastructure.

A substantial share fall below NIS2’s size threshold, are not subject to its obligations, and have no pathway to the cybersecurity baselines it mandates. Even among qualifying operators, transposition is incomplete — multiple member states missed the October 2024 deadline to enact the required national legislation.

Many municipal heating operators are perpetually underfunded, running ageing SCADA and industrial control systems with limited network segmentation, no dedicated IT security staff, and incident response plans that have never been tested under realistic conditions. The Polish incident is instructive in both directions: the one operator that invested in EDR survived; the vulnerability profile that enabled nine months of undetected reconnaissance is shared by the majority of its counterparts across the region.

The 2026 Munich Security Report frames this in strategic terms: cyberattacks rank as the top G7 security risk, with Russian operations “increasingly blending cyber and kinetic tactics” against energy infrastructure (Munich Security Report). The Preparedness Union Strategy sets out 30 key actions — none operationalise heating-specific resilience at the municipal level.

 

Ukraine’s Operational Model

Under sustained bombardment, Ukrainian heating operators developed a resilience model that no peacetime planning exercise could have produced. Its core elements are:

Decentralised generation. Municipal cogeneration units capable of producing both electricity and heat independently of the national grid. By November 2025, the Ukrainian district heating sector was operating 182 cogeneration units (83 at full capacity, combined output 147 MW) and 239 block-modular boilers (~635 MW), forming autonomous “energy islands” around hospitals, water utilities, and residential heating networks (New Eastern Europe).

Compressed deployment cycles. Modular units installed and commissioned in days — a tempo European procurement measures in months or years.

Rapid repair doctrine. Pre-positioned spare parts, emergency communication systems, and standing repair crews trained to restore service under ongoing threat.

Municipal-level decision authority. Operational autonomy at city and utility level to act without waiting for national coordination — essential when centralised command is disrupted.

This model has now been formally institutionalised. On 3 March 2026, President Zelenskyy chaired a meeting of the National Security and Defense Council at which comprehensive energy resilience plans for all of Ukraine’s regions and cities were approved.

Deputy Prime Minister Oleksii Kuleba confirmed that the plans were developed together with local communities and are explicitly aimed at ensuring that “settlements decentralise their water and heat supply systems and are as resilient and adaptable as possible to enemy attacks” (President of Ukraine). What began as improvised wartime adaptation is now codified national doctrine — and a directly exportable framework.

The IEA’s lessons-learned framework identifies these capabilities as among the most transferable pillars of Ukraine’s energy resilience. European institutions have taken note — but the knowledge has not reached the municipal operators who would implement it (IEA).

 

Four Steps Before Next Winter

The EU has identified district heating as critical, documented the hybrid threat, and begun developing preparedness frameworks.

Recent analysis has examined Russia’s infrastructure campaign from the perspective of air defence provision (RUSI), European energy market spillovers (Atlantic Council, October 2025), and Ukraine’s broader infrastructure resilience as a transferable model (Atlantic Council, December 2025). None has addressed the specific dimension this brief focuses on: the sub-threshold operators, the cyber-specific exposure, and the gap between directive-level classification and operational readiness where heat is actually delivered.

The challenge is not diagnosis. The challenge is that the municipal utilities delivering heat remain outside the effective reach of the frameworks designed to protect them.

  1. Extend the Preparedness Union Strategy’s minimum criteria explicitly to district heating operators below the NIS2 size threshold. Baseline requirements for cybersecurity hygiene and physical crisis preparedness should apply to any operator serving a defined population threshold, regardless of firm size.
  2. Mandate operationally tested crisis protocols for municipal heat suppliers. Member states should require heat suppliers above a defined capacity to conduct annual crisis exercises coordinated with civil protection agencies and municipal authorities — modelled on NATO readiness exercises but adapted for civilian critical infrastructure.
  3. Establish a structured Ukraine–EU knowledge transfer programme through the Energy Community Secretariat and the emerging energy Ramstein format. Ukraine has proposed a new ministerial-level coordination architecture — the “energy Ramstein” — with the first meeting scheduled in Brussels in mid-March, and plans to attract over €5 billion from international partners for next-season preparation (Ministry of Energy of Ukraine).

The Energy Community Secretariat’s Ukraine Energy Support Fund, which has already signed memoranda on district heating coordination, provides the sub-ministerial delivery channel. Together, these two frameworks should deliver systematic operational training — rapid repair doctrine, modular deployment protocols, emergency communication — to municipal operators in Poland, Slovakia, Romania, and the Baltics (Energy Community).

  4. Commission an honest assessment of municipal heating cyber exposure. ENISA, in coordination with national CSIRTs, should survey OT security posture across European district heating operators — including Modbus-enabled controllers exposed to the internet, default-credential prevalence, and EDR deployment rates. The Polish incident demonstrated that one operator with EDR survived; the CISA advisory demonstrated that the vulnerability profile is widespread. Without baseline data, remediation cannot be calibrated.

Conclusion

Russia has spent four winters demonstrating that centralised district heating is a strategically productive target — and as of December 2025, has extended that campaign to EU territory. The EU has built the legislative framework but has not closed the gap between directives and the operational reality of hundreds of underfunded municipal utilities.

Ukraine’s operators built a resilience model that works. And as of 3 March 2026, that model is formal national doctrine, not improvised adaptation. The channels to transfer that knowledge exist and are becoming more structured by the week. The question is whether Europe activates them at the pace the threat demands.