Poland’s National Security Compromised By Minister’s Email Hack

In recent weeks the world has been focused on the revelations around the Pegasus spyware created by Israeli company NSO, which has been used by numerous individuals and nation states. Before the Pegasus story broke, however, another scandal concerning hacking emerged in Poland. At the beginning of June the emails of the Chief of the Chancellery of the Prime Minister (KPRM), Michal Dworczyk, was hacked by unknown perpetrators. Since then, secret data including communication between the Prime Minister’s Chancellory (KPRM) and other ministers were leaked to the public via Telegram. Dozen of emails regarding national security were exchanged with the use of private accounts of ministers.


The Law and Justice party (PiS), that currently holds a majority in the Polish Sejm, consists of three factions: the hardliners, the liberal wing, and a group centred on the leadership. The Minister of the Interior, Mariusz Kaminski who is also the coordinator for the cooperation between the secret services and the government, is one of Jaroslaw Kaczynski, the leader of PiS, most trusted colleagues. Kaczynski himself is the Deputy Prime Minister of Poland and the Chief of the National Security Committee. In reality, this means that Kaczynski and Kaminski have theoretical access to correspondence exchanged between ministers by the use of mailboxes secured by the Ministry of Interior and the Internal Security Agency (ABW).

The potential ability of both Kaczynski and Kaminski to have access to emails of members of various wings inside of the party and the personal dependence of members of parliament on Kaczynski to hold their position in the government forced them to overcome the issue of using encrypted mailboxes by the use of private ones which are vulnerable to attack. Everything unfolded around 8th June when Chief of the Prime Minister Chancellory fell victim to such an attack that resulted in the publication of the emails. Secret documents and professional commentary began to appear on two Telegram accounts that translated them from Polish to Russian. Many suspect that this action was somehow backed by the governments of Belarus or Russia. But what was in those emails that caused a national outcry and a huge scandal?

Minister Dworczyk announcement on the hacking of his email account

The First Email

The first email published on the Telegram account presents a message from Col. Krzysztof Gaj, a retired member of the Polish Armed Forces who was appointed to the KPRM in 2018. Gaj was a close co-worker of the previous Ministry of National Defense, Antoni Macierewicz, who represented the hardline wing of the PiS. Macierewicz gained recognition among the media as the leader of the commission dedicated to the investigation of the presidential Tu-154 crash and suggesting foul play may have been the cause. In the leaked email, Gaj tries to discredit the ICBS integrated command module for Raytheon Patriot Missile that Poland ordered back in 2018.

“[…] in the Armamement Inspectorate (IU) there are randy enthusiasts of the American IBCS system. They push for the purchase so much that they are ready to turn down our own national system (Narew).”

Author’s translation of part of Col. Gaj email to Dworczyk, Source: onet.pl

The email was sent during the last phase of gathering motions before closing the analysis and conception stage of the tender. For some experts, this means the exposure of national safety and exposure to state secrets. Besides that, the message sent by Gaj to Dworczyk shed some light on the conflict between Prime Minister Chancellory (KPRM) and the MoD regarding armament procurement. The MoD is interested in developing a national military industry, that is often incapable of delivering pieces of equipment required by the Polish Armed Forces, while KPRM seeks foreign off-the-shelf solutions.

Military on the Streets?

The second email that shocked the public was originally sent in October 2020. In the late Fall of 2020, the government decided to raise its concerns over the issue of abortion of genetically damaged foetuses and the possibility of terminating a pregnancy in case of a threat to a mother’s life. An official motion was raised by the PiS officials and introduced before the Constitution Tribunal. The verdict stated that abortion of damaged foetuses is unconstitutional and cannot be undertaken by doctors. This caused a massive wave of protests in major Polish cities, forcing the government to consider ways to suppress the protestors. The context of the email shows that government officials considered using the military to contain the protests. Yet, minister Dworczyk stated that such a solution would be unforgivable by the public and this idea should be dropped immediately.

“The use of military in the current situation raises many risks of potential provocations, accusations, huge image loss for the government and the military and it creates extremely grim associations [Martial state in Poland 1981-83 – red.]. The current situation should be contained by the police which should be supported by firefighters.”

Author’s translation of part of Michal Dworczyk email to Prime Minister Mateusz Morawiecki, Source: onet.pl

Everybody Has Been Hacked

According to the Internal Security Agency (ABW) over 4,350 email addresses in Poland have been attacked by hackers. 100 of them belong to the members of parliament of various political parties. The extent of damage has not yet been confirmed by anyone within the government. This massive strike on mailboxes of members of parliament raises grave concerns over the security of state officials and the Polish government’s ability to deal with cyberattacks.

The site Wirtualna Polska that maintained Dworczyk’s email account confirmed that hackers used the correct login and password to gain access to the inbox. This information suggests that minister Dworczyk fell victim to phishing that allowed them to easily obtain control over his private email.

Who is Responsible?

While there is much speculation, the people responsible for the hacking remain unknown. According to Gazeta Wyborcza, Dworczyk’s account was compromised by a close co-worker who committed some sort of an act of revenge on the minister. This information was publicly denied by Dworczyk himself and he demanded Gazeta Wyborcza refute the article. The ABW and the Military Counterintelligence Service (SKW) state that a group named UNC1151 committed breaches into several inboxes of government officials. The UNC1151 activity traces back to 2020 and their Ghostwriter activity against German government officials.

However, in the eyes of public opinion, Dworczyk is seen as responsible for the leak. According to TVN and Dworczyk’s own statement, he was ready to resign on the first day of the leak. The Prime Minister, Mateusz Morawiecki, decided not to sack his Chief of the Chancellery.

The Information War

The current affair is very complicated. There is no way to confirm that the messages and information harvested from Dworczyk’s inbox are authentic and accurate – other than the government’s reaction. One must remember that Poland is a focal point of an information warfare conducted by the Russian Federation. Thus it is worth mentioning that every piece of information published by the two Telegram accounts can be seen as a part of this information warfare, with the aim of creating fake, disruptive news. This article serves only as an introduction to the events unfolding in Poland. At the time of writing, no further documents have been publicly leaked.

Header: Blogtrepreneur CC-BY