CERT Orange Polska 2025 report: in the network of threats

The latest CERT Orange Polska Report for 2025 shows how quickly the landscape of cyber threats is changing and how much their scale is growing. The operator’s experts indicate that cybercrime is becoming more and more automated, and artificial intelligence strengthens activities on both sides of the digital conflict.

The conclusions are simple: system protection alone is no longer sufficient – broadly understood cyber resilience is becoming more important.

When Robert Morris released the first virus (or rather worm) into the network in 1988, just three years after the first domain with the .com extension was registered, his intentions were pure. The experiment was only intended to demonstrate the weakness of the security measures at that time. Four decades later, the Internet has become a pillar of modern life, accompanying us almost everywhere and practically constantly. As it develops, not only the opportunities but also the threats increase. Today, malware creators searching for security weaknesses are not motivated by pure intentions, as clearly shown by the latest CERT Orange Polska Report for 2025.

During the conference accompanying the publication of the report, experts from Orange Polska had no doubts: we are entering a stage where cybersecurity becomes more than just system protection. It is a matter of resilience – of entire organizations, infrastructure and ourselves. If we look at the network as a digital battlefield, we can clearly see the increasing role of artificial intelligence. And on both sides of the barricade.

What has been happening on the Polish Internet in recent months and what should we pay attention to today so as not to become part of the statistics in next year’s report?

5.5 million protected Poles

Let’s start with the good news. Although the threats are increasing, defense systems are becoming more and more intelligent. The first line of defense for millions of Poles is CyberTarcza Orange, which in 2025 blocked as many as 345,000 phishing domains alone. That’s nearly 15 percent more blocks than a year earlier.

Thanks to this protection, 5.5 million users have avoided financial loss or loss of valuable data.

However, technology is only half the battle. As Liudmila Climoc, president of Orange Polska, notes in the introduction to the report, cybersecurity is no longer the sole responsibility of specialists, but a common obligation that requires the active involvement of each of us.

Last year alone, Internet users sent 15,000 text messages to the special number 508 700 900 to report suspicious messages. This is an almost fourfold increase compared to previous years, which shows our increasing vigilance.

In turn, the free Password Alert tool from Orange is already used by over 40,000 people to check whether their data has been leaked online. What is new is the ability to verify malicious domains – before we even click on them. Ultimately, this control is to take place in real time.

The three biggest threats on the Internet

Robert Grabowski, head of CERT Orange Polska, emphasizes that the list of the three most common threats has remained unchanged for years.

– There are minor changes in the percentages of these threats, but from the reports we have registered, phishing is still on top – he adds.

In 2025, it accounted for 47.5% of the incidents recorded in the Orange network. DDoS attacks came second – 15.8%. It is worth noting that while the average intensity of a single attack decreased, the power of the strongest ones increased significantly. What is also important, DDoS is increasingly not an end in itself. Instead, it becomes a tool supporting other activities – from disinformation campaigns, through extortion, to attempts to divert attention from more advanced operations. This is, among other things, the effect of the so-called platformization of cybercrime. Today, attacks can be ordered like a service – planned, launched and terminated without much technical knowledge.

Third place in this ranking went to malware – 13.3%. Stealers dominate here, whose main task is to steal data from the user’s device. They are becoming more and more difficult to detect, and they reach victims in a variety of ways – through advertisements, forums and even YouTube videos.

The most common trap on the Internet

The report clearly shows which direction cybercriminals are going. In 2023, 28 percent of the websites blocked in the Orange network concerned alleged investments. A year later it was 60 percent, and in 2025 – as much as 68 percent.

This is not a coincidence. As Robert Grabowski explains, we are dealing with full automation: the creation of domains, campaigns, and even entire “investment platforms” is carried out en masse, often with the support of AI. These are no longer individual fraud attempts – they are an organized, scalable criminal business. The pattern is usually similar: a social media ad, a compelling story, sometimes a famous face generated by AI, and then quickly moving on to the “investment of a lifetime.” The whole thing is designed so that the user doesn’t have time to think.

The way SMS fraud is conducted, i.e. smishing, is also changing. Until recently, messages sent from physical devices dominated – the so-called phone farms. Today, as much as 75 percent of malicious SMS messages are generated automatically by applications, often via legitimate communication platforms. The result is a larger scale and higher effectiveness.

Messages are more consistent, better tailored, and harder to distinguish from the real thing. What’s more, they increasingly do not contain any links – instead, they encourage contact via instant messaging, where fraudsters continue the conversation using advanced social engineering.

There are many smishing scenarios: from detained courier parcels, unpaid fines and alleged blocking of bank accounts, through false job offers promising exorbitant daily wages, to particularly insidious “family member” scams. In the latter case, criminals send messages like “Hi dad, this is my new number, my old phone fell into the water, write me on WhatsApp.” This is a modern version of the “grandchild” method. More and more often, these messages do not even contain a link – their purpose is to establish contact and manipulate people into transferring money, or to extort data.

– The imagination of criminals has no end and these scenarios are constantly multiplying – notes the head of CERT Orange Polska.

AI is changing the rules of the game

The year 2025 brought another clear change when it comes to the use of artificial intelligence. And here experts agree – it is a tool that simultaneously strengthens defense and drives threats.

As Piotr Jaworski, Member of the Management Board of Orange Polska for Networks and Technology, said during the presentation of the main conclusions of the report, time is of the essence in the fight against cyber threats. In modern networks, the number of events and alerts is counted in hundreds or thousands per second. A human cannot analyze them all. AI allows you to filter, organize and indicate the really important ones.

The problem is that cybercriminals gain exactly the same advantage. Artificial intelligence helps them create more compelling campaigns, exploit vulnerabilities faster and automate actions on an unprecedented scale. More advanced scenarios are also increasingly emerging – for example, malware that “consults” AI models to operate more effectively in an infected system. This is no longer a futuristic vision, but a real direction in the development of threats.

Robert Grabowski pointed out that malware has already been reported that is 100 percent written by AI, and its code cannot be matched to anything previously known.

– We look at AI as a double-edged sword and treat it as such. We implement many solutions to protect against this “sharp edge” – he added.

Unfortunately, it is expected that further development of AI will generate even greater threats and challenges. Grabowski also points out an overlooked problem. The amount of code created by artificial intelligence is increasing, bypassing the secure software development cycle, which increases the vulnerability of such code to attacks.

From protection to immunity

For years, cybersecurity has been associated mainly with protection – firewalls, antiviruses, blocking attacks. Today it is no longer enough. The scale and, above all, the variety of threats make it impossible to predict or stop everything. Therefore, not only detecting them becomes crucial, but also the ability to keep services running and quickly return to normality.

The authors of this year’s CERT Orange Polska report often refer to the relatively new concept of cyber resilience.

In his speech during the conference, Piotr Jaworski recalled a massive cyber attack on the operator’s network in Portugal in 2022, which caused chaos for several hours and whose effects took several days to remove. At the same time, he noted that not only a malicious cyber attack, but also extreme weather phenomena, human errors or blackouts can lead to serious disruptions. He also recalled that in 2017, Orange launched the Network Resilience program, which examined every element of the network, looking for its weak points. Since then, the company has introduced over 100 different types of solutions, which have significantly reduced the number of critical failures.

Security is no longer solely the domain of IT departments. It becomes an element of a broader system in which network architecture, operating procedures, cooperation between institutions and the awareness of users, both private individuals and company employees, are equally important.

Cyber resilience means a change of perspective: from thinking about full control over threats to building the ability to act despite these threats. This approach at Orange can be seen in the emphasis on redundancy, emergency scenarios and testing of infrastructure in simulated crises. In practice, the idea is that even in the event of a serious incident – whether a DDoS attack or a power failure – key services remain available and users experience its effects as little as possible.


Author: Paweł Stalewski
