Written by Sean Lyngaas

Polish security services on Thursday suggested the Russian government could be behind a cyberattack against an elite Polish military academy and an ensuing effort to undermine U.S.-Polish relations.

Stanislaw Zaryn, a spokesman for the Minister-Special Services Coordinator, which oversees Polish security agencies, announced that hackers had breached the website of Poland’s War Studies University. The attack was followed by a disinformation campaign, Zaryn said, in which attackers posted a letter where the head of the university purportedly described the U.S. troop presence in Poland as an “American occupation.” The fake letter was picked up by at least three Polish websites, one with a history of pushing disinformation, Polish officials said.

Poland’s government did not conclusively blame the Russian government for the information operation. However, Zaryn said the effort, apparently meant to sow discord between the U.S. and a key ally in Central Europe, would be “congruent with disinformation activities carried out by the Russian Federation against Poland.”

“Poland’s special services are investigating the matter,” Zaryn added.

He did not respond to a request for comment on what technical information Polish officials used in attributing the activity to Russia. Agence France-Presse journalists in Poland first determined the letter was inauthentic. The hack of the academy website reportedly occurred on Wednesday. It was not clear why the allegation was made in such a short period of time.

Neither the Russian Embassy in Washington, D.C., nor Russia’s Ministry of Foreign Affairs responded to requests for comment on the allegations. The Russian government has consistently denied engaging in such efforts.

The allegation from the Polish government comes the same month that independent researchers reported that suspected Russian operatives had forged a number of diplomatic letters masquerading as legitimate documents from officials including U.S. Secretary of State Mike Pompeo and Estonian officials. Last year, the Atlantic Council’s Digital Forensic Research Lab suggested that Russian agents had posed as U.S. Sen. Marco Rubio, a Florida Republican, as part of what they described as operation Secondary Infektion.

Thomas Rid, a professor at Johns Hopkins University’s School of Advanced International Studies, said that he had no first-hand knowledge of the incident but that “at first glance, this is straight out of the century-old Russian active measures playbook.”

“Forging letters and impersonating military or political leaders are old-school tools here,” added Rid, the author of a book on information operations. “One perennial goal of such measures: exacerbating existing tensions between allies.”

There are about 4,500 U.S. troops that rotate in and out of Poland as part of U.S. security assistance to that country, with another 1,000 more reportedly on the way. Poland is also a member of the North Atlantic Treaty Organization, a defense bloc that Russia sees as encroaching on its sphere of influence in Eastern Europe.

In a statement, a spokesman for U.S. European Command, which oversees U.S. troops in Poland, said the command was aware of the incident.

“We condemn any cyberattack against an ally or partner,” said the spokesman, Lt. Cmdr. Joseph Hontz. “Such attacks allow the U.S. and its allies to gain valuable insight into adversaries’ tactics, techniques, and procedures, plans, capabilities and tools. This further enables the U.S. and its allies to prevent future network intrusions and cyberattacks against our nations’ critical infrastructure and key resources.”

A NATO official referred questions to Poland’s defense ministry. “We are vigilant for ongoing disinformation campaigns,” the official said, adding that “NATO works closely with allies and partners to identify, expose, and counter disinformation.”

Lukasz Olejnik, an independent cybersecurity researcher and consultant, said the hacking and information operation appeared to be coordinated and organized.

“While it’s clear that the tactic is consistent with that applied with another places in the region in previous years, we don’t know who’s behind it or why this has happened now,” Olejnik said. “The event appears to be treated rather seriously by authorities, given how quickly it was debunked.”

The U.S. and its European allies in October blamed the Russian government for cyberattacks on thousands of websites in the Eurasian country of Georgia. Moscow denied involvement in those attacks.

UPDATE: This story was updated on 04/28/20 with a statement from U.S. European command.