Dragos attributes coordinated cyber attack on Polish power grid to Russian state-sponsored ELECTRUM group, marking first major attack targeting distributed energy resources.
Russian state-sponsored hacking group ELECTRUM has been linked to a coordinated cyber attack on Poland's power grid that occurred in late December 2025, marking the first major incident targeting distributed energy resources (DERs), according to cybersecurity firm Dragos.

The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy dispatch from wind and solar sites across Poland. While the incident did not cause power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at multiple sites.
Understanding the ELECTRUM and KAMACITE Threat Clusters
Dragos describes ELECTRUM as part of a broader Russian cyber operation that shares overlaps with the Sandworm cluster (also known as APT44 and Seashell Blizzard). The operation employs a division of labor between two distinct but complementary threat clusters:
KAMACITE focuses on establishing and maintaining initial access to targeted organizations through:
- Spear-phishing campaigns
- Stolen credentials
- Exploitation of exposed services
This cluster performs reconnaissance and persistence activities over extended periods, carefully burrowing deep into target OT environments while maintaining a low profile. This preparatory phase creates the conditions necessary for subsequent operations.
ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling within operational networks and performing ICS-specific actions that manipulate control systems or disrupt physical processes. Their tactics include:
- Manual interactions with operator interfaces
- Deployment of purpose-built ICS malware
- Actions tailored to operational requirements and objectives
"KAMACITE's access-oriented operations create the conditions under which OT impact becomes possible, while ELECTRUM applies execution tradecraft when timing, access, and risk tolerance align," Dragos explained. "This division of labor enables flexibility in execution and allows OT impact to remain an option, even when it is not immediately exercised."
The Poland Attack: Methodology and Impact
The December 2025 attack specifically targeted systems that facilitate communication and control between grid operators and DER assets. The threat actors successfully disrupted operations at approximately 30 distributed generation sites by:
- Breaching Remote Terminal Units (RTUs) and communication infrastructure
- Exploiting exposed network devices and vulnerabilities as initial access vectors
- Disabling communications equipment, including some OT devices
- Wiping Windows-based devices to impede recovery
- Resetting configurations and attempting to permanently brick equipment
The attackers demonstrated deep understanding of electrical grid infrastructure, allowing them to target equipment critical for grid safety and stability monitoring. Dragos noted that the full scope of malicious actions remains unclear, including whether the threat actor attempted to issue operational commands or focused solely on disabling communications.
Opportunistic Nature and Broader Implications
Dragos assessed the Poland attack as more opportunistic and rushed than a precisely planned operation. The hackers leveraged unauthorized access to inflict maximum damage by wiping devices and attempting permanent equipment destruction. This approach transformed what could have been seen as pre-positioning into an active attack.
Recent intelligence suggests KAMACITE has been conducting scanning activity against industrial devices in the United States as recently as July 2025. While no follow-on OT disruptions have been publicly reported, this activity demonstrates that the operational model is not geographically constrained and facilitates early-stage access identification and positioning.
"This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation," Dragos stated. "The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site moved what could have been seen as a pre-positioning attempt by the adversary into an attack."
Technical Analysis and Attack Vectors
The attack methodology reveals several key technical insights:
- Initial Access: Exploitation of exposed network devices and vulnerabilities
- Persistence: Extended reconnaissance and low-profile operations within OT environments
- Impact: Disabling of communications infrastructure and permanent damage to OT equipment
- Recovery Prevention: Wiping of Windows-based devices and configuration resets
The majority of targeted equipment monitors grid safety and stability, highlighting the attackers' understanding of critical infrastructure dependencies and their willingness to cause lasting damage rather than simply demonstrating capability.
Industry Response and Mitigation
This attack underscores the evolving threat landscape facing critical infrastructure operators, particularly those managing distributed energy resources. The combination of initial access specialists (KAMACITE) and execution-focused operators (ELECTRUM) creates a persistent threat that can maintain long-term presence while waiting for optimal conditions to execute disruptive operations.
Organizations managing OT environments should consider:
- Enhanced monitoring of exposed network devices and services
- Implementation of network segmentation between IT and OT environments
- Regular security assessments of DER management systems
- Incident response planning specific to OT disruption scenarios
- Continuous monitoring for signs of persistent access attempts
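The first, second and fifth recommendations above are concrete enough to turn into a check. The script below is an added illustration, not code from Dragos or from the article: it reads firewall connection logs and flags (a) any allowed connection to an ICS protocol port on an OT host from a source outside the OT zone and outside an explicit allowlist, which is a segmentation gap of the kind the attackers exploited, and (b) any external or IT-zone source that touches several distinct OT services, which is the scanning-and-positioning pattern attributed to KAMACITE. The zone ranges, the allowlist, the log line format and the log lines themselves are all constructed assumptions for the example; the port numbers for Modbus/TCP (502), IEC 60870-5-104 (2404) and DNP3 (20000) are the protocols' standard defaults.

```python
"""Detect IT/OT segmentation violations and ICS service probing in connection logs.

Added example, not from the original article or Dragos. Addressing, allowlist and
log format are hypothetical; adapt them to the real environment.
"""
import ipaddress
from collections import defaultdict

# Hypothetical zone layout: OT assets (RTUs, DER controllers) and the corporate IT range.
OT_ZONES = [ipaddress.ip_network("10.50.0.0/16")]
IT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]

# Standard default ports of common ICS protocols (well-known values, not from the article).
ICS_PORTS = {502: "modbus", 2404: "iec104", 20000: "dnp3"}

# Hypothetical non-OT hosts that are permitted to reach OT services (e.g. a DMZ jump host).
ALLOWLIST = {"10.10.5.20"}

# Constructed sample log: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2025-01-01T02:11:04Z src=10.10.5.20 dst=10.50.1.10 dport=502 action=allow
2025-01-01T02:11:09Z src=10.10.7.31 dst=10.50.1.10 dport=502 action=allow
2025-01-01T02:11:10Z src=10.50.1.11 dst=10.50.1.10 dport=502 action=allow
2025-01-01T02:12:01Z src=203.0.113.44 dst=10.50.1.10 dport=502 action=deny
2025-01-01T02:12:02Z src=203.0.113.44 dst=10.50.1.11 dport=2404 action=deny
2025-01-01T02:12:03Z src=203.0.113.44 dst=10.50.1.12 dport=20000 action=allow
2025-01-01T02:12:05Z src=10.10.7.31 dst=10.50.1.10 dport=443 action=allow
"""


def in_zones(ip, zones):
    """True if the address falls inside any of the given networks."""
    return any(ip in zone for zone in zones)


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    parts = line.split()
    fields = dict(tok.split("=", 1) for tok in parts[1:])
    return {
        "ts": parts[0],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def analyze(lines, probe_threshold=3):
    """Return (violations, probers).

    violations: allowed ICS-port connections into OT from non-allowlisted, non-OT sources.
    probers:    non-OT sources that touched >= probe_threshold distinct OT service endpoints
                (allowed or denied), i.e. likely scanning of exposed industrial devices.
    """
    violations = []
    touched = defaultdict(set)  # src -> {(dst, dport)} regardless of allow/deny

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])

        # Only ICS services on OT hosts are in scope for this check.
        if not in_zones(dst, OT_ZONES) or rec["dport"] not in ICS_PORTS:
            continue
        # OT-internal traffic and explicitly allowlisted hosts are expected.
        if in_zones(src, OT_ZONES) or rec["src"] in ALLOWLIST:
            continue

        # An allowed connection here means the IT/OT boundary let an ICS session through.
        if rec["action"] == "allow":
            violations.append((rec["ts"], rec["src"], rec["dst"], ICS_PORTS[rec["dport"]]))

        # Denied attempts still count towards probing: they show reconnaissance intent.
        touched[rec["src"]].add((rec["dst"], rec["dport"]))

    probers = {s: len(t) for s, t in touched.items() if len(t) >= probe_threshold}
    return violations, probers


if __name__ == "__main__":
    found, scanners = analyze(SAMPLE_LOG.splitlines())
    for ts, src, dst, proto in found:
        print(f"SEGMENTATION VIOLATION {ts} {src} -> {dst} ({proto})")
    for src, count in scanners.items():
        print(f"PROBING {src} touched {count} distinct OT services")
```

On the constructed sample this reports two violations (an IT workstation reaching Modbus on an RTU, and an external address reaching DNP3 on a second device) and one prober, the external address that touched three different OT services, two of which were denied. Counting denied attempts is deliberate: a blocked scan of exposed industrial devices is still the early signal the final recommendation asks defenders to watch for.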
The Poland incident serves as a wake-up call for the energy sector, demonstrating that Russian state-sponsored actors possess both the capability and willingness to target critical infrastructure with potentially lasting consequences. The attack's focus on DERs also signals an evolution in targeting priorities, as renewable energy integration becomes increasingly central to grid operations worldwide.
As Dragos noted, this division of labor between access and execution roles enables sustained OT-focused intrusions when conditions are favorable, extending risk beyond discrete incidents into prolonged periods of latent exposure. The energy sector must adapt its defensive posture accordingly, recognizing that the threat extends beyond immediate attacks to include extended preparation phases that may go undetected for months or years.
