Russian State-Sponsored Hackers Target Polish Power Grid in First Major DER Cyberattack
In late December 2025, a coordinated cyberattack struck multiple sites across Poland’s power grid, marking the first major assault on distributed energy resources (DERs). Cybersecurity firm Dragos attributed the incident with medium confidence to ELECTRUM, a Russian state-sponsored hacking group linked to the broader Sandworm (APT44/Seashell Blizzard) threat cluster.
The attack disrupted communication and control systems at combined heat and power (CHP) facilities and renewable energy dispatch systems, including wind and solar sites. While no power outages occurred, adversaries compromised operational technology (OT) systems critical to grid operations, permanently disabling key equipment. The breach targeted Remote Terminal Units (RTUs) and communication infrastructure, exploiting exposed network devices and vulnerabilities to gain access.
Dragos highlighted a division of labor between ELECTRUM and its sister group, KAMACITE, which specializes in initial access via spear-phishing, credential theft, and exposed service exploitation. KAMACITE conducts prolonged reconnaissance and persistence, while ELECTRUM executes OT-specific actions ranging from manual interface manipulation to deploying ICS malware when conditions align. Recent activity in July 2025 saw KAMACITE scanning U.S. industrial devices, underscoring a geographically unbound operational model.
The Poland attack, though assessed as opportunistic and rushed, inflicted significant damage by wiping Windows-based devices, resetting configurations, and permanently bricking equipment, primarily targeting grid safety and stability monitoring systems. While the full scope of malicious actions remains unclear, the incident confirms that OT-capable adversaries are actively targeting distributed generation systems, shifting from pre-positioning to direct, destructive attacks. The breach exposed vulnerabilities in DER infrastructure, demonstrating how unauthorized access can escalate into irreversible physical disruption.
Source: https://thehackernews.com/2026/01/russian-electrum-tied-to-december-2025.html
Polish Energy Partners cybersecurity rating report: https://www.rankiteo.com/company/polish-energy-partners
{
  "id": "POL1769632981",
  "linkid": "polish-energy-partners",
  "type": "Cyber Attack",
  "date": "12/2025",
  "severity": "100",
  "impact": "7",
  "explanation": "Attack that could injure or kill people"
}

{
  "affected_entities": [
    {
      "industry": "Energy/Utilities",
      "location": "Poland",
      "name": "Polish Power Grid",
      "type": "Critical Infrastructure"
    }
  ],
  "attack_vector": [
    "Exposed network devices",
    "Vulnerability exploitation",
    "Spear-phishing",
    "Credential theft"
  ],
  "date_detected": "2025-12",
  "description": "In late December 2025, a coordinated cyberattack struck multiple sites across Poland’s power grid, marking the first major assault on distributed energy resources (DERs). The attack disrupted communication and control systems at combined heat and power (CHP) facilities and renewable energy dispatch systems, including wind and solar sites. While no power outages occurred, adversaries compromised operational technology (OT) systems critical to grid operations, permanently disabling key equipment. The breach targeted Remote Terminal Units (RTUs) and communication infrastructure, exploiting exposed network devices and vulnerabilities to gain access.",
  "impact": {
    "operational_impact": "Permanent disabling of key equipment, disruption of grid safety and stability monitoring systems",
    "systems_affected": [
      "Combined heat and power (CHP) facilities",
      "Renewable energy dispatch systems (wind and solar)",
      "Remote Terminal Units (RTUs)",
      "Communication infrastructure"
    ]
  },
  "initial_access_broker": {
    "entry_point": [
      "Spear-phishing",
      "Credential theft",
      "Exposed services"
    ],
    "high_value_targets": "Operational technology (OT) systems, Remote Terminal Units (RTUs)",
    "reconnaissance_period": "Prolonged (details unspecified)"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The incident confirms that OT-capable adversaries are actively targeting distributed generation systems, shifting from pre-positioning to direct, destructive attacks. The breach exposed vulnerabilities in DER infrastructure, demonstrating how unauthorized access can escalate into irreversible physical disruption.",
  "motivation": "State-sponsored disruption, operational technology targeting",
  "post_incident_analysis": {
    "root_causes": [
      "Exposed network devices",
      "Vulnerabilities in OT systems",
      "Division of labor between threat actors (ELECTRUM and KAMACITE)"
    ]
  },
  "references": [
    {"source": "Dragos"}
  ],
  "response": {
    "third_party_assistance": "Dragos (cybersecurity firm)"
  },
  "threat_actor": ["ELECTRUM", "KAMACITE (APT44/Seashell Blizzard)"],
  "title": "Russian State-Sponsored Hackers Target Polish Power Grid in First Major DER Cyberattack",
  "type": "Cyberattack on Critical Infrastructure",
  "vulnerability_exploited": "Exposed network devices and vulnerabilities in OT systems"
}