A “coordinated” cyber attack targeting multiple sites across Poland’s electricity grid is believed with medium confidence to be the work of a Russian state-backed hacking group known as ELECTRUM.
Operational technology (OT) cybersecurity firm Dragos said in a new intelligence brief released Tuesday that the late December 2025 activity was the first major cyber attack targeting distributed energy resources (DER).
“This attack affected the communication and control systems of combined heat and power (CHP) facilities, as well as the systems that manage the transmission of electricity from wind and solar power plants to renewable energy systems,” Dragos said. “While this attack did not cause a power outage, the attackers gained access to operational technical systems critical to the operation of the power grid and disabled critical equipment beyond repair in the field.”
It’s worth pointing out that the ELECTRUM and KAMACITE shares overlap with a cluster called Sandworm (also known as APT44 and Seashell Blizzard). KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear phishing, credential theft, and exploitation of exposed services.
Beyond initial access, attackers conduct reconnaissance and persistence activities over extended periods of time as part of their efforts to penetrate deeper into the target’s OT environment and remain unobtrusive. This represents a careful preliminary step prior to any actions taken by ELECTRUM that target industrial control systems.
“Following access enablement, ELECTRUM performs operations that bridge the IT and OT environments, deploying tools within the operational network and performing ICS-specific actions such as manipulating control systems or disrupting physical processes,” said Dragos. “These measures include both manual interaction with operator interfaces and the deployment of specialized ICS malware, depending on operational requirements and objectives.”
In other words, the two clusters have clear separation of roles and responsibilities, allowing for flexible execution and facilitating continued OT-centric penetration when conditions are favorable. As of July 2025, KAMACITE was allegedly engaged in scanning operations against industrial devices located in the United States.
Although no subsequent OT failures have been publicly reported to date, this highlights an operational model that is geographically agnostic and facilitates initial access identification and location.
“KAMACITE’s access-oriented operations create conditions that enable OT influence, while ELECTRUM applies execution tradecraft when timing, access, and risk tolerance align.” “This division of labor allows for flexible execution and allows for OT impact to remain an option even if not immediately implemented. This extends risk beyond individual incidents to potential exposure over time.”
Dragos said the Polish attack targeted systems that facilitate communication and control between grid operators and DER assets, including assets that enable network connectivity, and the attackers succeeded in disrupting the operations of around 30 distributed power plants.
Threat actors are assessed to have used exposed network devices to compromise remote terminal units (RTUs) and communications infrastructure at affected sites, exploiting the vulnerability as an initial access vector. The findings demonstrate that attackers have a deep understanding of power grid infrastructure and are able to disable communications equipment, including some OT devices.
However, the full extent of the malicious activity carried out by ELECTRUM is unknown, Dragos said, and it is unclear whether the threat actors were attempting to issue operational commands to the device or were solely focused on disabling communications.
The Polish attack has also been described as more opportunistic and hasty than a carefully planned operation, allowing hackers to use unauthorized access to wipe Windows-based devices to prevent recovery, reset configurations, or attempt to permanently brick equipment, allowing hackers to cause as much damage as possible. According to Dragos, the majority of the equipment is aimed at monitoring the safety and stability of the power grid.
“This incident shows that attackers with OT-specific capabilities are actively targeting systems that monitor and control distributed generation,” it added. “With certain OT or industrial control system (ICS) equipment irreparably disabled in the field, what could have been considered a proactive positioning attempt by an adversary turned into an attack.”
Source link
