Full Report
The "coordinated" cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM. Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy
Analysis Summary
# Incident Report: Coordinated Cyber Attack on Polish Power Grid (Dec 2025)
## Executive Summary
A coordinated cyber attack struck multiple sites across the Polish power grid in late December 2025, attributed with medium confidence to the Russian state-sponsored group ELECTRUM. The attack specifically targeted distributed energy resources (DERs), affecting communication and control systems at CHP facilities and renewable energy dispatch systems. While no widespread power outages occurred, adversaries successfully disabled key Operational Technology (OT) equipment beyond repair at affected sites.
## Incident Details
- **Discovery Date:** Not explicitly stated; the Dragos intelligence brief describing the activity was published on a Tuesday in January 2026.
- **Incident Date:** Late December 2025
- **Affected Organization:** Multiple sites across the Polish power grid (Combined Heat and Power (CHP) facilities and renewable energy dispatch systems/DERs).
- **Sector:** Energy/Critical Infrastructure (Power Grid)
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** Before the late December 2025 execution phase. (Note: access-enablement operations by the associated actor KAMACITE suggest scanning activity as early as July 2025.)
- **Vector:** Exposed network devices and exploited vulnerabilities.
- **Details:** Attackers breached Remote Terminal Units (RTUs) and communication infrastructure, both through network devices directly reachable from untrusted networks and through exploitation of vulnerabilities in them.
### Lateral Movement
- **How attackers moved through network:** The overall operation involves KAMACITE establishing deep access (persistence, reconnaissance) before ELECTRUM conducts operations that bridge the IT and OT environments. The attackers gained access to OT systems critical to grid operations.
- **Details:** A division of labor suggests KAMACITE prepares the environment, allowing ELECTRUM to deploy tooling within operational networks.
### Data Exfiltration/Impact
- **What was stolen or damaged:** No data theft is reported; the impact was destructive. Attackers disabled key equipment beyond repair at the affected site(s). The full scope is unknown, but operations were disrupted at approximately 30 distributed generation sites by disabling communications equipment, including some OT devices. Whether the attackers issued operational (control) commands is unknown.
### Detection & Response
- **How it was discovered:** Activity analyzed and reported by OT cybersecurity company Dragos via an intelligence brief published in January 2026.
- **Response actions taken:** Not detailed in the provided text, beyond the external analysis by Dragos.
## Attack Methodology
- **Initial Access:** Exposed network devices; Exploitation of exposed services (implied for KAMACITE preparation phase); Spear-phishing and stolen credentials (KAMACITE tradecraft for initial access).
- **Persistence:** Extended periods of reconnaissance and persistence activities performed prior to execution phase (KAMACITE phase).
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Keeping a low profile during the preparatory (KAMACITE) phase.
- **Credential Access:** Utilizing stolen credentials (KAMACITE tradecraft).
- **Discovery:** Extensive reconnaissance activities performed over time to burrow deep into OT environments.
- **Lateral Movement:** Bridging IT and OT environments; deploying tooling within operational networks.
- **Collection:** No data collection is described; access to RTUs and communication infrastructure served as the foothold for disruption.
- **Exfiltration:** Not explicitly stated; the focus was on disruption rather than data theft.
- **Impact:** ELECTRUM's known tradecraft is deploying purpose-built ICS malware or manually interacting with operator interfaces to manipulate control systems; in this incident the observed impact was disabling communications equipment and rendering OT devices unusable beyond repair.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Scope unknown; focus was on operational disruption.
- **Operational:** Disruption of operations at about 30 distributed generation sites; key OT equipment disabled beyond repair. The attack targeted communication and control systems critical for DER dispatch.
- **Reputational:** Not specified.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (No specific IOCs provided).
- **File indicators:** None provided. The brief describes ELECTRUM's tradecraft as purpose-built ICS malware or manual interaction with operator interfaces, but does not confirm which was used here or name any malware family.
- **Behavioral indicators:** Coordinated attack bridging IT/OT environments; disruption of DER communication/control systems.
## Response Actions
- **Containment measures:** Not detailed in the article.
- **Eradication steps:** Not detailed in the article.
- **Recovery actions:** Not detailed in the article; since the affected equipment was disabled beyond repair, recovery necessarily involves physical replacement.
## Lessons Learned
- **Key takeaways:** The ELECTRUM/KAMACITE pairing employs a flexible division of labor: one cluster (KAMACITE) prepares long-term access, and the execution cluster (ELECTRUM) strikes when conditions are favorable. Risk therefore extends beyond the immediate incident into prolonged latent exposure, since an environment may be prepared months before any disruptive action.
- **What could have been done better:** This attack was the first major cyber attack targeting DERs, highlighting a potential blind spot in securing distributed energy infrastructure.
## Recommendations
- Harden and monitor network devices used for OT connectivity (RTUs, communication infrastructure), and remove any management or ICS-protocol service reachable from untrusted networks.
- Implement rigorous segmentation between IT and OT environments, with access into OT brokered only through a monitored DMZ/jump host, to restrict the IT-to-OT bridging attributed to ELECTRUM.
- Enhance monitoring for early-stage access activities (like those performed by KAMACITE) in IT environments that precede OT impact, since the preparatory phase may run for months before execution.
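The first two recommendations can be turned into a repeatable audit. The following script is an added illustrative example, not code from Dragos, the article, or any affected operator: it runs over a constructed asset inventory and constructed flow records and flags (a) OT connectivity devices that expose management or ICS-protocol services on an internet-facing interface, and (b) traffic entering the OT zone from IT or external sources without passing through the designated jump host. The zone address ranges, host names, port-to-service mapping and jump-host address are all assumptions made for the example.

```python
"""Exposure and segmentation audit for OT connectivity devices.

Added example, not from the Dragos brief or the article. All inventory,
addresses, ports and flow records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Services that must never be reachable on an untrusted interface.
# The port-to-service mapping is an assumption for the example.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
                   502: "modbus", 2404: "iec104", 20000: "dnp3"}

# Assumed zone layout: IT, DMZ and OT address ranges, and the one DMZ jump
# host that is permitted to originate connections into OT.
ZONES = {"it": ip_network("10.10.0.0/16"), "dmz": ip_network("10.20.0.0/16"),
         "ot": ip_network("10.30.0.0/16")}
JUMP_HOSTS = {"10.20.0.5"}


@dataclass
class Asset:
    name: str
    zone: str                                      # "it", "dmz" or "ot"
    interfaces: dict                               # iface -> (ip, "internet"|"internal")
    listening: dict = field(default_factory=dict)  # iface -> set of listening ports


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip):
    """Map an address to its zone name; anything outside the known ranges is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def exposed_services(assets):
    """Sensitive services listening on internet-facing interfaces: (asset, iface, port, service)."""
    findings = []
    for a in assets:
        for iface, (_ip, kind) in a.interfaces.items():
            if kind != "internet":
                continue
            for port in sorted(a.listening.get(iface, ())):
                if port in SENSITIVE_PORTS:
                    findings.append((a.name, iface, port, SENSITIVE_PORTS[port]))
    return findings


def it_to_ot_crossings(flows):
    """Flows into the OT zone whose source is neither in OT nor an approved jump host."""
    return [f for f in flows
            if zone_of(f.dst) == "ot"
            and zone_of(f.src) != "ot"
            and f.src not in JUMP_HOSTS]


# Constructed inventory: two site RTUs/gateways and the DMZ jump host.
ASSETS = [
    Asset("rtu-chp-01", "ot",
          {"wan": ("203.0.113.10", "internet"), "lan": ("10.30.1.10", "internal")},
          {"wan": {23, 502}, "lan": {502}}),
    Asset("gw-solar-07", "ot",
          {"wan": ("203.0.113.11", "internet"), "lan": ("10.30.2.7", "internal")},
          {"wan": {443}, "lan": {2404}}),
    Asset("jump-dmz-01", "dmz", {"eth0": ("10.20.0.5", "internal")}, {"eth0": {22}}),
]

# Constructed flow records: one direct IT-to-OT Modbus session, one approved
# jump-host session, one OT-internal poll, and one external IEC 104 attempt.
FLOWS = [
    Flow("10.10.4.21", "10.30.1.10", 502),
    Flow("10.20.0.5", "10.30.1.10", 22),
    Flow("10.30.5.2", "10.30.1.10", 502),
    Flow("198.51.100.7", "10.30.2.7", 2404),
]


def run_audit(assets=ASSETS, flows=FLOWS):
    """Return both finding lists so the results can be checked programmatically."""
    return {"exposed": exposed_services(assets), "crossings": it_to_ot_crossings(flows)}


if __name__ == "__main__":
    result = run_audit()
    for name, iface, port, svc in result["exposed"]:
        print(f"EXPOSED  {name} {iface} {port}/{svc} reachable from the internet")
    for f in result["crossings"]:
        print(f"CROSSING {f.src} ({zone_of(f.src)}) -> {f.dst} :{f.dport} bypasses jump host")
```

In practice the inventory would come from the asset database and the flows from a span-port sensor or firewall logs; the point is that both checks are deterministic and cheap enough to run on every inventory or rule change, so a newly exposed RTU service or a fresh IT-to-OT path surfaces during the preparatory phase rather than at execution.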