Russian ELECTRUM Linked to December 2025 Cyber Attack on Polish Power Grid

A coordinated cyber attack that struck multiple locations across the Polish power grid in late December 2025 has been attributed, with medium confidence, to a Russian state-sponsored threat group known as ELECTRUM.

Operational technology security firm Dragos revealed the findings in a newly published intelligence brief, describing the incident as the first large-scale cyber attack focused on distributed energy resources (DERs).

According to Dragos, the intrusion targeted communication and control systems at combined heat and power (CHP) facilities, along with infrastructure responsible for dispatching renewable energy generated by wind and solar installations. While the attack did not cause nationwide power outages, it resulted in direct access to critical OT systems and led to the disabling of certain equipment beyond recovery.

Attack Scope and Operational Impact

Dragos stated that attackers compromised systems responsible for coordinating grid operations and DER assets, enabling disruption across approximately 30 distributed generation sites.

The adversaries reportedly gained access to Remote Terminal Units (RTUs) and communication infrastructure by abusing exposed network devices and known vulnerabilities. This activity demonstrates a deep understanding of electrical grid architecture, particularly in how communications and control mechanisms function within OT environments.

Although investigators confirmed damage to communications equipment and some OT devices, the full extent of the attackers’ actions remains unclear. It is currently unknown whether the threat actors attempted to issue operational control commands or focused solely on disabling communication channels.

ELECTRUM and KAMACITE Role Separation

Dragos highlighted notable overlaps between ELECTRUM, KAMACITE, and the broader Sandworm cluster, also tracked as APT44 or Seashell Blizzard.

KAMACITE is assessed to specialize in initial access operations, leveraging spear phishing, stolen credentials, and exploitation of exposed services. Once access is achieved, the group reportedly maintains long term persistence and conducts extensive reconnaissance inside targeted OT environments.

ELECTRUM, on the other hand, is responsible for execution phase operations, bridging IT and OT networks and carrying out actions directly against industrial control systems (ICS).

“Following access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling within operational networks, and performing ICS specific actions that manipulate control systems or disrupt physical processes,” Dragos explained.

This structured division of labor allows sustained OT focused intrusions and provides flexibility in timing and execution. Notably, KAMACITE was observed as recently as July 2025 conducting scanning activity against industrial devices located in the United States.

Indicators of Opportunistic Execution

While the attack demonstrated OT specific capabilities, Dragos assessed that the Poland incident appeared more opportunistic and rushed than a meticulously planned sabotage campaign.

Threat actors reportedly attempted to maximize damage after gaining access by:

  • Wiping Windows based systems to slow recovery
  • Resetting device configurations
  • Attempting to permanently brick certain equipment

Most of the affected assets were linked to grid safety and stability monitoring, reinforcing concerns about the long term risk to distributed energy infrastructure.

“This incident demonstrates that adversaries with OT specific capabilities are actively targeting systems that monitor and control distributed generation,” Dragos noted. “Disabling OT or ICS equipment beyond repair elevated what may have been a pre positioning effort into a confirmed attack.”
