Key Takeaways
- A coordinated cyber attack on the Polish power grid has been attributed to the Russian state-sponsored hacking group ELECTRUM with medium confidence.
- The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems.
- The attack did not result in power outages, but the adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair.
- The attack is believed to be the work of ELECTRUM, which is known to work in conjunction with another group called KAMACITE to gain initial access to targeted organizations and perform reconnaissance and persistence activities.
- The incident highlights the risk of OT-focused intrusions and the importance of securing critical infrastructure against cyber threats.
Introduction to the Attack
The Polish power grid was recently targeted in a coordinated cyber attack, which has been attributed to the Russian state-sponsored hacking group ELECTRUM with medium confidence. According to a new intelligence brief published by operational technology (OT) cybersecurity company Dragos, the attack occurred in late December 2025 and targeted distributed energy resources (DERs). The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites. While the attack did not result in power outages, the adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site.
The Role of ELECTRUM and KAMACITE
ELECTRUM is known to work in conjunction with another group called KAMACITE to gain initial access to targeted organizations and perform reconnaissance and persistence activities. KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploitation of exposed services. Once access is gained, the threat actor performs reconnaissance and persistence activities over extended periods of time as part of efforts to burrow deep into target OT environments and keep a low profile. This careful preparatory phase precedes actions executed by ELECTRUM, which targets the industrial control systems. The two groups have a clear separation of roles and responsibilities, enabling flexibility in execution and facilitating sustained OT-focused intrusions when conditions are favorable.
The Attack on the Polish Power Grid
The attack on the Polish power grid targeted systems that facilitate communication and control between grid operators and DER assets, including assets that enable network connectivity. The adversary successfully disrupted operations at about 30 distributed generation sites by breaching Remote Terminal Units (RTUs) and communication infrastructure at the affected sites using exposed network devices and exploited vulnerabilities as initial access vectors. The findings indicate that the attackers possess a deep understanding of electrical grid infrastructure, allowing them to disable communications equipment, including some OT devices. However, the full scope of the malicious actions undertaken by ELECTRUM is unknown, with Dragos noting that it’s unclear if the threat actor attempted to issue operational commands to this equipment or focused solely on disabling communications.
The Nature of the Attack
The Poland attack is assessed to be more opportunistic and rushed than a precisely planned operation, with the hackers taking advantage of their unauthorized access to inflict as much damage as possible. The attackers wiped Windows-based devices to impede recovery, reset configurations, or attempted to permanently brick equipment. The majority of the equipment targeted was focused on grid safety and stability monitoring, per Dragos. This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation. The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site turned what might otherwise have been read as a pre-positioning attempt by the adversary into an attack.
Conclusion and Implications
The attack on the Polish power grid highlights the risk of OT-focused intrusions and the importance of securing critical infrastructure against cyber threats. The incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation, and that the division of labor between ELECTRUM and KAMACITE enables flexibility in execution and allows OT impact to remain an option, even when it is not immediately exercised. This extends risk beyond discrete incidents and into prolonged periods of latent exposure. As such, it is essential for organizations to prioritize the security of their OT systems and to be aware of the potential risks and threats posed by state-sponsored hacking groups like ELECTRUM and KAMACITE.