Russian Group ELECTRUM Linked to December 2025 Cyberattack on Polish Power Grid

A coordinated cyber operation that struck multiple nodes of Poland’s power grid in late December 2025 has been attributed, with medium confidence, to ELECTRUM, a Russian state‑sponsored threat group. In an intelligence brief released Tuesday, OT security firm Dragos characterized the incident as the first major cyberattack aimed at distributed energy resources (DERs). According to the firm, the intrusion targeted communications and control layers at combined heat and power (CHP) plants as well as systems that dispatch wind and solar generation. While the campaign did not cause blackouts, the intruders reached critical OT systems and rendered key onsite equipment irreparable.

Dragos notes that ELECTRUM and KAMACITE overlap with the cluster commonly known as Sandworm (APT44 / Seashell Blizzard). Within this ecosystem, KAMACITE typically establishes and maintains initial access by leveraging spear‑phishing, stolen credentials, and exploitation of exposed services, then conducts long‑term reconnaissance and persistence to burrow quietly into OT environments. ELECTRUM then follows with operations that bridge IT and OT, deploying tooling inside operational networks and executing ICS‑specific actions to manipulate controls or disrupt physical processes. Depending on objectives, those actions may involve hands‑on manipulation via operator interfaces or purpose‑built ICS malware.

This division of labor provides flexibility and endurance, enabling sustained, OT‑focused intrusions when conditions are favorable. Dragos highlights that as recently as July 2025, KAMACITE was scanning industrial devices in the United States, underscoring an operational model that isn’t bound by geography and prioritizes early access and positioning.

In Poland, the adversaries focused on systems that broker communications and control between grid operators and DER assets, including network connectivity components. The operation disrupted around 30 distributed generation sites. Initial access is assessed to have involved exposed network devices and known vulnerabilities, allowing the actors to compromise Remote Terminal Units (RTUs) and related communications infrastructure. Dragos assesses the attackers demonstrated a deep understanding of grid operations, enabling them to disable communications equipment, including some OT devices.

The full extent of ELECTRUM’s actions remains unclear; it is not yet known whether they attempted to issue operational commands or limited themselves to breaking communications. Dragos also assesses the Polish operation as more opportunistic and hurried than meticulously staged. Once inside, the actors wiped Windows machines to slow recovery, reset configurations, and in some cases attempted to permanently brick equipment, much of it tied to grid safety and stability monitoring.

Dragos concludes that the incident demonstrates active targeting of systems that monitor and control distributed generation by adversaries with OT‑specific capabilities. By permanently disabling certain OT/ICS devices, the activity crossed the line from pre‑positioning to an outright attack.
