Ravie LakshmananJan 28, 2026Critical Infrastructure / Risk Intelligence
The “coordinated” cyber assault focusing on a number of websites throughout the Polish energy grid has been attributed with medium confidence to a Russian state-sponsored hacking crew often called ELECTRUM.
Operational know-how (OT) cybersecurity firm Dragos, in a brand new intelligence transient printed Tuesday, described the late December 2025 exercise as the primary main cyber assault focusing on distributed vitality sources (DERs).
“The assault affected communication and management techniques at mixed warmth and energy (CHP) amenities and techniques managing the dispatch of renewable vitality techniques from wind and photo voltaic websites,” Dragos stated. “Whereas the assault didn’t end in energy outages, adversaries gained entry to operational know-how techniques important to grid operations and disabled key tools past restore on the website.”
It is price stating that ELECTRUM and KAMACITE share overlaps with a cluster known as Sandworm (aka APT44 and Seashell Blizzard). KAMACITE focuses on establishing and sustaining preliminary entry to focused organizations utilizing spear-phishing, stolen credentials, and exploitation of uncovered companies.
Past preliminary entry, the risk actor performs reconnaissance and persistence actions over prolonged intervals of time as a part of efforts to burrow deep into goal OT environments and hold a low profile, signaling a cautious preparatory section that precedes actions executed by ELECTRUM focusing on the economic management techniques.
“Following entry enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling inside operational networks, and performs ICS-specific actions that manipulate management techniques or disrupt bodily processes,” Dragos stated. “These actions have included each guide interactions with operator interfaces and the deployment of purpose-built ICS malware, relying on the operational necessities and aims.”
Put in another way, the 2 clusters have clear separation of roles and obligations, enabling flexibility in execution and facilitating sustained OT-focused intrusions when circumstances are beneficial. As just lately as July 2025, KAMACITE is alleged to have engaged in scanning exercise towards industrial gadgets situated within the U.S.
Though no follow-on OT disruptions have been publicly reported to this point, this highlights an operational mannequin that isn’t geographically constrained and facilitates early-stage entry identification and positioning.
“KAMACITE’s access-oriented operations create the circumstances underneath which OT influence turns into doable, whereas ELECTRUM applies execution tradecraft when timing, entry, and danger tolerance align,” it defined. “This division of labor permits flexibility in execution and permits OT influence to stay an choice, even when it isn’t instantly exercised. This extends danger past discrete incidents and into extended intervals of latent publicity.”
Dragos stated the Poland assault focused techniques that facilitate communication and management between grid operators and DER property, together with property that allow community connectivity, permitting the adversary to efficiently disrupt operations at about 30 distributed era websites.
The risk actors are assessed to have breached Distant Terminal Models (RTUs) and communication infrastructure on the affected websites utilizing uncovered community gadgets and exploited vulnerabilities as preliminary entry vectors. The findings point out that the attackers possess a deep understanding {of electrical} grid infrastructure, permitting them to disable communications tools, together with some OT gadgets.
That stated, the total scope of the malicious actions undertaken by ELECTRUM is unknown, with Dragos noting that it is unclear if the risk actor tried to situation operational instructions to this tools or centered solely on disabling communications.
The Poland assault can also be assessed to be extra opportunistic and rushed than a exactly deliberate operation, permitting the hackers to reap the benefits of the unauthorized entry to inflict as a lot harm as doable by wiping Home windows-based gadgets to impede restoration, resetting configurations, or trying to completely brick tools. Nearly all of the tools is focused at grid security and stability monitoring, per Dragos.
“This incident demonstrates that adversaries with OT-specific capabilities are actively focusing on techniques that monitor and management distributed era,” it added. “The disabling of sure OT or industrial management system (ICS) tools past restore on the website moved what may have been seen as a pre-positioning try by the adversary into an assault.”
