Russia-affiliated Electrum hackers linked to cyberattack on Polish power grid

A coordinated cyberattack targeting multiple sites across Poland’s power grid has been attributed with medium confidence to a Russian state-sponsored hacking group known as Electrum, according to a new intelligence report from operational technology cybersecurity firm Dragos.

The activity, detected in late December 2025, marks the first major cyberattack aimed at distributed energy resources (DERs), Dragos said. The attackers breached communication and control systems at combined heat and power facilities, as well as platforms used to manage renewable energy dispatch from wind and solar sites. While the incident did not trigger power outages, the hackers accessed critical operational technology (OT) systems and disabled some equipment beyond repair.

Dragos assessed that Electrum works closely with another threat cluster, tracked as Kamacite, which focuses on gaining and maintaining initial access to target networks through spear-phishing, stolen credentials, and exploitation of exposed services. Both groups overlap with the Sandworm threat cluster, also tracked as APT44 or Seashell Blizzard. Kamacite is believed to establish long-term access, allowing Electrum to carry out disruptive attacks against industrial control systems.

According to the report, the attackers compromised remote terminal units and communications infrastructure at roughly 30 distributed generation sites, exploiting exposed network devices and known vulnerabilities. The operation appeared more rushed and opportunistic than carefully planned, with attackers wiping Windows-based systems, resetting configurations, and attempting to permanently damage grid-related equipment used for safety and stability monitoring.

Earlier this week, Slovak cybersecurity firm ESET attributed the attack on the Polish energy grid to the Russian threat actor Sandworm. The company said that the attackers deployed a previously undocumented data-destroying malware, dubbed ‘DynoWiper,’ but did not provide any additional details.
