{
	"id": "0eefc63d-cd9d-43a2-a3c7-05de0719b442",
	"created_at": "2026-04-29T02:21:12.549566Z",
	"updated_at": "2026-04-29T08:22:34.992447Z",
	"deleted_at": null,
	"sha1_hash": "fea90aad4754995611b7cdd7ea8110a4a7472ab2",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-01-29T08:53:19Z",
	"file_modification_date": "2026-01-29T08:53:20Z",
	"file_size": 2042495,
	"plain_text": "ELECTRUM: Cyber Attack on\r\nPoland’s Electric System 2025\r\nINTELLIGENCE BRIEF\n\n2 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\nELECTRUM: CYBER ATTACK ON POLAND’S ELECTRIC SYSTEM 2025 UPDATED JANUARY 2026\r\nExecutive Summary\r\nWhy We’re Publishing\r\nThis Report\r\nOn December 29, 2025, a coordinated cyberattack targeted multiple sites across the Polish\r\npower grid, specifically those connected to distributed energy generation. The attack affected\r\ncommunication and control systems at combined heat and power (CHP) facilities and systems\r\nmanaging the dispatch of renewable energy systems from wind and solar sites. While the attack\r\ndid not result in power outages, adversaries gained access to operational technology systems\r\ncritical to grid operations and disabled key equipment beyond repair at the site. Due to the lack\r\nof electric outages, asset operators and the broader community may be mistaken to think this\r\nis not overly concerning. However, what was demonstrated, especially for other countries who\r\ncurrently or will depend more on DERs, should be very alarming\r\nThis is the first major cyber attack targeting distributed energy resources (DERs), the smaller\r\nwind, solar, and CHP facilities being added to grids worldwide. Unlike the centralized systems\r\nimpacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are\r\nmore numerous, require extensive remote connectivity, and often receive less cybersecurity\r\ninvestment. This attack demonstrates they are now a valid target for sophisticated adversaries.\r\nThis report provides technical analysis of the attack, context on Poland’s energy system\r\ntransformation, and defensive recommendations for power system operators managing similar\r\ninfrastructure.\r\nDragos is involved in an incident response at one of the numerous incidents across the Polish\r\nsystem that are part of this attack. 
None of the details of this report contain sensitive incident response or client information. However, through these efforts, Dragos confirms the seriousness of the attack and assesses with moderate confidence that the threat group ELECTRUM is responsible.\r\nDragos is publishing this to amplify CERT Polska’s efforts by adding operational technology (OT)-specific context and defensive recommendations for the electric sector. Dragos wants to thank CERT Polska for their tireless effort across their community in the face of an irresponsible attack.\r\nWe are releasing this analysis for three primary reasons:\r\n• To provide the electric system operator community with technical insights into the first major coordinated attack on distributed energy resources, including specific defensive recommendations.\r\n• To educate the broader community on how distributed generation infrastructure differs from traditional systems and why this attack represents a strategic shift in adversary targeting.\r\n• To support CERT Polska’s ongoing work by validating the cyber attack from an independent OT security perspective.\r\nPoland Incident Overview\r\nOn January 14, 2026, Poland’s Prime Minister Donald Tusk briefed government leaders on a cyber attack that occurred on December 29, 2025. The briefing, along with subsequent ones, detailed how the attack had been carried out, that it had been thwarted, and that the system had never been at risk. Tusk acknowledged the need for greater protection for IT and OT, with operational technology specifically highlighted, especially considering the implementation of a new act to improve national resilience, a direct consequence of European directives on this matter.\r\nThis represents the first major coordinated attack targeting distributed energy resources at scale. While Dragos has responded to cybersecurity incidents at individual renewable and distributed generation facilities in the past, those incidents involved single sites or opportunistic compromises. The Poland attack is significant because of the coordinated nature of the attacks across numerous sites simultaneously and the demonstrated intent of a sophisticated adversary to systematically target this infrastructure. Through our incident response work, Dragos can confirm the seriousness of the attack and assess with moderate confidence that the threat group ELECTRUM is responsible.\r\nDragos knows from public statements that the attack targeted systems that facilitate communication and control between grid operators and DER assets – specifically, combined heat and power (CHP) facilities and systems that manage dispatch of renewable energy from wind and solar sites. This doesn’t mean the communications links were taken down; rather, the assets that facilitate that telemetry and the devices that enable network connectivity were targeted.\r\nThrough a combination of exposed network devices and exploited vulnerabilities, adversaries compromised Remote Terminal Units (RTUs) and communication infrastructure at the affected sites. This equipment sits behind defenses that inevitably contain vulnerabilities, whether through misconfigurations, unpatched systems, or exploitable services. Once past those defenses, adversaries encountered RTUs and communications infrastructure that were not designed to withstand sophisticated cyber threats.\r\nTaking over these devices requires capabilities beyond simply understanding their technical flaws. It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at multiple sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.\r\nThe Polish government’s response appropriately emphasized that the transmission systems, the backbone of the electric grid, were not compromised. However, the adversaries did gain access to operational technology systems with direct connections to generation assets. While these systems are not transmission infrastructure, they are important operational systems that could enable a significant impact.\r\nIn electricity systems, the loss of communications typically does not cause immediate equipment shutdown. When a device loses connectivity, it generally continues operating. It simply cannot be monitored or controlled remotely. This is why the power remained on, which is the primary measure of operational impact for electric grids.\r\nWhat remains unclear is whether ELECTRUM attempted to issue operational commands to this equipment or focused solely on disabling communications. Due to limited logging of network communications and OT commands at the affected sites, Dragos cannot definitively determine the full scope of the adversary’s actions. We can confirm that they successfully disabled communications equipment, including some OT devices.\r\nFor power system operators managing similar distributed energy infrastructure, this incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation. This attack did not result in power loss, but the access achieved represents the type of foothold that could enable operational impacts, particularly when similar access is achieved across larger numbers of sites simultaneously or if adversaries develop deeper knowledge of specific site configurations. The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site moved what could have been seen as a pre-positioning attempt by the adversary into an attack.\r\nBackground\r\nPoland’s Energy Systems\r\nPrevious attacks on electrical infrastructure targeted centralized systems or individual substations. The 2015 Ukraine attacks focused on distribution control centers that manage energy flow across regions. The 2016 attack targeted a transmission substation using CRASHOVERRIDE malware. In both cases, adversaries sought to disrupt large, centralized control points that manage significant portions of the grid.\r\nPoland, like much of the world, is transforming its energy system from large, carbon-intensive generation to a mix of smaller renewable facilities embedded throughout the grid. This transition brings well-documented operational challenges. The 2025 collapse of the Iberian power grid demonstrated how quickly grid stability can be affected, not just by the loss of large generation facilities but by frequency fluctuations from distributed sources.\r\nFigure 1: Electricity Consumption in Poland in 2025[1]\r\nGrid vulnerability to disruptions depends heavily on the generation mix and system inertia. Poland generates over 50 percent of its energy from coal or lignite-fired power plants, providing significant inertia that helps stabilize grid frequency. Wind and solar make up approximately 25 percent of capacity. Grids with higher renewable penetration and less inertia, common in regions aggressively pursuing decarbonization, may be more susceptible to the cascading effects of coordinated DER disruption. Defenders in these regions should consider Poland a warning: as your DER portfolio grows, so does the attack surface.\r\nTraditional large generation facilities are built with substantial physical security: fenced perimeters, on-site staff, and centralized operations. Cybersecurity investments can be integrated into these facilities as a small component of overall construction and operating costs. DERs operate under different constraints:\r\n• Hundreds of small sites instead of dozens of large facilities\r\n• Built with tight financial margins where every cost matters\r\n• Often developed by companies building to sell rather than operate long-term\r\n• Fixed-scope agreements that may not prioritize security features\r\nThese facilities require extensive remote connectivity for multiple purposes: operations, energy trading, maintenance, and vendor support. Service level agreements often mandate vendor access. Meeting these connectivity requirements with low-cost commodity solutions across numerous sites creates a larger, less manageable attack surface than traditional infrastructure.\r\nBeyond remote access, many operators have limited visibility into what occurs within the networks themselves, meaning the east-west traffic between devices and systems. This makes detecting adversary lateral movement or malicious commands significantly more difficult than monitoring traffic entering and leaving the network.\r\nHistorical Context\r\n10 Years of Practice\r\nAn attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it. It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.\r\n2015 Attack: Regional Distribution Substations\r\nOn December 23, 2015, a coordinated attack on three distribution network operators in Ukraine marked the first publicly confirmed cyber attack to cause power outages. Adversaries defeated multiple layers of IT defenses to create broad impact across more than 60 substations serving hundreds of thousands of customers. While their techniques were not particularly advanced, their planning and understanding of how the system would respond allowed them to layer their effects by blinding network operators, preventing remote restoration of communications, and removing customers’ ability to contact utilities to report outages.\r\n2016 Attack: Transmission Substations\r\nOn December 17, 2016, the same adversary returned with a more sophisticated approach. This time they targeted a transmission substation using CRASHOVERRIDE[2]/Industroyer, purpose-built malware designed to communicate directly with OT/ICS protocols. CRASHOVERRIDE used four ICS-specific protocols: IEC 104, a protocol for power system monitoring and control over TCP/IP networks; IEC 101, IEC 104’s serial equivalent; IEC 61850, a standard for communication in electrical substations; and OLE for Process Control Data Access (OPC DA), a set of standards and specifications for industrial automation data exchange. It also deployed a wiper module to impede recovery, deleting configuration and related files to hamper restoration on infected SCADA systems. While the attack affected a single substation, it still impacted hundreds of thousands of customers on a day when energy is life-critical. The deployment of OT protocol-specific malware represented a significant escalation, moving from manual operator interaction to automated execution.\r\nThreat Group: ELECTRUM\r\nDragos worked extensively on these investigations and attributed the 2015 and 2016 attacks to ELECTRUM with high confidence. ELECTRUM is tracked elsewhere in the industry as synonymous with the threat actor Sandworm, though Dragos notes that not all Sandworm activity is ELECTRUM or vice versa. This group has demonstrated a deep understanding of electrical grid equipment and operations, proficiency with industrial protocols used in power systems, and the ability to develop custom malware and wiper tools for both IT and OT environments. ELECTRUM’s operations demonstrate a working knowledge of control workflows, substation operations, and the operational dependencies within electrical systems. This knowledge enables them to achieve real-world physical effects. Since 2016, ELECTRUM has continued to develop capabilities targeting electrical infrastructure.\r\nPost-2016 ELECTRUM Operations\r\nAfter 2016, ELECTRUM and its enabling counterpart, KAMACITE, conducted reconnaissance across European infrastructure, expanding their understanding of potential targets. From 2016 through 2022, they were observed enumerating systems and mapping networks across Europe, demonstrating sustained interest in critical infrastructure beyond Ukraine.\r\nWhen Russia’s invasion of Ukraine began in February 2022, ELECTRUM’s capabilities were immediately evident. Within hours of the invasion, they deployed destructive malware against the KA-SAT satellite network (operated by Viasat), disrupting communications for tens of thousands of terminals across Europe. This attack affected not only Ukrainian military communications but also civilian infrastructure, including wind turbines in Germany that relied on the satellite network for remote monitoring and control.\r\nThroughout 2022 and beyond, ELECTRUM developed and deployed numerous custom capabilities:\r\n• CaddyWiper – Deployed against Ukrainian organizations in March 2022, designed to render systems inoperable by irreversibly destroying data\r\n• Industroyer2 – A refined version of their 2016 CRASHOVERRIDE malware, discovered in April 2022 before it could be used to disrupt electrical operations in Ukraine\r\n• Living-off-the-land scripts – Custom PowerShell and batch scripts targeting automation systems, designed to avoid detection while achieving operational effects\r\nThese operations demonstrated ELECTRUM’s ability to sustain multiple lines of effort: developing ICS-specific capabilities, creating destructive malware to complicate recovery, and adapting their tactics based on the operational environment.\r\nMore recently, their operations have begun to widen beyond Ukraine, acting directly and through hacktivist personas, affecting exposed infrastructure across multiple sectors. The targeted systems have not always been as large as in previous operations, but they have demonstrated a pattern of exploiting vulnerable environments to maintain operational tempo and generate psychological effects.\r\nFor a comprehensive analysis of ELECTRUM’s decade-long campaign targeting critical infrastructure, including detailed technical analysis of the 2015 and 2016 Ukraine power grid attacks and the development of purpose-built ICS malware such as CRASHOVERRIDE and Industroyer2, read Dragos’s full ELECTRUM threat intelligence report: ELECTRUM and KAMACITE: Ten Years of Adversary Tradecraft in ICS Operations.[3]\r\nTargeted Systems\r\nElectrical networks were not originally designed for distributed renewable energy systems. These new energy sources have been overlaid onto existing infrastructure. Network operators work to facilitate new connections, but demand exceeds the rate at which sites can be added. This creates pressure to implement solutions quickly, sometimes with compromises that can be managed through visibility and control.\r\nRTUs standardize how distributed sites interface with control centers, enabling operators to manage large numbers of remote facilities from a single SCADA system. Within these installations are systems often specified by manufacturers or chosen by system integrators, leading to significant variations in implementation. The technology may be similar across sites, but configurations and applications differ.\r\nThis combination of standardization and variation likely explains both what adversaries achieved and what they failed to accomplish.\r\nIf the RTUs are common and interface similarly with external networks, compromising them becomes repeatable. Even with a variety of vendors, a handful of methods could have a widespread impact. Similarly, if sites share common connectivity infrastructure – the same firewalls with identical vulnerabilities or configurations – adversaries can systematically identify and attack RTUs.\r\nFigure 2: Typical Renewable Energy Infrastructure\r\nHowever, operational control is a different matter. While many of these RTUs have control capabilities, tools like CRASHOVERRIDE or Industroyer2 cannot simply be deployed. CRASHOVERRIDE manipulated four different protocols to achieve the basic function of opening a circuit breaker. Industroyer2 replicated standardized commands between SCADA systems and substation RTUs. The RTUs in distributed energy systems lack this standardization, and each requires unique commands tailored to its specific configuration.\r\nComparing the 2025 Attack to Previous Operations\r\nThe December 2025 attack on Poland’s distributed energy infrastructure represents both continuity and evolution. The attack shares technical similarities with previous ELECTRUM operations, including the use of wipers and targeting of communication infrastructure. However, it demonstrates a shift in targeting strategy.\r\nPrevious attacks focused on centralized control systems managing large portions of the grid – distribution control centers in 2015, a transmission substation in 2016. The Poland attack instead targeted the distributed edge of the grid: the RTUs and communication systems managing dozens of smaller generation sites. This shift reflects the changing nature of electric grids, as countries like Poland add more distributed renewable generation.\r\nWhen compared with the 2015 attack in Ukraine, it shows similar technical tactics, techniques, and procedures, such as wiping Windows devices and damaging exposed serial terminal servers, but lacks the coordinated sequencing that maximized impact in that operation.\r\nThe Poland attack also resembles the 2016 deployment of CRASHOVERRIDE, which contained software flaws, or bugs, suggesting rushed deployment without adequate testing. The adversaries demonstrated an understanding of the equipment but achieved limited impact. Dragos assesses with low confidence that this was due to incomplete preparation rather than a lack of capability.\r\nELECTRUM possesses the skills to develop these site-specific commands, but doing so requires time, testing, and detailed knowledge of each location’s configuration. The attack timeline, from identifying vulnerable infrastructure through planning to execution, may not have allowed for this level of preparation.\r\nDragos assesses with moderate confidence that opportunism was a key factor in the attack. Rather than executing a precisely planned operation with specific outcomes, ELECTRUM exploited whatever opportunities their access provided: wiping Windows-based devices, resetting configurations, or attempting to permanently damage (or brick) equipment. Each location required different manual actions rather than a single automated tool. The attack is more opportunistic than the 2015 or 2016 operations. It appears the operation was rushed, but Dragos cannot make an assessment as to why.\r\nA majority of the equipment targeted in the attack sat outside the direct DER control process – systems related to grid safety and stability monitoring rather than active generation control, though they have the potential to dispatch or curtail outputs. These systems were likely exposed on the same networks that adversaries had accessed. These are not classified as “protection systems” that maintain safe equipment operation, but they provide monitoring functions that support grid stability. The probability of these systems being needed during the brief attack window was low, suggesting that the attacks were intended to disrupt whatever was accessible rather than achieve specific operational outcomes.\r\nPotential Implications for OT/ICS\r\nFrom the direct evidence we have seen and public statements, we know that at least 12 sites were affected, and it is likely at least double this. A scenario where adversaries achieved full operational control could have looked significantly different.\r\nA typical onshore wind farm or CHP facility produces 50-100 MW of energy. Assuming all of these were operating at capacity, they would have been producing around 1.2 GW of energy at the time of the attack. On January 17, 2026, Poland set a consumption record, reaching 30 GW. While 1.2 GW represents only 5 percent of the total supply, the sudden simultaneous loss of this amount of generation would have had a noticeable impact on the system frequency. Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse.\r\nIn all major blackouts of the last decade, frequency has been a critical factor. System operators use a stable frequency to measure the balance between supply and demand. Protection systems automatically shed less critical loads from the system as frequency drops, matching reduced generation with decreased consumption. Other systems monitor the rate of change of frequency (ROCOF) to isolate network sections exhibiting sudden instability. This balance has proven particularly difficult in low-inertia systems with high renewable penetration.\r\nThis attack was unlikely to cause a nationwide blackout in Poland under current conditions. Strong AC interconnection with neighboring countries and spinning thermal generation would have allowed the system to absorb the disruption, though localized outages could have occurred. However, as Poland and other countries reduce spinning reserves during the energy transition, this style of attack could cause more severe consequences. In regions where high renewable penetration and limited thermal backup are already the reality, a coordinated attack disabling 1.2 GW of distributed generation could trigger cascading failures leading to widespread outages.\r\nSmaller DER assets are rarely subject to legislation mandating cybersecurity protections. Under the first iteration of the European NIS directive, the UK set the threshold for inclusion at 2 GW. In the United States, a generation facility must typically exceed 1500 MW to be classified “medium” as part of the Bulk Electric System (BES). Every site affected in the Poland attack falls significantly below these thresholds, yet their coordinated compromise demonstrates the systemic risk that distributed assets can pose when attacked at scale.\r\nFive Critical Controls for OT/ICS Cybersecurity\r\nElectric system asset owners and operators can defend their systems by applying the SANS ICS 5 Critical Controls.[4] Each control addresses specific aspects of OT cybersecurity readiness and resilience and is directly applicable to defending against the access enablement, OT positioning, and execution techniques observed in ELECTRUM operations described in this report.\r\n01. OT/ICS Incident Response\r\nELECTRUM compromised distributed generation sites and deployed wiper malware to impede recovery. This creates a fundamentally different incident response challenge than traditional attacks on centralized infrastructure. When communications to multiple remote sites are lost simultaneously, operators must be prepared to dispatch personnel for manual restoration while assuming that remote access infrastructure and backup systems may be compromised.\r\nIncident response plans for DER environments must address how to prioritize restoration when dozens of sites lose connectivity at once, how to perform forensics when wipers have destroyed evidence on Windows systems and potentially corrupted RTU configurations, and how to detect whether adversaries achieved operational control or only communications disruption when logging may be incomplete. Organizations should prepare incident response procedures and consolidate information about remote sites in case network-based distribution fails during an attack. Additionally, a tabletop exercise (TTX) of the incident response plan should determine which questions will need to be answered and what data needs to be collected ahead of an attack, to make sure the data is available during the incident. Unlike IT incident response, much of the data critical to OT incident response and root cause analysis is transient network data and OT commands. This type of data is covered in Critical Control 3. In this incident, data was not collected and thus unavailable.\r\n02. Defensible Architecture\r\nAdversaries succeeded by exploiting common configurations across multiple sites. Once they understood how to compromise edge devices at one location, they could repeat the attack at scale. This demonstrates why treating each DER site as an independent security zone is critical. If a wind farm’s firewall is compromised, that breach should not provide access to solar sites, CHP facilities, or the broader DER portfolio of assets.\r\nELECTRUM specifically targeted edge systems, such as firewalls, at generation sites. These devices require hardening, monitoring, and the elimination of default credentials. Because DER sites are built rapidly with cost constraints, standardized configurations are common. This becomes a force multiplier for adversaries. Introduce variation in security controls across sites, segment individual sites from each other, and ensure that vendor remote access to one site cannot be leveraged to reach others.\r\n03. OT/ICS Network Visibility \u0026 Monitoring\r\nRTUs and communications infrastructure were compromised without triggering detection at many sites. For distributed generation operators, this means adversaries were moving through networks, accessing devices, and potentially issuing commands without visibility systems recording their actions. When the operation was discovered, limited logging meant incident responders would have difficulty determining whether operational commands were attempted or only communications were disrupted.\r\nDistributed energy networks require continuous, OT-native visibility. Organizations should maintain a comprehensive view of all OT assets, such as RTUs, control systems, engineering workstations, historians, and IT/OT boundary devices, along with the protocols and paths they use. Network monitoring must interpret ICS protocols such as IEC 104, DNP3, and Modbus to detect anomalous control commands, unexpected sources of protocol traffic, and deviations from normal operational behavior. It is also critical to understand the known tactics, techniques, and procedures (TTPs) of adversaries such as ELECTRUM to be able to distinguish those quickly and add critical context for defenders.\r\nCritical detection capabilities for DER operators include monitoring communications between control centers and every remote RTU, identifying patterns indicating multiple sites being accessed in sequence, tracking configuration changes on RTUs and edge devices, and alerting when multiple sites lose communications simultaneously. Without logged network traffic and OT commands prior to an attack, post-incident analysis cannot determine attack scope, techniques used, or whether equipment was manipulated.\r\nAlerts should provide clear context: who initiated an action, which asset was affected, and what control function was invoked. This level of visibility is essential for detecting adversaries who misuse legitimate OT functionality rather than deploying obvious malware.\r\n04. Secure Remote Access\r\nDistributed energy facilities require extensive connectivity for operations, energy trading, maintenance, and vendor support, creating a substantial attack surface that was likely exploited in this case. Unlike centralized power generation, where on-site staff can perform many functions, DER models depend on remote operations. Service level agreements often mandate vendor access to meet availability commitments. This creates numerous access paths across dozens of sites, often using commodity VPN solutions to keep costs down.\r\nEvery remote access path to a DER site is a potential entry point. The systematic compromise demonstrates that adversaries can exploit these paths to move across a distributed portfolio. Organizations must enforce multi-factor authentication across all remote access, maintain comprehensive inventories of who has access to which sites, implement time-bound sessions that expire after specific maintenance windows, and monitor for access patterns like a single credential accessing multiple sites in rapid succession. Treating remote access as an operational convenience rather than critical infrastructure is no longer viable for DER operators.\r\n05. Risk-based Vulnerability Management\r\nThis operation succeeded in gaining repeatable access. When the same firewall model with the same vulnerability or misconfiguration is deployed at multiple generation sites, a single exploit becomes a system-wide compromise. This is the central vulnerability management challenge for distributed generation: standardization that enables operational efficiency also enables adversary scalability.\r\nPay attention to edge systems at generation sites, such as firewalls and virtual private network (VPN) appliances, as these sit at the boundary between the internet and OT networks. A compromised firewall at a wind farm provides direct access to the RTUs that manage turbines. Organizations should maintain an inventory of devices across sites and treat those vulnerabilities as critical. Where rapid patching across dozens of remote sites is operationally challenging, implement compensating controls: enhanced monitoring to detect exploitation attempts, network segmentation to limit what compromised devices can reach, and access restrictions that reduce the attack surface.\r\nReferences\r\n[1] LowCarbonPower - https://lowcarbonpower.org/region/Poland\r\n[2] CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations - https://hub.dragos.com/hubfs/116-Whitepapers/CrashOverride-whitepaper.pdf\r\n[3] ELECTRUM and KAMACITE: Ten Years of Adversary Tradecraft in ICS Operations - https://hub.dragos.com/report/electrum-kamacite-ten-years-of-adversary-tradecraft-in-ics-operations\r\n[4] The Five ICS Cybersecurity Critical Controls - https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls\r\nAbout Dragos\r\nDragos is the world’s leading OT cybersecurity firm headquartered in the Washington DC, USA area with offices around the world. It provides the most effective OT cybersecurity technology for industrial and critical infrastructure to deliver on our global mission: safeguarding civilization. The Dragos Platform provides visibility and monitoring of OT environments for asset identification, vulnerability management, and threat detection with continuous insights generated by the industry’s most experienced OT threat intelligence and services team. Dragos protects customers across the range of operational sectors, including electric, oil \u0026 gas, data centers, manufacturing, water, transportation, mining, and government.\r\nLearn more: dragos.com",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf"
	],
	"report_names": [
		"dragos-2025-poland-attack-report.pdf"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-29T06:58:58.147234Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-29T06:58:57.873095Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-29T06:58:57.491949Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-29T06:58:57.716092Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429272,
	"ts_updated_at": 1777450954,
	"ts_creation_date": 1769676799,
	"ts_modification_date": 1769676800,
	"files": {
		"pdf": "https://archive.orkl.eu/fea90aad4754995611b7cdd7ea8110a4a7472ab2.pdf",
		"text": "https://archive.orkl.eu/fea90aad4754995611b7cdd7ea8110a4a7472ab2.txt",
		"img": "https://archive.orkl.eu/fea90aad4754995611b7cdd7ea8110a4a7472ab2.jpg"
	}
}
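Added example, not part of the Dragos report or of this corpus record: the three detection patterns the report asks DER operators for (one credential reaching multiple sites in rapid succession, multiple sites losing communications at the same time, and RTU configuration writes enriched with who / which asset / what control function) implemented over constructed VPN and OT log lines. The log format, field names, site and RTU identifiers, user names, IP addresses, and the window and threshold values are all assumptions made for the example; nothing here is telemetry from the Polish incident. It serves both the visibility section and the secure remote access section above.

```python
"""Detection logic for the DER patterns described in the report.

Added example with constructed sample logs; not Dragos code or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format: ISO timestamp, event type,
# key=value fields) mirroring what a VPN concentrator, an RTU heartbeat
# monitor and an ICS protocol parser might emit. Names and addresses are made up.
VPN_LOG = """\
2025-12-29T01:02:10Z vpn_login user=vendor_svc site=wind-01 src=203.0.113.7
2025-12-29T01:04:41Z vpn_login user=vendor_svc site=wind-02 src=203.0.113.7
2025-12-29T01:06:05Z vpn_login user=vendor_svc site=solar-07 src=203.0.113.7
2025-12-29T01:09:30Z vpn_login user=vendor_svc site=chp-03 src=203.0.113.7
2025-12-29T06:15:00Z vpn_login user=j.kowalski site=wind-01 src=198.51.100.4
2025-12-29T09:40:00Z vpn_login user=j.kowalski site=wind-02 src=198.51.100.4
"""

OT_LOG = """\
2025-12-29T01:05:12Z rtu_config_write user=vendor_svc site=wind-02 asset=rtu-w02 func=IEC104_C_SE_NA_1 target=breaker_setpoint
2025-12-29T01:07:50Z rtu_config_write user=vendor_svc site=solar-07 asset=rtu-s07 func=MODBUS_WRITE_MULTIPLE_REGISTERS target=inverter_curtail
2025-12-29T01:11:00Z comms_lost site=wind-01 asset=rtu-w01
2025-12-29T01:11:20Z comms_lost site=wind-02 asset=rtu-w02
2025-12-29T01:11:45Z comms_lost site=solar-07 asset=rtu-s07
2025-12-29T01:12:02Z comms_lost site=chp-03 asset=rtu-c03
2025-12-29T14:00:00Z comms_lost site=wind-05 asset=rtu-w05
"""


def parse(log):
    """Turn the constructed line format into dicts with a datetime 'ts' and a 'kind'."""
    events = []
    for line in log.strip().splitlines():
        ts, kind, *kv = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        ev.update(dict(pair.split("=", 1) for pair in kv))
        events.append(ev)
    return events


def load_events():
    """Merge both sources into one time-ordered stream."""
    return sorted(parse(VPN_LOG) + parse(OT_LOG), key=lambda e: e["ts"])


def detect_site_sweep(events, window=timedelta(minutes=15), min_sites=3):
    """One credential reaching >= min_sites distinct sites inside `window`.

    Covers both 'multiple sites accessed in sequence' and 'a single credential
    accessing multiple sites in rapid succession'. Window and threshold are assumed.
    """
    logins = defaultdict(list)
    for e in events:
        if e["kind"] == "vpn_login":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        best = []
        for i in range(len(evs)):  # try each login as the start of a window
            sites = []
            for e in evs[i:]:
                if e["ts"] - evs[i]["ts"] > window:
                    break
                if e["site"] not in sites:
                    sites.append(e["site"])  # preserves the order of access
            if len(sites) > len(best):
                best = sites
        if len(best) >= min_sites:
            alerts.append({"rule": "credential_site_sweep", "user": user, "sites": best})
    return alerts


def detect_comms_loss_cluster(events, window=timedelta(minutes=5), min_sites=3):
    """>= min_sites distinct sites losing communications within `window` of each other."""
    lost = [e for e in events if e["kind"] == "comms_lost"]
    alerts, i = [], 0
    while i < len(lost):
        j, sites = i, []
        while j < len(lost) and lost[j]["ts"] - lost[i]["ts"] <= window:
            if lost[j]["site"] not in sites:
                sites.append(lost[j]["site"])
            j += 1
        if len(sites) >= min_sites:
            alerts.append({"rule": "multi_site_comms_loss",
                           "first_seen": lost[i]["ts"].isoformat(), "sites": sites})
        i = j  # a lone loss (e.g. one site's link flap) produces no alert
    return alerts


def enrich_config_writes(events):
    """Give each RTU configuration write the context the report asks for:
    who acted (and from which remote session), which asset, which control function."""
    out = []
    for e in events:
        if e["kind"] != "rtu_config_write":
            continue
        session = None  # most recent login by that user to that site before the write
        for s in events:
            if (s["kind"] == "vpn_login" and s["user"] == e["user"]
                    and s["site"] == e["site"] and s["ts"] <= e["ts"]):
                session = s
        out.append({
            "who": e["user"],
            "session_src": session["src"] if session else "unknown",
            "asset": e["asset"],
            "function": e["func"],
            "target": e["target"],
            "seconds_after_login": int((e["ts"] - session["ts"]).total_seconds()) if session else None,
        })
    return out


if __name__ == "__main__":
    ev = load_events()
    for a in detect_site_sweep(ev) + detect_comms_loss_cluster(ev) + enrich_config_writes(ev):
        print(a)
```

The vendor credential trips the sweep rule because it reaches four sites in under eight minutes, while the operator account visiting two sites hours apart does not; the four-site communications loss that follows the writes is one clustered alert, and the single afternoon loss is ignored. Legitimate maintenance can also touch many sites quickly, so in practice the sweep rule should be suppressed only inside the approved, time-bound maintenance windows the report recommends, and every suppression should itself be logged.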