The “coordinated” cyber assault focusing on a number of websites throughout the Polish energy grid has been attributed with medium confidence to a Russian state-sponsored hacking crew often called ELECTRUM.
Operational expertise (OT) cybersecurity firm Dragos, in a brand new intelligence transient revealed Tuesday, described the late December 2025 exercise as the primary main cyber assault focusing on distributed power assets (DERs).
“The assault affected communication and management methods at mixed warmth and energy (CHP) services and methods managing the dispatch of renewable power methods from wind and photo voltaic websites,” Dragos stated. “Whereas the assault didn’t lead to energy outages, adversaries gained entry to operational expertise methods crucial to grid operations and disabled key tools past restore on the web site.”
It is price declaring that ELECTRUM and KAMACITE share overlaps with a cluster known as Sandworm (aka APT44 and Seashell Blizzard). KAMACITE focuses on establishing and sustaining preliminary entry to focused organizations utilizing spear-phishing, stolen credentials, and exploitation of uncovered companies.
Past preliminary entry, the risk actor performs reconnaissance and persistence actions over prolonged intervals of time as a part of efforts to burrow deep into goal OT environments and maintain a low profile, signaling a cautious preparatory part that precedes actions executed by ELECTRUM focusing on the economic management methods.
“Following entry enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling inside operational networks, and performs ICS-specific actions that manipulate management methods or disrupt bodily processes,” Dragos stated. “These actions have included each handbook interactions with operator interfaces and the deployment of purpose-built ICS malware, relying on the operational necessities and targets.”
Put in a different way, the 2 clusters have clear separation of roles and tasks, enabling flexibility in execution and facilitating sustained OT-focused intrusions when situations are beneficial. As lately as July 2025, KAMACITE is claimed to have engaged in scanning exercise towards industrial units situated within the U.S.
Though no follow-on OT disruptions have been publicly reported up to now, this highlights an operational mannequin that isn’t geographically constrained and facilitates early-stage entry identification and positioning.
“KAMACITE’s access-oriented operations create the situations underneath which OT influence turns into potential, whereas ELECTRUM applies execution tradecraft when timing, entry, and danger tolerance align,” it defined. “This division of labor allows flexibility in execution and permits OT influence to stay an possibility, even when it isn’t instantly exercised. This extends danger past discrete incidents and into extended intervals of latent publicity.”
Dragos stated the Poland assault focused methods that facilitate communication and management between grid operators and DER belongings, together with belongings that allow community connectivity, permitting the adversary to efficiently disrupt operations at about 30 distributed technology websites.
The risk actors are assessed to have breached Distant Terminal Items (RTUs) and communication infrastructure on the affected websites utilizing uncovered community units and exploited vulnerabilities as preliminary entry vectors. The findings point out that the attackers possess a deep understanding {of electrical} grid infrastructure, permitting them to disable communications tools, together with some OT units.
That stated, the complete scope of the malicious actions undertaken by ELECTRUM is unknown, with Dragos noting that it is unclear if the risk actor tried to problem operational instructions to this tools or centered solely on disabling communications.
The Poland assault can be assessed to be extra opportunistic and rushed than a exactly deliberate operation, permitting the hackers to make the most of the unauthorized entry to inflict as a lot injury as potential by wiping Home windows-based units to impede restoration, resetting configurations, or trying to completely brick tools. Nearly all of the tools is focused at grid security and stability monitoring, per Dragos.
“This incident demonstrates that adversaries with OT-specific capabilities are actively focusing on methods that monitor and management distributed technology,” it added. “The disabling of sure OT or industrial management system (ICS) tools past restore on the web site moved what might have been seen as a pre-positioning try by the adversary into an assault.”
