A “coordinated” cyberattack targeting multiple sites in the Polish power grid has been attributed to a Russian state-sponsored hacking team known as ELECTRUM.
Operational technology (OT) cybersecurity company Dragos described the activity, which took place in late December 2025, as the first major cyberattack targeting distributed energy resources (DERs) in a new intelligence report published on Tuesday.
“The attack affected communications and control systems at combined heat and power (CHP) facilities and systems that manage the dispatch of renewable energy systems from wind and solar sites,” Dragos said. “Although the attack did not result in power outages, the adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond on-site repair.”
It’s worth pointing out that ELECTRUM and KAMACITE share overlap with a cluster called Sandworm (aka APT44 and Seashell Blizzard). KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploits of exposed services.
Beyond initial access, the threat actor executes reconnaissance and persistence activities over an extended period of time as part of efforts to penetrate deeply into the target OT environment and keep a low profile, indicating a careful preparation phase that precedes actions executed by ELECTRUM targeting industrial control systems.
“After access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploy tooling within operational networks, and perform ICS-specific actions that manipulate control systems or disrupt physical processes,” Dragos said. “These actions include both manual interactions with operator interfaces and deployment of purpose-built ICS malware, depending on operational requirements and objectives.”
Put differently, there is a clear separation of roles and responsibilities between the two groups, which enables flexibility in execution and facilitates continued OT-focused intervention when conditions are favorable. As recently as July 2025, KAMACITE is said to have engaged in scanning activity against industrial equipment located in the US.
Although no follow-on OT disruptions have been publicly reported to date, the scanning activity highlights an operational model that is not geographically constrained and facilitates early-stage access identification and positioning.
“KAMACITE’s access-oriented operations create the conditions under which OT impact becomes possible, while ELECTRUM applies execution tradecraft when timing, access and risk tolerance are aligned,” it explained. “This division of labor enables flexibility in execution and allows the OT effect to remain an option even if it is not immediately exercised. This extends the risk beyond isolated events and into latent risk over longer periods of time.”
Dragos said the Poland attacks targeted systems that facilitate communication and control between grid operators and DER assets, including assets enabling network connectivity, which allowed an adversary to successfully disrupt operations at approximately 30 distributed generation sites.
Dragos assessed that the threat actors breached remote terminal units (RTUs) and communications infrastructure at the affected sites, using exposed network devices and exploited vulnerabilities as initial access vectors. The findings indicate that the attackers have a deep understanding of the electrical grid infrastructure, which allowed them to disable communication devices, including some OT devices.
That said, the full scope of the malicious actions taken by ELECTRUM is unknown, Dragos said, adding that it is unclear whether the threat actor attempted to issue operational commands to the affected devices or simply focused on disabling communications.
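The observable effect described above, communications to RTUs at roughly 30 distributed generation sites going dark in a short period, is something a grid operator's monitoring can detect even when the attacker's intent is unknown. The following is an added example, not code from Dragos or from the report: it parses constructed heartbeat telemetry (the site names, the 60-second heartbeat period, and the log format are assumptions) and distinguishes a coordinated, near-simultaneous loss of communications across several sites from an isolated single-site outage such as scheduled maintenance.

```python
"""Detect coordinated loss of RTU communications across DER sites from heartbeat logs."""
from datetime import datetime, timedelta, timezone

HEARTBEAT = timedelta(seconds=60)      # assumed RTU heartbeat/polling period
MISSED_ALLOWED = 3                     # missed beats before a site counts as offline
CLUSTER_WINDOW = timedelta(minutes=5)  # onsets this close together count as coordinated
MIN_SITES = 3                          # minimum simultaneous losses that trigger an alert


def build_sample_log():
    """Construct synthetic heartbeat lines for six hypothetical DER sites (not real telemetry)."""
    start = datetime(2025, 12, 29, 22, 0, tzinfo=timezone.utc)
    end = start + timedelta(minutes=30)
    # Minute (from start) of each site's last heartbeat; None means the site stays healthy.
    last_beat_minute = {
        "WIND-01": 12, "WIND-02": 13, "SOLAR-03": 13, "CHP-04": 14,  # near-simultaneous loss
        "SOLAR-05": 3,    # isolated early loss, e.g. a maintenance window
        "CHP-06": None,   # stays online for the whole period
    }
    lines = []
    t = start
    while t <= end:
        minute = int((t - start).total_seconds() // 60)
        for site, last in last_beat_minute.items():
            if last is None or minute <= last:
                lines.append(f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {site} HEARTBEAT ok")
        t += HEARTBEAT
    return "\n".join(lines)


def parse_log(text):
    """Parse '<iso-timestamp> <site> HEARTBEAT ...' lines into (time, site) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] != "HEARTBEAT":
            continue  # ignore malformed or unrelated lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, parts[1]))
    return events


def offline_sites(events, now=None):
    """Return {site: outage onset} for sites whose heartbeats stopped before `now`."""
    last_seen = {}
    for ts, site in events:
        if site not in last_seen or ts > last_seen[site]:
            last_seen[site] = ts
    now = now or max(last_seen.values())  # default: end of the observed log
    # Onset is the first heartbeat that should have arrived but did not.
    return {site: ts + HEARTBEAT for site, ts in last_seen.items()
            if now - ts > HEARTBEAT * MISSED_ALLOWED}


def coordinated_losses(onsets):
    """Group outage onsets within CLUSTER_WINDOW of each other; keep groups of MIN_SITES or more."""
    ordered = sorted(onsets.items(), key=lambda kv: kv[1])
    groups, current = [], []
    for site, onset in ordered:
        if current and onset - current[0][1] > CLUSTER_WINDOW:
            groups.append(current)
            current = []
        current.append((site, onset))
    if current:
        groups.append(current)
    return [sorted(site for site, _ in g) for g in groups if len(g) >= MIN_SITES]


if __name__ == "__main__":
    offline = offline_sites(parse_log(build_sample_log()))
    for sites in coordinated_losses(offline):
        print("ALERT: coordinated communications loss at", ", ".join(sites))
```

The isolated outage at SOLAR-05 is reported as offline but does not raise the coordinated alert, while the four sites that go silent within a two-minute span do; in a real deployment the thresholds would be tuned to the fleet's normal heartbeat jitter and to known maintenance schedules.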
It has also been speculated that the Poland attack was more opportunistic and hasty than a precisely planned operation, with the hackers taking advantage of unauthorized access to cause as much damage as possible by wiping Windows-based devices to hinder recovery, resetting configurations, or attempting to permanently brick devices. According to Dragos, most of the affected tools serve grid security and stability monitoring.
“This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation,” it said. “Disabling some OT or industrial control system (ICS) equipment beyond repair at the site could have been viewed by the adversary as an attempt to pre-condition an attack.”