    Dragos reports Electrum group targets Polish electric system in ‘first major’ distributed energy resources cyberattack

    Industrial cybersecurity firm Dragos disclosed in a research report published Tuesday that a coordinated cyberattack late December on roughly 30 distributed energy sites across Poland’s electric system marks a significant escalation in threats to modern power grids, as adversaries begin targeting wind, solar, and combined heat and power (CHP) assets that are increasingly central to grid operations. While the disruption did not impact the overall electric system, the coordinated intrusion, which Dragos attributed to the Electrum threat group linked to the 2015 and 2016 Ukraine power grid attacks, underscores how the rapid expansion of DER (distributed energy resources) is widening the attack surface, introducing new risks to operational resilience and exposing vulnerabilities in the monitoring and control systems that underpin decentralized energy infrastructure worldwide.

    Marking ‘opportunism’ as a key factor in the attack, Dragos described the incident as the first major cyberattack to directly target distributed energy resources: the smaller wind, solar, and CHP assets increasingly being integrated into power grids worldwide. Representing a strategic shift from previous attacks on centralized control systems to the distributed edge of the grid, the attack resulted in loss of view, loss of control, and DoS (denial-of-service) conditions at affected sites. While no power outages occurred, adversaries gained access to OT (operational technology) systems with control capabilities.

    In its intelligence report titled ‘ELECTRUM: Cyber Attack on Poland’s Electric System 2025,’ Dragos highlighted that “ELECTRUM possesses the skills to develop these site-specific commands, but doing so requires time, testing, and detailed knowledge of each location’s configuration. The attack timeline, from identifying vulnerable infrastructure through planning to execution, may not have allowed for this level of preparation.”

    It stated that what remains unclear is whether Electrum attempted to issue operational commands to this equipment or focused solely on disabling communications. “Due to the limited logging of network communications and OT commands at the affected sites, Dragos cannot definitively determine the full scope of the adversary’s actions. We can confirm that they successfully disabled communications equipment, including some OT devices.”

    CERT Polska has been leading the investigation and response. Dragos was involved in the incident response and published the report to amplify CERT Polska’s efforts with additional OT-specific technical analysis.

    “Through a combination of exposed network devices and exploited vulnerabilities, adversaries compromised Remote Terminal Units (RTUs) and communication infrastructure at the affected sites,” Dragos detailed in the report. “This equipment sits behind defenses that inevitably contain vulnerabilities, whether through misconfigurations, unpatched systems, or exploitable services. Once past those defenses, adversaries encountered RTUs and communications infrastructure that were not designed to withstand sophisticated cyber threats. Taking over these devices requires capabilities beyond simply understanding their technical flaws. It requires knowledge of their specific implementation.” 

    The adversaries demonstrated this by compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically. 

    Dragos mentioned that the Polish government’s response appropriately emphasized that the transmission systems, the backbone of the electric grid, were not compromised. “However, the adversaries did gain access to operational technology systems with direct connections to generation assets. While these systems are not transmission infrastructure, they are important operational systems that could enable a significant impact. In electricity systems, the loss of communications typically does not cause immediate equipment shutdown. When a device loses connectivity, it generally continues operating. It simply cannot be monitored or controlled remotely. This is why the power remained on, which is the primary measure of operational impact for electric grids.” 

    For power system operators managing distributed energy infrastructure, the incident underscores that adversaries with OT-specific capabilities are actively targeting systems used to monitor and control distributed generation. While the attack did not cause power loss, the level of access achieved, combined with the disabling of certain OT and ICS (industrial control system) equipment beyond repair, demonstrates how such footholds could translate into real operational impacts if replicated at scale or paired with deeper knowledge of site configurations.

    On background, Dragos mentioned that Electrum is tracked by other security firms as synonymous with the Sandworm threat actor, although Dragos notes that the two are not fully interchangeable and that not all Sandworm activity can be attributed to Electrum, or vice versa. The group demonstrates deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments. Electrum’s activity reflects a detailed grasp of control workflows, substation operations, and the operational dependencies within electrical systems, enabling the group to produce real-world physical effects. Since 2016, Electrum has continued to expand capabilities specifically aimed at electrical infrastructure.

    It also detailed that the coordinated cyberattack on Ukraine’s power grid in December 2015 became the first publicly confirmed incident to cause power outages, as attackers compromised three distribution operators and disrupted more than 60 substations serving hundreds of thousands of customers through careful planning and a deep understanding of grid operations rather than technically sophisticated tools. The 2015 Ukraine attacks focused on distribution control centers that manage energy flow across regions. 

    By December 2016, the same adversary escalated its tactics by deploying the purpose-built CRASHOVERRIDE (also known as Industroyer) malware against a Ukrainian transmission substation, using multiple OT and ICS protocols to automate attacks on grid equipment. Although the incident was limited to a single substation, the use of protocol-specific malware and a wiper component to impede recovery marked a major escalation in capability and disrupted power for hundreds of thousands of customers during a critical period. In both cases, adversaries sought to disrupt large, centralized control points that manage significant portions of the grid.

    Dragos observed that the December 2025 attack on Poland’s distributed energy infrastructure represents both continuity and evolution. “The attack shares technical similarities with previous Electrum operations, including the use of wipers and targeting of communication infrastructure. However, it demonstrates a shift in targeting strategy. Previous attacks focused on centralized control systems managing large portions of the grid – distribution control centers in 2015, a transmission substation in 2016.” 

    It said that the Poland attack instead targeted the distributed edge of the grid, as the RTUs and communication systems managed dozens of smaller generation sites. This shift reflects the changing nature of electric grids, as countries like Poland add more distributed renewable generation.

    “Rather than executing a precisely planned operation with specific outcomes, ELECTRUM exploited whatever opportunities their access provided: wiping Windows-based devices, resetting configurations, or attempting to permanently damage (or brick) equipment,” Dragos reported. “Each location required different manual actions rather than a single automated tool. The attack is more opportunistic than the 2015 or 2016 operations. It appears the operation was rushed, but Dragos cannot make an assessment as to why.” 

    It added that a majority of the equipment targeted in the attack sat outside the direct DER control process: systems related to grid safety and stability monitoring rather than active generation control, but ones that have the potential to dispatch or curtail outputs. “These systems were likely exposed on the same networks that adversaries had accessed. These are not classified as ‘protection systems’ that maintain safe equipment operation, but they provide monitoring functions that support grid stability. The probability of these systems being needed during the brief attack window was low, suggesting that the attacks were intended to disrupt whatever was accessible rather than achieve specific operational outcomes.”

    Identifying potential OT/ICS implications, Dragos said that the attack disrupted operations at roughly 30 sites without affecting Poland’s overall electric system, but warned that the outcome could have been far more severe if adversaries had gained full operational control. The affected wind and combined heat and power facilities could have collectively produced about 1.5 gigawatts of electricity, and a sudden, simultaneous loss of that generation would have caused noticeable frequency instability, a factor linked to cascading failures and major blackouts in recent years.

    Under current conditions, Dragos assessed that a nationwide blackout in Poland was unlikely due to strong interconnections with neighboring grids and available thermal generation, although localized outages were possible. However, the firm warned that as countries reduce spinning reserves and increase renewable penetration, similar attacks could have much more serious consequences, particularly in low-inertia systems where frequency control is already challenging.

    Dragos also highlighted that most distributed energy resources fall below regulatory thresholds that mandate cybersecurity protections, noting that all of the affected sites in Poland were outside existing requirements. The incident demonstrates how coordinated attacks on smaller, individually insignificant assets can pose systemic risks when targeted at scale.
