Russian ELECTRUM Group Implicated in December 2025 Cyberattack on Polish Power Grid
In late December 2025, a coordinated cyberattack targeted multiple sites within Poland’s power grid. Cybersecurity firm Dragos has attributed this incident, with medium confidence, to the Russian state-sponsored hacking group known as ELECTRUM. This event marks the first significant cyber assault on distributed energy resources (DERs), highlighting a new frontier in cyber threats to critical infrastructure.
Attack Overview
The cyberattack impacted communication and control systems at combined heat and power (CHP) facilities, as well as systems managing the dispatch of renewable energy from wind and solar sites. Although the attack did not lead to power outages, adversaries gained access to operational technology (OT) systems crucial for grid operations and disabled key equipment beyond repair.
ELECTRUM and KAMACITE: A Coordinated Effort
ELECTRUM operates in conjunction with another Russian state-sponsored group, KAMACITE. Both are linked to the broader Sandworm cluster, also known as APT44 and Seashell Blizzard. KAMACITE specializes in establishing and maintaining initial access to targeted organizations through spear-phishing, stolen credentials, and exploiting exposed services. Once access is secured, KAMACITE conducts reconnaissance and persistence activities, preparing the ground for ELECTRUM’s operations.
ELECTRUM focuses on bridging IT and OT environments, deploying tools within operational networks, and executing actions that manipulate control systems or disrupt physical processes. These actions range from manual interactions with operator interfaces to deploying specialized ICS malware, depending on operational requirements and objectives.
This division of labor between KAMACITE and ELECTRUM allows for flexible execution and sustained OT-focused intrusions when conditions are favorable. As recently as July 2025, KAMACITE engaged in scanning activities against industrial devices in the U.S., indicating a global operational model in which access is identified and positioned early, ahead of any follow-on operation.
Details of the Polish Power Grid Attack
The December 2025 attack targeted systems facilitating communication and control between grid operators and DER assets, including those enabling network connectivity. The adversaries successfully disrupted operations at approximately 30 distributed generation sites.
The attackers are believed to have breached Remote Terminal Units (RTUs) and communication infrastructure at the affected sites by exploiting exposed network devices and vulnerabilities as initial access vectors. The findings suggest that the attackers possess a deep understanding of electrical grid infrastructure, enabling them to disable communications equipment, including some OT devices.
The full scope of ELECTRUM’s malicious actions remains unknown. It is unclear whether the threat actor attempted to issue operational commands to the equipment or focused solely on disabling communications.
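The attack described above cut the communication links between grid operators and roughly 30 DER sites. From a defender's side, a single RTU dropping off the network is routine, but many sites falling silent within the same few minutes is not, and that difference is detectable from ordinary telemetry heartbeats. The following Python script is an added illustration, not code from the article or from Dragos: it replays a constructed heartbeat log (the log format, site names, timestamps and thresholds are all assumptions for the example), flags sites whose loss of contact clusters in time, and leaves an isolated earlier link fault unflagged.

```python
"""Correlated loss-of-telemetry detector for DER site links (added example).

Assumptions (not from the article): each site sends one heartbeat per minute
in the form "<ISO timestamp> <site_id> HEARTBEAT"; a site is "silent" when its
last heartbeat is older than STALE_AFTER; silences are "correlated" when at
least MIN_SITES sites fall silent within one WINDOW.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STALE_AFTER = timedelta(minutes=3)
WINDOW = timedelta(minutes=5)
MIN_SITES = 3


def build_sample_log():
    """Constructed telemetry for the example (not real data). Every site
    heartbeats once a minute from 02:50 and stops after its last minute."""
    last_seen = {
        "chp-01": "02:52",                       # isolated link fault, earlier
        "wind-01": "03:04", "wind-02": "03:04",  # five sites fall silent
        "wind-03": "03:04", "wind-04": "03:04",  # together at 03:04
        "solar-02": "03:04",
        "wind-05": "03:10", "solar-01": "03:10", "solar-03": "03:10",  # healthy
    }
    lines = []
    start = datetime(2025, 12, 29, 2, 50)
    for site, hhmm in last_seen.items():
        hour, minute = map(int, hhmm.split(":"))
        stop = datetime(2025, 12, 29, hour, minute)
        t = start
        while t <= stop:
            lines.append(f"{t.isoformat()} {site} HEARTBEAT")
            t += timedelta(minutes=1)
    return "\n".join(sorted(lines))


def parse_heartbeats(text):
    """Return {site_id: [timestamps]} from the heartbeat log text."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "HEARTBEAT":
            continue  # ignore anything that is not a well-formed heartbeat
        seen[parts[1]].append(datetime.fromisoformat(parts[0]))
    return seen


def silence_onsets(seen, now, stale_after=STALE_AFTER):
    """For each site whose last heartbeat is older than stale_after at `now`,
    return {site_id: time_of_last_heartbeat}."""
    onsets = {}
    for site, stamps in seen.items():
        last = max(stamps)
        if now - last > stale_after:
            onsets[site] = last
    return onsets


def correlated_silence(onsets, window=WINDOW, min_sites=MIN_SITES):
    """Slide a window over silence onsets in time order and return the set of
    sites whose onset shares a window with at least min_sites - 1 others."""
    ordered = sorted(onsets.items(), key=lambda kv: kv[1])
    flagged = set()
    for i, (_, t0) in enumerate(ordered):
        cluster = [site for site, t in ordered[i:] if t - t0 <= window]
        if len(cluster) >= min_sites:
            flagged.update(cluster)
    return flagged


def detect(log_text, now):
    """Full pipeline: parse, find stale sites, keep only correlated ones."""
    return correlated_silence(silence_onsets(parse_heartbeats(log_text), now))


def run_example():
    """Run the detector over the constructed log as of 03:10."""
    return detect(build_sample_log(), datetime(2025, 12, 29, 3, 10))


if __name__ == "__main__":
    for site in sorted(run_example()):
        print(f"ALERT correlated loss of telemetry: {site}")
```

On the constructed log the detector reports the five sites that went quiet together at 03:04 and ignores chp-01, whose link failed twelve minutes earlier on its own. The thresholds are the part a practitioner tunes: the window should be shorter than the normal spread of unrelated link faults, and the site count should sit above what routine maintenance ever takes offline at once.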
Implications and Observations
The attack on Poland’s power grid appears to have been more opportunistic and rushed than a precisely planned operation. The hackers took advantage of unauthorized access to inflict as much damage as possible by wiping Windows-based devices to impede recovery, resetting configurations, or attempting to permanently disable equipment. The majority of the targeted equipment was related to grid safety and stability monitoring.
This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation. The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site escalated what could have been seen as a pre-positioning attempt into a full-fledged attack.
Conclusion
The December 2025 cyberattack on Poland’s power grid underscores the evolving nature of cyber threats to critical infrastructure. The collaboration between groups like KAMACITE and ELECTRUM highlights the sophisticated and coordinated efforts by state-sponsored actors to infiltrate and disrupt essential services. This incident serves as a stark reminder of the need for robust cybersecurity measures and vigilance in protecting critical infrastructure from emerging cyber threats.