A Russian state-sponsored hacking group known as ELECTRUM has been identified with medium confidence as the perpetrator of the "coordinated" cyberattack that targeted numerous locations throughout the Polish power grid. The late December 2025 activity was the first significant cyberattack targeting distributed energy resources (DERs), according to a new intelligence brief released on Tuesday by operational technology (OT) cybersecurity firm Dragos. According to Dragos, "the attack affected systems managing the dispatch of renewable energy systems from wind and solar sites as well as communication and control systems at combined heat and power (CHP) facilities."
"Adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site, even though the attack did not result in power outages." Beyond initial access, the threat actor engages in long-term reconnaissance and persistence operations in an attempt to blend in with the target OT environments and maintain a low profile. This indicates a meticulous planning stage that comes before ELECTRUM takes action against the industrial control systems.
"ELECTRUM performs operations that bridge IT and OT environments after access enablement, deploying tooling within operational networks and performing ICS-specific actions that manipulate control systems or disrupt physical processes," Dragos stated.
"Depending on the operational needs and goals, these actions have included both the deployment of specially designed ICS malware and manual interactions with operator interfaces." In other words, when conditions are right, the distinct roles and responsibilities of the two clusters, ELECTRUM and the access-focused group KAMACITE, allow for flexibility in execution and sustained OT-focused intrusions. According to reports, KAMACITE has been scanning American industrial devices as recently as July 2025.
This demonstrates an operational model that is not geographically restricted and enables early-stage access identification and positioning, even though no follow-on OT disruptions have been made public to date. Dragos clarified that "KAMACITE's access-oriented operations create the conditions under which OT impact becomes possible, while ELECTRUM applies execution tradecraft when timing, access, and risk tolerance align."
"This division of labor permits flexibility in execution and keeps OT impact an option even if it isn't used right away. This increases risk over extended periods of latent exposure rather than just isolated incidents." According to Dragos, the Poland attack successfully disrupted operations at roughly 30 distributed generation sites by targeting systems that enable communication and control between grid operators and DER assets, including assets that enable network connectivity.
Dragos assesses that the threat actors used vulnerabilities and exposed network devices as initial access vectors to breach the communication infrastructure and Remote Terminal Units (RTUs) at the affected sites.
The findings show that the attackers have a thorough understanding of electrical grid infrastructure, which enabled them to take down some OT devices and other communications equipment. However, Dragos points out that it is unclear whether the threat actor tried to issue operational commands to this equipment or concentrated only on blocking communications, which makes it difficult to determine the full extent of the malicious actions carried out by ELECTRUM. Additionally, Dragos assesses that the Poland attack was more hasty and opportunistic than a well-planned operation: the hackers used their unauthorized access to do as much harm as possible by trying to permanently brick equipment, wiping Windows-based devices to prevent recovery, or resetting configurations.
According to Dragos, most of the equipment is intended for grid safety and stability monitoring. "This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation," the statement continued. "What might have been perceived as an adversary's pre-positioning attempt was transformed into an attack when some OT or industrial control system (ICS) equipment was rendered irreparable at the site."