Dragos Links Coordinated Polish Power Grid Cyberattack to Russia-Backed ELECTRUM Group

A wave of connected cyber intrusions struck multiple points in Poland’s electricity infrastructure near the end of 2025. Dragos, an industrial control system security firm, assessed with limited certainty that the activity aligns with a Russia-linked group known as ELECTRUM. While attribution is not definitive, the techniques and patterns resemble previous operations tied to the cluster. Investigators also flagged unusual entry routes through third-party maintenance channels, with disruptions occurring amid heightened geopolitical tensions. No major blackouts followed, but systems recorded repeated probing attempts. Response teams moved quickly to isolate affected segments, and attribution was supported by forensic traces left during the breaches. Officials emphasized continued vigilance despite containment. 

At one site, critical hardware was destroyed and left unusable, marking what Dragos described as the first large-scale cyberattack focused on decentralized energy systems such as wind turbines and solar generation connected to the grid. Operational technology used in electricity distribution was accessed without authorization, and systems managing renewable output faced interference even though overall service stayed online. Communication failures also affected combined heat and power facilities. Entry was gained through systems tied to grid stability, with damage remaining localized but irreversible at one location. 

Dragos noted links between ELECTRUM and another group, KAMACITE, with overlaps consistent with the broader Sandworm ecosystem, also tracked as APT44 or Seashell Blizzard. KAMACITE is believed to specialize in initial access, using spear-phishing, stolen credentials, and attacks against exposed public-facing systems. 

After entry, KAMACITE reportedly conducts quiet reconnaissance and persistence in OT environments, creating conditions for later action. Once access is established, ELECTRUM activity is assessed to bridge IT and OT networks, deploying tooling inside operational systems. Actions attributed to ELECTRUM can include manipulating control systems or disrupting physical processes, either through direct operator interface interaction or purpose-built ICS malware depending on objectives. 

Dragos described a division of roles between the clusters that enables long-term access and flexible execution, including delayed disruption. Even without immediate damage, persistent access can create long-term risk. KAMACITE-linked activity also appears geographically unconstrained, with scanning against U.S. industrial systems reported as recently as mid-2025. 

In Poland, attackers targeted systems that connect grid operators with distributed energy resources, disrupting coordination. Roughly three dozen sites experienced operational impact. Investigators said poorly secured network devices and exploited vulnerabilities enabled entry, allowing intruders to reach Remote Terminal Units and move through communications infrastructure. Dragos said the attackers showed strong knowledge of grid systems, successfully disabling communications tools and certain OT components. 

However, the full scope remains unclear, including whether operational commands were issued or whether the focus stayed on communications disruption. Overall, Dragos assessed the incident as more opportunistic than carefully planned, with attackers attempting rapid disruption once inside by wiping Windows systems, resetting configurations, and trying to permanently brick equipment. The hardest-hit devices supported grid safety and stability monitoring. 

Dragos concluded that the damage shows OT intrusions are shifting from preparation into active attacks against systems that manage distributed generation.