
The massive cyberattack that nearly knocked out Poland’s power grid in late December has been attributed to a Russian state-sponsored hacking collective known as Electrum.
- A late-December cyberattack that nearly caused a major blackout in Poland has been attributed to Electrum, a Russian state-linked hacking group associated with Sandworm and past power grid attacks in Ukraine.
- The operation marked the first known large-scale cyberattack focused on distributed energy resources, compromising operational technology at combined heat and power plants and renewable energy management systems without causing outages.
- Polish authorities warn the threat remains severe, noting hundreds of thousands could have lost heating, and are moving forward with stricter cybersecurity regulations and new tools to protect critical energy infrastructure.
On December 29th and 30th, cyberattacks targeted Poland’s energy infrastructure, including two combined heat and power plants and the system that manages renewable energy sources such as wind turbines and photovoltaic farms.
At the time, Polish Prime Minister Donald Tusk said that Russian intelligence services were responsible for the attack, which brought the nation close to a blackout but was ultimately repelled.
Now, in a new intelligence brief, the industrial cybersecurity company Dragos said the coordinated intrusion can be attributed to the Electrum threat group, which is also linked to the 2015 and 2016 attacks on Ukraine’s power grid.
According to Dragos researchers, the late December 2025 incident was the first major cyberattack targeting distributed energy resources at a time when smaller wind, solar, and combined heat and power (CHP) assets are increasingly being integrated into power grids worldwide.
“The attack affected communication and control systems at CHP facilities and systems managing the dispatch of renewable energy systems from wind and solar sites,” Dragos said.
“While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site.”
Dragos researchers explain that even though no power outages occurred, Electrum gained access to operational technology systems with control capabilities. It remains unclear whether the hackers attempted to issue operational commands to the hijacked equipment or focused solely on disabling communications.
Electrum is tracked by other security firms as synonymous with the infamous Sandworm threat actor.
Sandworm is a cyber espionage group that has a history of specializing in destructive attacks and campaigns targeting Internet of Things (IoT) devices. According to the US government and Google Mandiant, it is a unit of the Russian military intelligence agency, GRU.
The group has been most notably linked to disruptive attacks targeting the power grid in Ukraine, the VPNFilter attacks against routers, and the AcidRain campaign against Viasat satellite modems.
However, Dragos notes that the two are not fully interchangeable and that not all Sandworm activity can be attributed to Electrum, or vice versa.
Still, Electrum “demonstrates deep understanding of electrical grid equipment and operations, strong proficiency in the industrial protocols used in power systems, and the ability to develop custom malware and wiper tools across IT and OT environments.”
Polish Prime Minister Donald Tusk said in mid-January that had the December cyberattack been successful, 500,000 people would have been left without heating in the middle of winter.
The threat is going nowhere, so Poland said it was preparing additional security measures, including more stringent requirements for risk management, protection of IT and operational technology systems, and incident response. A new bill is also underway to help equip Polish institutions with tools to protect the grid.