Chaos in the Energy Sector: Cyberattack Hits 30 Polish Facilities

An orchestrated assault on Poland’s electricity grid in late December specifically targeted numerous distributed energy resource (DER) locations throughout the nation, including combined heat and power (CHP) facilities as well as wind and solar dispatch systems.

Despite successfully infiltrating operational technology (OT) systems and causing irreparable damage to “critical equipment,” the attackers were unable to disrupt the power supply from the affected sites, which amounts to 1.2 GW, or 5% of Poland’s total energy output.

Publicly available information confirms at least 12 impacted sites, but experts at Dragos, a cybersecurity firm specializing in operational technology (OT) and industrial control system (ICS) security, estimate the actual number to be around 30.

Vulnerabilities and Configuration Issues

Experts at Dragos recently disclosed further details about the cyber assault, emphasizing that the absence of power disruptions should not diminish the severity of the incident but instead serve as a stark reminder of the susceptibility of decentralized energy systems.

“An attack on an electrical grid at any time is reckless, but orchestrating it during the harsh winter months could prove fatal for the civilian population reliant on it,” according to the Dragos report.

“It is concerning that those targeting these systems deliberately choose moments that maximize the impact on civilians.”

With moderate confidence, Dragos attributes the attack to a Russian threat group known as Electrum, distinct from but overlapping with Sandworm (APT44). ESET recently linked APT44 to unsuccessful destructive attempts on Poland’s power grid using the DynoWiper malware.

Electrum has also been associated with other destructive attacks on Ukrainian networks, employing wipers such as CaddyWiper and Industroyer2; the Polish incident indicates an expansion of its operations to additional countries.

Electrum’s targets included vulnerable systems responsible for dispatch and grid communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, as well as Windows-based machines at DER sites.

Sophisticated Attackers

Following an incident response at one of the affected facilities, Dragos observed that the attackers possessed extensive knowledge of the deployment and operation of these devices, consistently compromising similar RTU and edge-device configurations across multiple sites.

Electrum successfully disabled communication equipment at various sites, resulting in a loss of remote monitoring and control capabilities, although power generation remained unaffected.

Several OT/ICS devices were disabled, with their configurations irreparably corrupted, while Windows systems at the sites were wiped clean.

Even if the attacks had disrupted the power supply, the narrow targeting scope would not have been sufficient to trigger a nationwide blackout in Poland.

However, such actions could have led to significant destabilization of the system frequency, potentially causing cascading failures similar to the 2025 Iberian grid collapse, as noted by the researchers.
