Cybersecurity firm Dragos has blamed Electrum, a threat group linked to Russia’s intelligence service, for a Dec. 29 cyberattack against Poland’s power grid that it said could be a preview of future attempts to compromise critical infrastructure.
The attack occurred Dec. 29 and 30, according to a government statement published Jan. 15, and targeted a system for managing renewable energy sources as well as two combined heat and power plants. Polish Prime Minister Donald Tusk said that “at no point was critical infrastructure threatened,” and no outages occurred as a result of the attack. However, he said, the incident showed Poland’s energy system “requires further strengthening.”
In a report published Jan. 27, Dragos said it was called in by CERT Polska, Poland’s cyber incident response team, to analyze “one of the numerous incidents across the Polish system that are part of this attack.” The firm called the event “the first major coordinated attack targeting distributed energy resources at scale” and said it can “assess with moderate confidence that … Electrum is responsible.”
Electrum is associated with Unit 74455 of Russia’s Main Directorate of the General Staff of the Armed Forces (also known as GRU). Analysts have also dubbed the unit Sandworm and Voodoo Bear, though these may be separate groups within the unit. Unit 74455 is believed to have carried out attacks around the world, including against the Ukrainian grid in 2015 and 2017. (See Six Russians Charged for Ukraine Cyberattacks.)
In its 2024 Year in Review report, Dragos called Electrum one of three active threat groups capable of reaching Stage 2 of SANS Institute’s ICS Kill Chain, meaning “a capability that can meaningfully attack” a target’s industrial control systems. (See Dragos: Attacks on ICS Increased in 2024.)
The December cyberattack targeted systems managing communication and control between grid operators and DERs, meaning both CHP facilities and systems for dispatching renewable energy, Dragos wrote. Through these tactics, the attackers were able to “gain access to operational technology systems with direct connections to generation assets.”
“Taking over these devices requires capabilities beyond simply understanding their technical flaws. It requires knowledge of their specific implementation,” the firm wrote. “The adversaries demonstrated this by successfully compromising [remote terminal units] at multiple sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.”
Although communication was lost, the default behavior of the affected devices was to remain on; this is why no outage occurred. Dragos wrote that because of limited logging of network communications and commands at the affected sites, investigators have not determined whether Electrum tried to issue operational commands to the generation assets.
The firm warned that the Poland attack could indicate a change in adversaries’ tactics to target DER monitoring and control systems. Attackers gained a “foothold that could enable operational impacts, particularly when similar access is achieved across larger numbers of sites simultaneously or if adversaries develop deeper knowledge of specific site configurations.”
Historically, cyberattacks against power grids have required targeting substations or centralized systems, Dragos wrote, citing the Ukraine grid attacks in 2015 and 2016, which involved “large, centralized control points that manage significant portions of the grid.” The global shift from large generation facilities to smaller distributed facilities has opened new attack vectors, leading the firm to warn that “as your DER portfolio grows, so does the attack surface.”
Grid operators don’t just have more points of vulnerability to worry about with DERs; renewable generation facilities also lack the inertia that traditional thermal plants provide, which helps stabilize grid frequency. More than 50% of Poland’s generation fleet is coal-fired plants, Dragos observed, with wind and solar accounting for about 25% of capacity.
The firm suggested the relatively high amount of inertial generation, coupled with strong AC interconnections to neighboring countries, made the attack “unlikely to cause a nationwide blackout in Poland.” But this built-in stability is not guaranteed, the firm warned, particularly in countries pursuing aggressive decarbonization strategies.
Dragos wrote that the Poland attack “represents both continuity and evolution.” Continuity comes from the technical similarities with previous Electrum operations, including the choice of targets and the malware used. The evolution is represented by the change to target “the distributed edge of the grid,” meaning communication systems that enable the compromise of “dozens of smaller generation sites.”
Based on the attackers’ behavior, the firm judged the incident to have been opportunistic rather than “precisely planned … with specific outcomes.” Dragos wrote that Electrum seems to have “exploited whatever opportunities their access provided.” This indicates that the attackers were rushed, but the firm could not determine why.
From direct evidence and public statements, Dragos is certain of at least 12 sites that were affected, and the firm believes the actual total may be at least twice this number, representing as much as 1.2 GW if they had been operating at full capacity. Poland reported record electric consumption of 30 GW on Jan. 17, meaning that if the affected sites had gone down simultaneously and without warning, it could have had a “noticeable impact on the system frequency [of the kind that] have caused cascading failures in other electrical systems.”
The firm recommended that generation owners and operators defend their systems using the SANS Five ICS Cybersecurity Critical Controls:
- Operational technology/ICS incident response: Organizations must have a plan to prioritize restoring connectivity across dozens of sites at once, performing forensics on corrupted systems and detecting the level of control that attackers achieved.
- Defensible architecture: Companies should work to prevent adversaries from using common weaknesses to easily compromise multiple sites at once.
- OT/ICS network visibility and monitoring: Distributed generation operators must ensure they have constant visibility into their systems and the ability to detect abnormal activity.
- Secure remote access: Organizations must ensure remote access is protected through multifactor authentication, automatically expiring logins and other security measures.
- Risk-based vulnerability management: Companies should be aware of vulnerabilities in distributed generation assets and enable rapid patching across all remote sites.