Attack on the Polish electricity network reveals the fragility of distributed energy

Published · 5 min read · 148 reads

At the end of December, an orchestrated attack was detected on Poland's electricity infrastructure which, although it did not cause widespread power cuts, left its mark on dozens of decentralized generation facilities. According to the first public reports, at least a dozen sites were affected, including cogeneration plants (CHP) and office systems for wind and solar parks; the specialized firm Dragos, however, estimates that the actual number of sites involved could be close to 30. The compromised capacity added up to around 1.2 GW, approximately 5% of the national energy supply, a figure large enough to cause operational problems had the attack had a different scope or been better synchronized.

The investigators who have analysed the incident agree on a key point: the absence of mass blackouts does not reduce the gravity of the event. What happened was an attack directed at operational technology (OT) components and network control equipment that, in several cases, were irreversibly damaged and had their configuration rendered unusable. In addition, Windows machines were wiped by wiper malware and remote communication with numerous units was interrupted. Losing visibility and remote control over many units spread across the territory is, in itself, an alarm signal about the fragility of decentralized energy systems.

Image generated with AI.

Dragos attributes the operation with moderate confidence to a Russian actor it calls Electrum, a group that shares characteristics with the well-known Sandworm threat (also tracked in reports as APT44) but which, according to analysts, constitutes a group with its own features and campaigns. The malware repertoire associated with these operations includes destructive wipers and tools aimed at interrupting communications and corrupting control devices; examples mentioned by different response teams are families such as DynoWiper, CaddyWiper and Industroyer2, which have been observed in incidents against critical infrastructure in the region. For more technical details on Dragos's research, see its report: Dragos - report on Electrum and the Polish electricity sector; for reading about threats and attacks involving wipers you can visit ESET's coverage and analysis on its research portal: WeLiveSecurity (ESET).

From the operational point of view, the attackers focused on network-facing points and perimeter equipment: remote terminal units (RTU), edge devices, office-related equipment and Windows machines at distributed generation sites. The repetition of techniques and the selection of similar configurations across several facilities indicate that the authors knew well how these assets are deployed and managed. In many locations they managed to disable communications equipment, which cut off monitoring and remote control capability; however, local generation continued to operate autonomously in most cases, avoiding immediate blackouts.

Even so, the risks arising from these intrusions go beyond a possible one-off outage. By interfering with the flow of information and with the role that distributed units play in balancing the load, an attacker could cause frequency deviations in the electrical system. These oscillations, if they reached certain thresholds and combined with failures in other parts of the network, could trigger cascading effects that the energy community itself knows can be catastrophic. Analysts have recalled recent precedents in which frequency variations contributed to regional collapses, and therefore underline the danger of seemingly "small" targets when they are attacked in a coordinated manner.

The research has also shown recurring problems that facilitated intrusion: equipment exposed to the Internet without appropriate protections, default or poorly hardened configurations, lack of effective segmentation between corporate networks and OT, and lack of reliable backups of critical device configurations. These factors are not new, but combined with destructive tools and targeted planning they turn decentralized facilities into very vulnerable targets.


From a practical perspective, the lesson is clear: contemporary energy networks, increasingly distributed by the growth of renewable and modular units, require adapted cyberprotection that includes precise asset inventories, secure copies of configurations, robust segmentation, access management and continuous monitoring covering both OT and IT telemetry. Agencies working in this area, such as the United States Cybersecurity and Infrastructure Security Agency, offer guides and resources on good practice for industrial control systems (CISA - ICS), and in Europe the European Union Agency for Cybersecurity publishes specific recommendations for the energy sector (ENISA).
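An added example, not from the article, Dragos or any operator: a defender-side check in Python that walks a constructed inventory of distributed generation sites, flags units whose remote telemetry has gone silent or whose configuration backup is missing or fails an integrity check, and sums the capacity at risk as a share of supply. The site names, timestamps and the 24 GW supply figure (back-derived from the article's 1.2 GW ≈ 5%) are assumptions.

```python
"""Constructed check: loss of remote visibility and untrustworthy config
backups across distributed sites, aggregated into capacity at risk."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: site id, capacity (MW), last telemetry heartbeat,
# expected SHA-256 of the stored RTU config backup, and the backup bytes on hand.
GOOD_CFG = b"rtu-config-v7\nprotocol=iec104\nstation=42\n"
GOOD_HASH = hashlib.sha256(GOOD_CFG).hexdigest()
NOW = datetime(2025, 12, 30, 12, 0, tzinfo=timezone.utc)  # constructed reference time
SITES = [
    {"id": "chp-01", "mw": 120, "last_seen": NOW - timedelta(minutes=2),
     "cfg_hash": GOOD_HASH, "backup": GOOD_CFG},
    {"id": "wind-07", "mw": 300, "last_seen": NOW - timedelta(hours=6),
     "cfg_hash": GOOD_HASH, "backup": GOOD_CFG},                       # comms down
    {"id": "solar-12", "mw": 80, "last_seen": NOW - timedelta(minutes=1),
     "cfg_hash": GOOD_HASH, "backup": b""},                            # no backup
    {"id": "chp-03", "mw": 60, "last_seen": NOW - timedelta(minutes=3),
     "cfg_hash": GOOD_HASH,
     "backup": b"rtu-config-v7\nprotocol=iec104\nstation=99\n"},       # tampered
]
NATIONAL_SUPPLY_MW = 24_000  # assumption: 1.2 GW ~ 5% of supply per the article


def assess(sites, now=NOW, max_silence=timedelta(minutes=15)):
    """Return {site_id: [issues]} and the MW whose remote control or
    configuration restore path can no longer be trusted."""
    findings, at_risk_mw = {}, 0
    for s in sites:
        issues = []
        if now - s["last_seen"] > max_silence:
            issues.append("telemetry lost")
        if not s["backup"]:
            issues.append("no config backup")
        elif hashlib.sha256(s["backup"]).hexdigest() != s["cfg_hash"]:
            issues.append("config backup fails integrity check")
        if issues:
            findings[s["id"]] = issues
            at_risk_mw += s["mw"]
    return findings, at_risk_mw


def share_of_supply(mw, supply_mw=NATIONAL_SUPPLY_MW):
    """Capacity at risk as a percentage of total supply, two decimals."""
    return round(100 * mw / supply_mw, 2)


if __name__ == "__main__":
    found, mw = assess(SITES)
    for site, issues in found.items():
        print(f"{site}: {', '.join(issues)}")
    print(f"capacity at risk: {mw} MW ({share_of_supply(mw)}% of supply)")
```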

There is also a geopolitical dimension: when such attacks occur at times and under conditions that can affect the civilian population, for example in winter, the potential impact goes beyond the technical and enters the field of national and humanitarian security. This is why the investigation seeks not only to remediate systems, but also to understand the motivations, tactics and chains of compromise in order to prevent new campaigns.

In short, the Polish episode is an uncomfortable reminder: the transition to greener and more distributed networks brings environmental and resilience benefits, but it also exposes new risk vectors if cybersecurity measures are not incorporated from the design stage. Protecting the electricity supply of the future requires technological investment as well as changes in operational management and greater cooperation between operators, manufacturers and authorities.
