DERs in the crosshairs: an attack that reveals the vulnerability of the Polish electricity grid


At the end of December 2025, a malicious operation was detected which, while it did not cause massive supply cuts, left a worrying mark on the evolution of industrial cybersecurity: multiple generation facilities distributed across the Polish electricity grid were attacked and, in several cases, some equipment was rendered unusable. According to the analysis published by the OT security specialist Dragos, the campaign is attributed, with medium confidence, to a group linked to the Russian state known as ELECTRUM, which is believed to have worked in tandem with a complementary group called KAMACITE to facilitate access and execution in industrial environments (Dragos report).

What makes this episode unique is the target chosen: distributed energy resources (DERs), such as wind, solar and combined heat and power (CHP) plants. These assets, increasingly present in modernized and decarbonized grids, do not only generate energy; they also depend on communication and control layers that connect them to grid operators. The intrusion affected the communication and control systems that mediate between the operator and these resources, and at approximately 30 locations the attackers managed to degrade or destroy critical equipment on site, according to Dragos (broader analysis of tactics).

Image generated with AI.

The modus operandi described combines two clearly differentiated phases. KAMACITE has focused on opening doors: scanning exposed devices, spear-phishing, stealing credentials and exploiting services visible on the Internet to establish an initial presence. ELECTRUM, for its part, acts once that presence is established, moving between IT and OT networks, deploying specific tools and sometimes manipulating industrial controllers. This division of tasks lets them maintain a latent exposure window for long periods, with the option of carrying out destructive attacks when conditions allow, a practice that extends the risk beyond the specific incident.

In technical terms, the attackers are believed to have taken advantage of exposed network devices and vulnerabilities to compromise remote terminal units (RTUs) and communication infrastructure. The damage described included wiping Windows systems to complicate recovery, resetting configurations and, in some cases, attempting to render equipment physically unusable. Dragos points out that most of the attacked devices were intended for monitoring the safety and stability of the grid, which increases the gravity of the event even though direct operational commands against the plants were not achieved.

While there is no public confirmation that the attackers tried to directly control electrical processes (opening or closing breakers, for example), the mere fact of being able to interrupt communications and knock monitoring equipment out of service already significantly complicates grid management for operators. The episode makes it clear that control over the telemetry and connectivity of DERs is now a risk vector with real consequences for the resilience of the electrical system.

This case also confirms a trend that specialists have pointed out since previous attacks: adversaries with OT capabilities are increasingly interested in distributed energy infrastructure. The lessons of the 2015 attack on the Ukrainian grid remain present in the technical literature and in operational recommendations (Dragos historical analysis). The difference today is that the proliferation of DERs introduces a multitude of points of direct or indirect connection to the grid, which expands the attack surface.

What can the industry take away from this incident? First, that visibility and control over communications between operators and distributed assets must be strengthened: keeping an up-to-date device inventory, identifying which services are exposed to the Internet and applying real segmentation between IT and OT environments is no longer a recommendation but an operational requirement. Second, classic measures such as multifactor authentication, reducing shared credentials and patch hygiene for connected devices remain effective if they are rigorously implemented. In this regard, the guides of bodies such as the US Cybersecurity and Infrastructure Security Agency are a good starting point for operators who need to prioritize actions (CISA resources on ICS), and NIST's detailed technical recommendations provide practical frameworks for protecting control systems (NIST SP 800-82).
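As an added example (not from the article or from Dragos), the following operator-side monitor illustrates the first takeaway above and the loss-of-telemetry scenario the article describes: it reads constructed DER heartbeat records, reports sites that have gone silent, and escalates when many sites go dark within the same short window, the pattern an attack on shared communications would produce rather than an isolated link fault. Site ids, timestamps and thresholds are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry log (not real data): one heartbeat line per DER
# site, formatted "<ISO-8601 UTC timestamp> <site id> <message type>".
SAMPLE_LOG = """\
2025-12-29T21:58:10Z chp-02 HEARTBEAT
2025-12-29T22:00:05Z wind-01 HEARTBEAT
2025-12-29T22:00:21Z wind-02 HEARTBEAT
2025-12-29T22:00:40Z solar-07 HEARTBEAT
2025-12-29T22:00:58Z wind-03 HEARTBEAT
2025-12-29T22:14:30Z chp-02 HEARTBEAT
2025-12-29T22:14:35Z chp-05 HEARTBEAT
"""
NOW = datetime(2025, 12, 29, 22, 15, tzinfo=timezone.utc)  # constructed evaluation time

def parse_heartbeats(log: str) -> dict[str, datetime]:
    """Return the most recent heartbeat time seen for each site."""
    last_seen: dict[str, datetime] = {}
    for line in log.splitlines():
        ts, site, kind = line.split()
        if kind != "HEARTBEAT":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if site not in last_seen or when > last_seen[site]:
            last_seen[site] = when
    return last_seen

def silent_sites(last_seen: dict[str, datetime], now: datetime, timeout: timedelta):
    """Sites whose last heartbeat is older than `timeout` at time `now`."""
    return {s: t for s, t in last_seen.items() if now - t > timeout}

def correlated_cluster(silent: dict[str, datetime], window: timedelta) -> list[str]:
    """Largest group of silent sites whose last heartbeats fall within `window`."""
    # Many sites dropping out almost together points to a shared cause; a lone dropout is more likely a local fault.
    events = sorted(silent.items(), key=lambda kv: kv[1])
    best: list[str] = []
    for i, (_, start) in enumerate(events):
        cluster = [s for s, t in events[i:] if t - start <= window]
        if len(cluster) > len(best):
            best = cluster
    return best

def assess(log: str, now: datetime, timeout: timedelta = timedelta(minutes=5),
           window: timedelta = timedelta(minutes=2), min_sites: int = 3) -> dict:
    """Summarise telemetry loss: silent sites, correlated group and severity."""
    silent = silent_sites(parse_heartbeats(log), now, timeout)
    cluster = correlated_cluster(silent, window)
    severity = "none" if not silent else "high" if len(cluster) >= min_sites else "low"
    return {"silent": sorted(silent), "cluster": sorted(cluster), "severity": severity}
```

With the sample data, four sites stop reporting within one minute while the CHP sites keep sending, so the result is a "high" severity with all four in the correlated cluster.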

Image generated with AI.

There is also an organizational dimension: responding to this type of risk requires close coordination between IT security teams and OT managers, recovery plans that consider the repair or replacement of specialized devices, and simulation exercises that account for the loss of telemetry from DERs. In addition, the supply chain (firmware, communication devices, OEM services) must be subject to stricter controls to reduce the possibility of backdoors or compromised components.

Finally, the absence of blackouts should not be confused with the absence of damage. An attack that causes no visible outages can still destroy assets, increase replacement costs and leave a grid at high risk while the infrastructure is being replaced. The energy industry is entering a new phase in which modernization and digitization must go hand in hand with cybersecurity designed specifically for industrial environments, not adapted from the corporate IT world.

For those who want to dig deeper, Dragos's detailed report on the attack in Poland and its broader report on the activity of ELECTRUM and KAMACITE provide technical details and timelines that help in understanding the scale and sophistication of these operations (attack report, tradecraft report). Keeping one's guard up, investing in specialized detection and strengthening collaboration between operators and authorities will be key to preventing incidents like this from leading to major interruptions in the future.
