Executive Summary
In late December 2025, a coordinated cyberattack targeted Poland’s distributed energy resource (DER) sites, including combined heat and power, wind, and solar dispatch facilities. The attackers, identified as the Russian-linked Electrum (overlapping with APT44/Sandworm), exploited misconfigurations and exposed operational technology, corrupting or destroying key OT and Windows systems at nearly 30 sites. While no electrical outages were reported and power generation largely continued, remote monitoring and control capabilities were disabled and some equipment rendered inoperable, exposing critical vulnerabilities in Poland’s decentralized energy grid.
This incident highlights a significant evolution in threat actor tactics toward industrial systems, specifically targeting the backbone of modern hybrid energy infrastructure. Increased focus on OT security, zero-trust segmentation, and resilient operational controls is crucial as sophisticated groups continue probing for weaknesses in vital infrastructure globally.
Why This Matters Now
The attack on Poland’s energy grid demonstrates the growing risk to critical infrastructure from state-sponsored hacking groups. As more countries adopt distributed and renewables-based energy models, adversaries are escalating their use of wipers and disruptive malware to target essential services, making robust OT defenses and incident response planning more urgent than ever.
Attack Path Analysis
Attackers linked to the Electrum group initially exploited exposed and vulnerable network edge devices and operational technology (OT) systems at multiple distributed energy resource sites. After gaining access, they escalated their privileges by manipulating RTU and Windows-based device configurations to obtain deeper system control. They moved laterally across similar configurations and sites, compromising additional RTUs and edge devices. Once established, the attackers maintained command and control by disabling critical communications equipment and leveraging persistent access across sites. Although no significant data exfiltration was reported, the focus was on destructive actions, leading to the deployment of wiper malware and wiping of Windows systems. The attack resulted in the irreversible corruption of OT device configurations and loss of remote monitoring and control, aiming for operational disruption rather than data theft.
Kill Chain Progression
Initial Compromise
Description
Exploitation of exposed or vulnerable OT/IT systems (network edge devices, RTUs, Windows machines) enabled initial unauthorized access.
Related CVEs
CVE-2020-1472
CVSS 5.5
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, allowing them to run a specially crafted application on a device on the network.
Affected Products:
Microsoft Windows Server – 2008 R2, 2012, 2012 R2, 2016, 2019
Exploit Status:
exploited in the wild
CVE-2021-27065
CVSS 7.8
A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly handle objects in memory.
Affected Products:
Microsoft Exchange Server – 2013, 2016, 2019
Exploit Status:
exploited in the wild
CVE-2022-30190
CVSS 7.8
A remote code execution vulnerability exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Word.
Affected Products:
Microsoft Windows – 7, 8.1, 10, 11, Server 2008, Server 2012, Server 2016, Server 2019, Server 2022
Exploit Status:
exploited in the wild
CVE-2023-42793
CVSS 9.8
An authentication bypass vulnerability in JetBrains TeamCity allows an unauthenticated attacker to gain administrative control over the server.
Affected Products:
JetBrains TeamCity – < 2023.05.4
Exploit Status:
exploited in the wild
CVE-2023-38831
CVSS 7.8
A remote code execution vulnerability exists in WinRAR when processing specially crafted archive files.
Affected Products:
RARLAB WinRAR – < 6.23
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
These ATT&CK techniques reflect probable attacker procedures in ICS/OT wiper intrusions, covering initial access, device manipulation, impact, and defense evasion stages per MITRE ATT&CK for ICS and Enterprise. Expandable in future enrichment.
Exploit Public-Facing Application
Module Firmware
Service Stop
Data Destruction
Data Manipulation: Stored Data Manipulation
Modify Controller Tasking
Loss of Safety
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)(c)(d)(h)
PCI DSS 4.0 – Implement Automated Audit Trails for All System Components
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy, Access Controls, Risk Assessment
Control ID: 500.03, 500.07, 500.09
DORA (EU Digital Operational Resilience Act) – ICT Risk Management; Protection and Prevention
Control ID: Art. 8, 10, 11
CISA Zero Trust Maturity Model 2.0 – Device Security and Network Segmentation
Control ID: Device Security & Network Segmentation (Pillar 3 & 4)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Destructive attacks targeting distributed energy resources, wind/solar dispatch systems, and OT infrastructure pose critical threats to energy generation and grid stability operations.
Utilities
Power grid attacks compromising RTUs, network edge devices, and control systems threaten operational continuity, requiring enhanced east-west traffic security and segmentation controls.
Government Administration
Critical infrastructure attacks during winter months demonstrate national security vulnerabilities requiring zero trust segmentation, threat detection, and multicloud visibility across government energy assets.
Industrial Automation
OT/ICS systems face wiper malware threats corrupting device configurations beyond recovery, necessitating encrypted traffic protection and egress security policy enforcement mechanisms.
Sources
- Cyberattack on Polish energy grid impacted around 30 facilities: https://www.bleepingcomputer.com/news/security/cyberattack-on-polish-energy-grid-impacted-around-30-facilities/
- Electrum Targeting Poland's Electric Sector: http://hub.dragos.com/report/electrum-targeting-polands-electric-sector
- Sandworm hackers linked to failed wiper attack on Poland's energy systems: https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
This incident underscores the need for Zero Trust and CNSF measures, as attackers exploited accessible OT/IT edge devices, progressed via privilege escalation, and propagated laterally to disrupt operations. Segmentation, strong identity controls, and egress governance could have detected or hindered unauthorized access, lateral movement, and system-wide damage.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Unauthorized access attempts would have been detected and likely blocked.
Control: Zero Trust Segmentation
Mitigation: Privilege elevation paths would be restricted, reducing attacker ability to gain administrative control.
Control: East-West Traffic Security
Mitigation: Malicious lateral traffic within and between sites would likely be detected and contained.
Control: Multicloud Visibility & Control
Mitigation: Irregular remote access and persistence would be detected; unauthorized channels could be terminated.
Control: Egress Security & Policy Enforcement
Mitigation: Egress controls would have detected and blocked attempts to exfiltrate data or reach out to external C2 endpoints.
Destructive impact may have been reduced if earlier controls constrained the attacker's reach and persistence.
Impact at a Glance
Affected Business Functions
- Energy Generation
- Grid Monitoring
- Remote Control Operations
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and least privilege across all OT and IT environments, isolating critical workloads and restricting movement.
- Apply east-west traffic security to monitor and restrict lateral movement between distributed energy sites and systems.
- Enforce strong egress controls and policy enforcement to block communication with unauthorized command-and-control infrastructure.
- Deploy inline IPS and real-time traffic inspection to detect and block known exploit and wiper malware patterns targeting OT/IT assets.
- Centralize visibility, incident detection, and anomaly response across cloud, hybrid, and on-prem environments to accelerate response and containment.
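The two controls that the Attack Path Analysis and the recommendations above lean on most, east-west restriction between sites and an egress allowlist, can be expressed as a simple policy check over flow records. The following is an added example written for this page, not code from the report or from any vendor product it names. The address plan (one /24 per DER site, a separate central SCADA segment, 10.0.0.0/8 as the only internal space), the allowlisted external endpoint, the flow-record format and the flow lines themselves are all constructed assumptions; the point is the decision logic, which flags site-to-site traffic that bypasses the central segment, traffic involving hosts that are not in the inventory, and egress to anything outside the allowlist.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not from the report): every DER site
# owns its own /24 and the central SCADA/monitoring segment is separate.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SEGMENTS = {
    "central-scada": ipaddress.ip_network("10.0.0.0/24"),
    "site-a-chp":    ipaddress.ip_network("10.10.1.0/24"),
    "site-b-wind":   ipaddress.ip_network("10.10.2.0/24"),
    "site-c-solar":  ipaddress.ip_network("10.10.3.0/24"),
}
# Policy 1 (east-west): a site talks only to central SCADA, never to another site.
# Policy 2 (egress): internal hosts reach only allowlisted external addresses.
# The allowlisted address is a constructed placeholder (documentation range).
EGRESS_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}


@dataclass
class Finding:
    rule: str
    ts: str
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> Optional[str]:
    """Return the inventory segment an address belongs to, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def evaluate(flow: dict) -> Optional[Finding]:
    """Apply the segmentation and egress policy to a single flow."""
    src_seg, dst_seg = segment_of(str(flow["src"])), segment_of(str(flow["dst"]))
    base = dict(ts=flow["ts"], src=str(flow["src"]), dst=str(flow["dst"]), dport=flow["dport"])
    if flow["dst"] in INTERNAL:
        # Site-to-site traffic that does not pass through central SCADA is the
        # lateral-movement pattern the report describes between DER sites.
        if (src_seg and dst_seg and src_seg != dst_seg
                and "central-scada" not in (src_seg, dst_seg)):
            return Finding("east-west-site-to-site", **base)
        # An internal endpoint missing from the inventory is a visibility gap.
        if src_seg is None or dst_seg is None:
            return Finding("unmapped-internal-endpoint", **base)
        return None
    # External destination: anything not explicitly allowlisted is a finding,
    # which covers both C2 beaconing and unsanctioned remote access paths.
    if flow["dst"] not in EGRESS_ALLOWLIST:
        return Finding("unapproved-egress", **base)
    return None


def analyze(lines) -> list:
    """Run the policy over an iterable of flow records, returning findings in order."""
    return [f for f in (evaluate(parse_flow(l)) for l in lines if l.strip()) if f]


# Constructed sample flows (not real telemetry). Port numbers are illustrative.
SAMPLE_FLOWS = [
    "2025-12-29T01:00:00Z 10.10.1.20 10.0.0.5 502 tcp",       # site A -> SCADA: allowed
    "2025-12-29T01:02:10Z 10.0.0.5 10.10.2.30 20000 tcp",     # SCADA -> site B: allowed
    "2025-12-29T01:04:00Z 10.10.1.20 10.10.2.30 445 tcp",     # site A -> site B: east-west
    "2025-12-29T01:05:30Z 10.10.2.30 10.10.3.40 3389 tcp",    # site B -> site C: east-west
    "2025-12-29T01:06:00Z 10.10.2.30 198.51.100.7 443 tcp",   # site B -> unknown external
    "2025-12-29T01:07:00Z 10.0.0.5 203.0.113.10 123 udp",     # SCADA -> allowlisted external
    "2025-12-29T01:08:00Z 10.10.9.9 10.0.0.5 22 tcp",         # uninventoried host -> SCADA
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(f"{finding.ts} {finding.rule}: {finding.src} -> {finding.dst}:{finding.dport}")
```

Run stand-alone it reports four findings: the two site-to-site flows, the egress to the non-allowlisted address, and the flow from the uninventoried host. In practice the segment table would be generated from the asset inventory and the records would come from firewall or NetFlow exports, but the rule shape (deny by default, allow only site-to-SCADA and an explicit egress list) is what the recommendations ask for.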

