Coordinated Cyberattack on Poland’s Power Grid Disrupts DER Sites

A detailed look at the late‑December coordinated cyberattack on Poland’s power grid that targeted distributed energy resources, the methods used by the Electrum group, and the broader implications for OT security and emerging AI tools.
28 January 2026, by the TechStora Editorial Board

Overview of the Attack

In late December, a coordinated cyber operation struck multiple distributed energy resource (DER) sites across Poland, including combined heat and power (CHP) facilities and wind‑ and solar‑dispatch systems. Public reports confirm at least 12 affected sites, while Dragos researchers estimate the number to be around 30.

Affected Infrastructure

The compromised assets spanned several critical components:

  • Remote Terminal Units (RTUs) and network edge devices
  • Monitoring and control systems
  • Windows‑based machines used for site management
  • Dispatch and grid‑facing communication platforms

Threat Actor – Electrum

Dragos attributes the campaign, with moderate confidence, to a Russian‑linked threat actor known as Electrum. Although overlapping with the Sandworm (APT44) group, Electrum is identified as a distinct activity cluster.

Attack Techniques

Electrum demonstrated deep knowledge of OT environments, repeatedly compromising similar RTU and edge‑device configurations across sites. Key tactics included:

  • Disabling communications equipment, cutting off remote monitoring and control while allowing generation to continue
  • Corrupting OT/ICS device configurations beyond recovery
  • Wiping Windows systems to erase forensic evidence

Impact and Recovery

While power generation remained uninterrupted, the loss of remote monitoring hampered operational visibility. Some OT devices were rendered inoperable, requiring replacement or extensive re‑configuration. The incident highlights the vulnerability of DER sites that rely on exposed, legacy communication protocols.

Implications for Future OT Security

The attack underscores the need for:

  • Hardening of RTUs and edge devices against unauthorized access
  • Segmentation of OT networks from corporate IT
  • Continuous monitoring for anomalous command‑and‑control traffic
  • Regular patching and firmware updates for legacy equipment
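One concrete form of the "continuous monitoring" point above, written as an added example for this article rather than anything from Dragos or the affected operators: a small Python script that correlates RTU heartbeat loss across sites. The technique described earlier (disabling communications equipment while generation continues) first shows up not as a generation drop but as several sites going silent within minutes of each other, which a per-device timeout alarm alone will not flag as one event. The log format, site and RTU names (chp-01, wind-07, ...), timestamps and thresholds are all constructed assumptions for illustration.

```python
"""Correlate loss of RTU telemetry across DER sites.

Added example, not code from the original article. The heartbeat log
format, the site/RTU names and the thresholds are constructed; a real
deployment would read the poll log of its own SCADA front end.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample: one line per successful RTU poll, UTC timestamps.
# Three sites stop answering after 02:00 while solar-03 keeps reporting.
SAMPLE_LOG = """\
2025-12-29T01:55:00Z site=chp-01 rtu=rtu-a status=ok
2025-12-29T01:55:00Z site=chp-02 rtu=rtu-a status=ok
2025-12-29T01:55:00Z site=wind-07 rtu=rtu-b status=ok
2025-12-29T01:55:00Z site=solar-03 rtu=rtu-c status=ok
2025-12-29T02:00:00Z site=chp-01 rtu=rtu-a status=ok
2025-12-29T02:00:00Z site=chp-02 rtu=rtu-a status=ok
2025-12-29T02:00:00Z site=wind-07 rtu=rtu-b status=ok
2025-12-29T02:00:00Z site=solar-03 rtu=rtu-c status=ok
2025-12-29T02:05:00Z site=solar-03 rtu=rtu-c status=ok
2025-12-29T02:10:00Z site=solar-03 rtu=rtu-c status=ok
2025-12-29T02:15:00Z site=solar-03 rtu=rtu-c status=ok
2025-12-29T02:20:00Z site=solar-03 rtu=rtu-c status=ok
"""


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_heartbeat_per_site(log: str) -> Dict[str, datetime]:
    """Return the most recent successful poll time for each site."""
    last_seen: Dict[str, datetime] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("status") != "ok":
            continue  # only successful polls count as "still reachable"
        ts = parse_ts(ts_text)
        site = kv["site"]
        if site not in last_seen or ts > last_seen[site]:
            last_seen[site] = ts
    return last_seen


def silent_sites(last_seen: Dict[str, datetime], now: datetime,
                 timeout: timedelta) -> Dict[str, datetime]:
    """Sites whose last heartbeat is older than the poll timeout."""
    return {s: t for s, t in last_seen.items() if now - t > timeout}


def coordinated_loss(last_seen: Dict[str, datetime], now: datetime,
                     timeout: timedelta = timedelta(minutes=10),
                     cluster_window: timedelta = timedelta(minutes=5),
                     min_sites: int = 3) -> List[str]:
    """Return the largest group of silent sites whose last heartbeats fall
    within cluster_window of each other, if it has at least min_sites members.

    A single silent site is a maintenance ticket; several going dark together
    is the comms-disabling pattern described in the article and deserves an
    incident, not a device alarm.
    """
    silent = silent_sites(last_seen, now, timeout)
    ordered = sorted(silent.items(), key=lambda kv: kv[1])
    best: List[str] = []
    for _, start in ordered:  # slide a window over the last-seen times
        group = [s for s, t in ordered if start <= t <= start + cluster_window]
        if len(group) > len(best):
            best = group
    return sorted(best) if len(best) >= min_sites else []


def analyze(log: str, now_text: str) -> List[str]:
    """Convenience wrapper: parse the log and evaluate it at time now_text."""
    return coordinated_loss(last_heartbeat_per_site(log), parse_ts(now_text))


if __name__ == "__main__":
    hit = analyze(SAMPLE_LOG, "2025-12-29T02:20:00Z")
    if hit:
        print("coordinated telemetry loss across sites:", ", ".join(hit))
    else:
        print("no coordinated loss detected")
```

The important design choice is the second threshold: `timeout` decides that a site is unreachable, but only `cluster_window` plus `min_sites` turns several unreachable sites into one correlated event. Tune both against normal poll jitter and planned maintenance windows so that routine single-site outages stay quiet.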

Securing Emerging AI Tools

As the Model Context Protocol (MCP) becomes the standard for connecting large language models to tools and data, security teams must extend the same rigor to AI‑driven workflows. Redefining permissions for agentic AI and adopting solutions such as Token Security can help protect both traditional OT environments and the next generation of AI‑enabled operations.