Poland Power Grid Attack Targets Distributed Energy Facilities

On January 14, 2026, Poland’s Prime Minister Donald Tusk briefed government leaders on a sophisticated cyber attack that occurred on December 29, 2025, targeting operational technology systems at multiple sites across Poland’s electrical grid. The attack targeted distributed energy resources, including wind farms, solar installations, and combined heat and power facilities.

The Polish government’s response demonstrated both transparency and confidence in its defensive measures. Prime Minister Tusk stated that the attack had been thwarted and that the system was never at risk, while acknowledging the need for enhanced IT and OT protection as part of Poland’s implementation of new national resilience measures.

CERT Polska has been leading the investigation and response efforts for this incident. Their work in identifying, containing, and analyzing this threat has been essential to understanding the scope and nature of the attack.

Dragos is involved in an incident response related to this attack and is publishing this analysis to amplify CERT Polska’s efforts by providing additional technical context from an OT perspective. Through our incident response work, Dragos can confirm the seriousness of the attack and assess with moderate confidence that the threat group ELECTRUM is responsible.

This represents the first major coordinated attack targeting distributed energy resources at scale. While Dragos has responded to cybersecurity incidents at individual renewable and distributed generation facilities in the past, those incidents involved single sites or opportunistic compromises. The Poland attack is significant because of the coordinated nature of the attacks across numerous sites simultaneously and the demonstrated intent of a sophisticated adversary to systematically target this infrastructure.

For more complete details on this attack, please download our Intelligence Brief: ELECTRUM: Cyber Attack on Poland’s Electric System 2025.

ELECTRUM, which exhibits technical and operational overlaps with Sandworm, has been responsible for multiple attacks on electrical infrastructure since 2015. The group has demonstrated understanding of electrical grid operations, proficiency with industrial protocols, and the capability to develop both ICS-specific malware and destructive wiper tools. Notable attacks primarily targeted centralized electrical infrastructure: distribution control centers in Ukraine in 2015 and a transmission substation in 2016.

The Poland attack demonstrates a different approach: targeting the distributed edge of the grid through remote terminal units (RTUs) and the communications systems that manage numerous smaller generation sites.

This shift matters because distributed energy resources are being added to grids globally as part of the energy transition. These systems present different security challenges than traditional infrastructure:

  • More numerous sites to secure across wider geographic areas
  • Built with tighter cost margins, often limiting cybersecurity investment
  • Extensive remote connectivity requirements for operations and maintenance
  • Many sites fall below regulatory thresholds designed for larger facilities
  • Standardized configurations across multiple sites can enable repeatable attacks

The Poland attack exploited these characteristics. Adversaries compromised network infrastructure and RTUs by leveraging common connectivity patterns and repeated vulnerabilities across sites.

The attack targeted communication between grid operators and distributed generation facilities. Adversaries gained access to systems that provide visibility and, in some cases, operational control capabilities for connected generation assets.

The compromised systems included Remote Terminal Units (RTUs) that manage site operations, network devices that facilitate telemetry and control, and communications infrastructure connecting sites to control centers.

While the attack did not achieve the coordinated operational impact seen in previous ELECTRUM operations, it demonstrated the adversary’s ability to access OT systems at scale across distributed infrastructure. The nature of the access achieved represents the type of foothold that could enable operational impacts if attackers develop deeper knowledge of specific site configurations or achieve similar access across larger numbers of sites simultaneously.

The Poland attack demonstrates that adversaries are adapting their tactics to target the distributed energy infrastructure being deployed as part of the global energy transition. Organizations managing these assets require OT-native visibility, threat detection, and defensive capabilities designed for distributed operational environments.

Read the full intelligence brief for detailed technical analysis, historical context, and defensive recommendations.

Danielle Gauthier is a Senior Product Marketing Manager for Cyber Threat Intelligence at Dragos. After gaining an interest in digital cultures while studying anthropology at the University of Western Ontario, Danielle Gauthier launched her career in early-stage technology start-ups and found success in product management and product marketing roles starting in 2011. Spending time first at retail marketing and shopper experience technology companies based in Canada, then later specializing in open-source intelligence and threat intelligence products, Danielle is committed to making the world a better and safer place. In her free time, Danielle enjoys spending time with her German Shepherd, kayaking, and foraging mushrooms.