ELECTRUM (Sandworm / APT44) – Russia-Linked Cyberattack on Poland’s Power Grid

Published: January 30, 2026

The late December 2025 cyberattack on Poland’s power grid represents a notable escalation in state-sponsored cyber operations targeting critical energy infrastructure within a NATO-aligned country. On January 28, 2026, industrial cybersecurity firm Dragos, alongside other security researchers, publicly attributed the operation with medium confidence to ELECTRUM, a Russia-linked threat cluster associated with the notorious Sandworm (APT44) group.

The incident did not result in a nationwide blackout; however, it exposed systemic weaknesses in distributed energy resource (DER) environments and demonstrated how advanced threat actors can position themselves for future disruptive or destructive operations.

APT Profile: Sandworm (APT44) and the ELECTRUM Cluster

Sandworm, also tracked as APT44, is a Russian state-sponsored advanced persistent threat actor widely linked to Russia’s military intelligence agency (GRU Unit 74455). The group has a long history of conducting cyber operations aligned with geopolitical objectives, including espionage, sabotage, and psychological operations.

The ELECTRUM designation refers to a Sandworm-aligned activity cluster that specializes in targeting energy-sector operational technology (OT) environments. While ELECTRUM shares tooling, infrastructure patterns, and strategic alignment with Sandworm, it is distinguished by its focus on electric grid communications and distributed generation systems.

Attack Overview: December 2025 Poland Energy Incident

The attack occurred in late December 2025 and impacted approximately 30 distributed energy resource sites across Poland. These sites included combined heat and power (CHP) facilities, as well as wind and solar generation systems connected to regional grid operators.

Key Characteristics of the Attack

  • The operation targeted distributed energy resources rather than a single centralized transmission control center.
  • Multiple geographically dispersed sites were accessed through compromised communications infrastructure.
  • Several operational technology devices were rendered inoperable or damaged beyond recovery.
  • No large-scale power outage occurred, but remote visibility and control were significantly degraded.

This marks one of the first publicly documented cyber operations to systematically target DER infrastructure at scale, signaling a shift in adversary focus toward grid-edge systems.

Operational Technology and ICS Compromise

Analysis indicates that attackers gained access to operational technology components, including remote terminal units (RTUs), industrial gateways, and communications devices used to manage energy generation and grid synchronization.

Rather than issuing immediate disruptive commands, the attackers appear to have focused on compromising communications pathways, degrading operator visibility, and positioning themselves within OT environments. This approach aligns with long-term reconnaissance and pre-positioning tactics rather than immediate sabotage.

Tactics, Techniques, and Procedures

Living-Off-the-Land Tradecraft

ELECTRUM relied heavily on living-off-the-land techniques, abusing legitimate system utilities and native OT management functions to avoid detection. This reduced the malware footprint and complicated forensic attribution during live response efforts.

OT-Specific Targeting

  • Exploitation of exposed or poorly segmented OT network interfaces.
  • Abuse of standardized configurations across DER deployments to scale access efficiently.
  • Compromise of monitoring and telemetry channels to suppress operator awareness.

Destructive Capability: DynoWiper

Separate technical investigations identified the use of a destructive malware component referred to as DynoWiper. The wiper irreversibly destroyed system data on affected devices, rendering some OT hardware unusable.

While DynoWiper was not deployed to cause immediate grid-wide disruption, its presence is consistent with Sandworm’s historical use of wipers in Ukraine and elsewhere, signaling credible destructive intent.

Strategic and Geopolitical Implications

Poland’s role as a NATO member and its strategic position in Eastern Europe make its energy infrastructure a high-value target. The timing of the attack—during winter conditions and heightened regional tensions—suggests deliberate strategic signaling.

By targeting DER infrastructure, the attackers demonstrated how future operations could degrade grid stability, complicate emergency response, and exert pressure without triggering immediate kinetic escalation.

Defensive Lessons for Critical Infrastructure Operators

Strengthen IT–OT Segmentation

Operators should enforce strict separation between IT and OT networks, with controlled and monitored data flows across trust boundaries.

Enhance OT Visibility

Deploy OT-aware intrusion detection and anomaly monitoring to identify unusual command sequences, configuration changes, or loss of telemetry.
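As an added illustration of this recommendation (example code written for this page, not tooling from the original post, Dragos, or any operator), the following Python script runs three simple detections over a constructed telemetry feed from hypothetical DER sites: a site whose heartbeats stop arriving (loss of telemetry), one source pushing configuration changes to many sites within seconds (the fan-out pattern that would let an intruder abuse standardized DER configurations at scale), and configuration changes outside an assumed maintenance window. The log format, site names, `user=` source field and all thresholds are assumptions chosen for the example.

```python
"""Added example: heuristic OT telemetry monitoring over a constructed log.

Log format, site names, source labels and thresholds are assumptions for
illustration; they are not the article's, Dragos's or any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: "<ISO timestamp> <site> <event kind> <detail>".
# site-02 and site-03 go silent after 02:05, and one source touches the
# configuration of all three sites within ten seconds in the small hours.
SAMPLE_LOG = """\
2025-12-28T02:00:00 site-01 heartbeat ok
2025-12-28T02:00:00 site-02 heartbeat ok
2025-12-28T02:00:00 site-03 heartbeat ok
2025-12-28T02:05:00 site-01 heartbeat ok
2025-12-28T02:05:00 site-02 heartbeat ok
2025-12-28T02:05:00 site-03 heartbeat ok
2025-12-28T02:07:10 site-01 config_change user=eng-laptop
2025-12-28T02:07:15 site-02 config_change user=eng-laptop
2025-12-28T02:07:20 site-03 config_change user=eng-laptop
2025-12-28T02:10:00 site-01 heartbeat ok
2025-12-28T02:30:00 site-01 heartbeat ok
"""


def parse_events(text):
    """Parse one event per line into dicts (assumed four-field format)."""
    events = []
    for line in text.strip().splitlines():
        ts, site, kind, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "site": site,
                       "kind": kind, "detail": detail})
    return events


def detect_telemetry_loss(events, max_gap=timedelta(minutes=15)):
    """Sites whose newest heartbeat is older than max_gap, measured against
    the newest event in the feed (so the check works on historical data)."""
    last_seen = {}
    for e in events:
        if e["kind"] == "heartbeat":
            last_seen[e["site"]] = max(last_seen.get(e["site"], e["ts"]), e["ts"])
    now = max(e["ts"] for e in events)
    return sorted(site for site, ts in last_seen.items() if now - ts > max_gap)


def detect_config_fanout(events, window=timedelta(seconds=60), min_sites=3):
    """One source changing configuration on min_sites or more distinct sites
    inside a sliding window: legitimate maintenance rarely looks like this."""
    by_source = defaultdict(list)
    for e in events:
        if e["kind"] == "config_change":
            by_source[e["detail"]].append(e)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sites = {x["site"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(sites) >= min_sites:
                alerts.append((source, sorted(sites)))
                break  # one alert per source is enough
    return alerts


def detect_off_hours_changes(events, start_hour=8, end_hour=18):
    """Configuration changes outside the assumed maintenance window."""
    return [e for e in events
            if e["kind"] == "config_change"
            and not (start_hour <= e["ts"].hour < end_hour)]


def run(text=SAMPLE_LOG):
    """Run every detection and return the findings as one dict."""
    events = parse_events(text)
    return {
        "telemetry_loss": detect_telemetry_loss(events),
        "config_fanout": detect_config_fanout(events),
        "off_hours_changes": [(e["site"], e["ts"].isoformat())
                              for e in detect_off_hours_changes(events)],
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

In a real deployment the heartbeat gap would be judged against wall-clock time and tuned per site, and the source field would come from the gateway or RTU audit log rather than a free-text detail; the point is that loss of telemetry and bursty, synchronized configuration changes are cheap to detect once the feed is collected centrally.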

Prepare for Destructive Scenarios

  • Maintain offline backups of critical OT configurations.
  • Test recovery procedures for bricked or destroyed field devices.
  • Conduct tabletop exercises simulating loss of communications and control.

Threat Intelligence Integration

Incorporate intelligence on Sandworm, ELECTRUM, and related Russian state-linked actors into continuous threat hunting and risk assessments.

The December 2025 cyberattack on Poland’s distributed energy infrastructure, attributed to the Russia-linked ELECTRUM cluster associated with Sandworm (APT44), highlights a dangerous evolution in state-sponsored cyber operations.

Although the attack stopped short of causing a blackout, it demonstrated how advanced adversaries can infiltrate grid-edge systems, degrade operational control, and lay the groundwork for future disruptive or destructive actions. As distributed energy resources become increasingly central to modern power grids, securing OT environments must be treated as a national security priority.
