Sandworm Strikes Poland: ICS Equipment Bricked in Power Grid Attack
Overview
A Russian state-sponsored hacking group known as ELECTRUM breached approximately 30 distributed energy generation sites across Poland’s power grid in late December 2025, disabling industrial control system equipment beyond repair. OT security firm Dragos attributed the attack with medium confidence and described it as the first major cyber operation targeting distributed energy resources (DERs), a category of grid assets that has historically received less security attention than centralized power plants.
Technical Details
The ELECTRUM and KAMACITE Division of Labor
ELECTRUM shares significant overlaps with the cluster tracked as Sandworm (also tracked as APT44, and as Seashell Blizzard by Microsoft). What makes this group particularly effective is its operational partnership with another cluster called KAMACITE, which handles initial access through spear-phishing, credential theft, and exploitation of exposed network services.
KAMACITE performs extended reconnaissance and persistence activities, quietly burrowing into target OT environments over weeks or months. Once conditions are favorable, ELECTRUM steps in to execute ICS-specific actions, deploying purpose-built malware, manipulating control systems, or disrupting physical processes. This clear division of labor between access and execution teams gives the operation flexibility. Even when ELECTRUM doesn’t immediately act, KAMACITE’s presence means the capability to cause OT disruption remains latent.
As recently as July 2025, KAMACITE was observed scanning industrial devices in the United States, demonstrating that this operational model is not geographically constrained to Eastern Europe.
What Happened in Poland
The attackers breached Remote Terminal Units (RTUs) and communications infrastructure at the affected sites, gaining initial access through exposed network devices and exploited vulnerabilities. The targets were systems that facilitate communication and control between grid operators and distributed energy resources, including combined heat and power (CHP) facilities and dispatch systems for wind and solar generation.
The threat actors demonstrated deep understanding of electrical grid infrastructure. They disabled communications equipment, wiped Windows-based devices to impede recovery, reset configurations, and attempted to permanently brick OT equipment. The majority of the targeted equipment handled grid safety and stability monitoring functions.
Dragos assessed the attack as more opportunistic and rushed than a precisely planned operation, suggesting the attackers took advantage of existing access to inflict maximum damage when the opportunity presented itself. It remains unclear whether ELECTRUM attempted to issue operational commands to the compromised equipment or focused solely on disrupting communications.
Connection to DynoWiper
Earlier reporting linked the same incident to a previously undocumented wiper malware dubbed DynoWiper, which was deployed alongside the broader destructive activity. The wiper component aligns with ELECTRUM’s history of deploying ICS-tailored destructive tools, including the malware used in the 2015 and 2016 Ukrainian power grid attacks.
Impact
While the attack did not result in power outages, it crossed a significant threshold. Disabling OT equipment beyond repair at operational sites moves this from the category of “pre-positioning” into an actual attack with physical consequences. Destroyed equipment means replacement procurement timelines, supply chain dependencies, and extended outages of monitoring and safety functions.
For enterprises operating distributed generation assets, this incident exposes a blind spot. DERs, including solar installations, wind farms, and CHP facilities, are proliferating rapidly as part of the energy transition, but their cybersecurity posture often lags behind that of traditional centralized generation. Many of these sites use commodity networking equipment and remote access configurations that are easier to compromise than purpose-built SCADA systems in larger facilities.
The attack also underscores a concerning pattern: Sandworm-linked groups continue to refine their ability to cause physical disruption through cyber means. The progression from the 2015 Ukrainian blackout to this operation on a NATO member state’s grid represents a decade of sustained capability development.
For organizations outside the energy sector, the KAMACITE access model is worth paying attention to. The concept of an access team quietly maintaining footholds while a separate execution team waits for the right moment applies well beyond critical infrastructure. Any organization that assumes an intruder will act immediately upon gaining access is underestimating this adversary.
Recommended Actions
- Audit DER communications infrastructure. Identify all RTUs, gateways, and networking equipment connecting distributed energy assets to central dispatch systems. Verify that firmware is current and that default credentials have been changed.
- Segment OT networks from IT networks. Ensure that communication paths between grid operations and corporate IT follow strict segmentation with monitored chokepoints. If an attacker compromises one environment, lateral movement to OT should require additional exploitation.
- Monitor for anomalous access to exposed services. KAMACITE’s initial access relies on exploiting internet-facing devices and stolen credentials. Review VPN configurations, remote access solutions, and any OT management interfaces for unnecessary internet exposure.
- Develop and test recovery playbooks for bricked equipment. If RTUs or communications equipment are wiped or permanently disabled, your team needs a documented plan that includes spare hardware inventory, vendor support contacts, and procedures for restoring configurations from offline backups.
- Implement network detection for ICS protocol anomalies. Deploy monitoring that can identify unusual commands, configuration changes, or communication patterns on protocols like Modbus, DNP3, or IEC 61850 that are used in grid environments.
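The last recommendation asks for detection of anomalous ICS protocol traffic. The following is an added example (not from the original brief or from Dragos) of baseline-and-allowlist checks over Modbus/TCP frames on a mirrored OT segment: it flags traffic from hosts outside the learned baseline, write function codes the baseline does not allow, Diagnostics "Restart Communications" requests, and malformed MBAP headers. The hosts, unit IDs, baseline and captured frames are all constructed.

```python
# Added example (not from the original brief or from Dragos). Hosts, unit IDs and frames are constructed.
import struct

READ_FCS = {1, 2, 3, 4}        # Read Coils / Discrete Inputs / Holding / Input Registers
WRITE_FCS = {5, 6, 15, 16}     # Write Single/Multiple Coil and Register
FC_DIAGNOSTICS = 8
DIAG_RESTART_COMMS = 0x0001    # Diagnostics sub-function "Restart Communications Option"

def parse_modbus_tcp(raw):
    """Return (unit_id, function_code, data) from a Modbus/TCP frame (MBAP header + PDU)."""
    if len(raw) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(raw) - 6:  # length counts unit id + PDU, not the first six bytes
        raise ValueError(f"length field {length} disagrees with {len(raw)}-byte frame")
    return unit, raw[7], raw[8:]

def detect_anomalies(frames, baseline):
    """frames: [(src_ip, raw)]; baseline: {(src_ip, unit_id): allowed FCs}. Returns [(src_ip, reason)]."""
    alerts = []
    for src, raw in frames:
        try:
            unit, fc, data = parse_modbus_tcp(raw)
        except ValueError as e:
            alerts.append((src, f"malformed frame: {e}"))
            continue
        allowed = baseline.get((src, unit))
        if allowed is None:
            alerts.append((src, f"unbaselined source sent fc {fc} to unit {unit}"))
        elif fc not in allowed:
            kind = "write" if fc in WRITE_FCS else "unexpected"
            alerts.append((src, f"{kind} fc {fc} outside baseline for unit {unit}"))
        # A Restart Communications request is device-restart behaviour (ICS T0816): alert on it separately.
        if fc == FC_DIAGNOSTICS and len(data) >= 2 and struct.unpack(">H", data[:2])[0] == DIAG_RESTART_COMMS:
            alerts.append((src, f"diagnostics restart request to unit {unit}"))
    return alerts

# Constructed sample: the dispatch master reads registers (normal); an unbaselined host
# then writes a register, requests a restart, and sends a frame with a bad protocol id.
BASELINE = {("10.10.1.5", 1): READ_FCS}
SAMPLE_FRAMES = [
    ("10.10.1.5", bytes.fromhex("0001000000060103000A0002")),         # FC3 read holding regs
    ("10.10.9.77", bytes.fromhex("0002000000090110000A0001020BB8")),  # FC16 write multiple regs
    ("10.10.9.77", bytes.fromhex("000300000006010800010000")),        # FC8 sub-function 0x0001
    ("10.10.9.77", bytes.fromhex("0004000100060103000A0002")),        # protocol id 1, malformed
]

def run_sample():
    return detect_anomalies(SAMPLE_FRAMES, BASELINE)
```

In a real deployment the baseline would be learned from a quiet period and reviewed with the operations team, since a legitimate configuration push from the dispatch master also looks like a write outside a read-only baseline.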
MITRE ATT&CK Mapping
| Technique ID | Technique Name |
|---|---|
| T0800 | Activate Firmware Update Mode |
| T0879 | Damage to Property |
| T0816 | Device Restart/Shutdown |
| T0826 | Loss of Availability |
| T0831 | Manipulation of Control |
| T0851 | Rootkit |
| T1190 | Exploit Public-Facing Application |
| T1078 | Valid Accounts |
| T1059 | Command and Scripting Interpreter |
Timeline
- 2015: ELECTRUM/Sandworm conducts the first known cyberattack to cause a power outage (Ukraine)
- 2016: Follow-on Ukrainian grid attack using Industroyer malware
- July 2025: KAMACITE observed scanning U.S. industrial devices
- Late December 2025: ELECTRUM breaches ~30 distributed energy sites in Poland
- January 24, 2026: DynoWiper malware details published
- January 28, 2026: Dragos publishes intelligence brief attributing the attack to ELECTRUM
How Codex Can Help
If your organization operates distributed energy resources or critical infrastructure and you want to understand your exposure to threats like ELECTRUM, reach out. Our team can help with:
- OT security assessments to identify gaps in your industrial control system defenses, including network segmentation, remote access configurations, and device hardening
- Incident response planning for ICS/SCADA environments, including tabletop exercises that simulate destructive attacks on operational technology
- Compromise assessments to determine whether threat actors have already established footholds in your OT or IT environments
- Architecture reviews of DER communications infrastructure to ensure proper segmentation between distributed generation assets and central grid operations
We work with energy, manufacturing, and critical infrastructure organizations to reduce risk where it matters most.