
Resilience in Decentralized Energy: Analyzing the Poland Grid Incident

A recent security incident targeting Poland’s renewable energy sector highlights the shifting focus of threat actors toward decentralized infrastructure. This analysis reviews the technical vectors, including edge device vulnerabilities and firmware corruption, and outlines defense strategies for operational technology environments.

Triage Security Media Team

The security incident that hit Poland's energy sector late last year demonstrated the resilience of the country's power grid, but it also set a precedent: it was the first large-scale campaign specifically targeting distributed energy resources (DERs) such as wind turbines and solar farms.

On December 29 and 30, 2025, unauthorized activity was detected across more than 30 renewable energy farms, a private manufacturing company, and a combined heat and power plant. Polish Prime Minister Donald Tusk confirmed that the attempt to disrupt power delivery failed, but the event was described as one of the most significant security challenges the nation has faced in recent years.

CERT Polska published a detailed technical report on the incident on January 30, noting that the destructive measures coincided with a period of severe weather and low temperatures. The activity was designed to degrade systems, though grid stability was maintained.

Attribution analysis by CERT Polska indicates that the infrastructure used in the campaign overlaps significantly with a Russia-aligned threat cluster tracked as Berserk Bear. Other researchers have associated the activity with the actor known as Sandworm.

Industrial security firm Dragos covered the incident in its "Year in Review OT/ICS Cybersecurity Report". Dragos assesses with moderate confidence that the tradecraft aligns with the Electrum threat group, which overlaps with Sandworm.

Threat Activity: Electrum and Kamacite

Dragos research indicates that the Electrum group has operated in conjunction with another cluster, tracked as Kamacite, to affect industrial environments. In this operational model, Kamacite typically secures initial access and persistence, while Electrum executes follow-on actions, including the deployment of destructive capabilities.

"Electrum remains one of the most aggressive and capable OT/ICS-adjacent threat actors in the world," Dragos stated. The firm notes that even when targeting IT infrastructure, Electrum's malware often impacts organizations providing critical operational services, obscuring the boundary between IT and OT. Kamacite’s reconnaissance and access development enable these operations, which can lead to service outages and data loss.

Robert Lee, CEO and co-founder of Dragos, noted that his firm assisted in the incident response. He emphasized the significance of the targeting choice: this event marks the first major coordinated effort against DERs. As renewable sources like wind and solar comprise a larger share of global energy portfolios, their security becomes increasingly critical to grid stability.

"If 25% of your electric system is wind farms and somebody goes after them, it can be really impactful to you," Lee observed. "This is the first time ever that there was an attack coordinated across a bunch of these different DER sites."

Despite the scale of the targeting, Lee confirmed there was no evidence that the threat actors achieved full control over the DERs or attempted to mis-operate the machinery. The power supply remained uninterrupted. Lee suggested that Poland's energy mix, which relies less heavily on DERs than some other nations, contributed to the grid's resilience.

"If this same style of attack happened in the US or Australia or certain parts of Europe such as the Nordics where they're very much more DER heavy, it would have been potentially catastrophic for the system," Lee said.

Regarding attribution, Lee acknowledged the variance in nomenclature—Sandworm, Electrum, Berserk Bear—noting that different research teams use varying confidence levels and datasets, though they broadly point toward similar origins.

Strengthening OT Defenses

This incident serves as a case study for the vulnerabilities inherent in modern energy grids. On February 10, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert discussing the security gaps in the Operational Technology (OT) sector revealed by the event.

CISA and CERT Polska identified that the threat actors gained initial access through vulnerable Internet-facing edge devices before deploying wiper malware that targeted remote terminal units (RTUs).

"The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices," CISA reported. "While the affected renewable energy systems continued production, the system operator could not control or monitor them according to their intended design."
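The loss of view CISA describes is easy to miss when each site raises its own alarm and nobody correlates them. The following Go program is an added example, not code from CISA, CERT Polska or Dragos: it parses a constructed poll log in a hypothetical "timestamp site ok|timeout" format (real historian or SCADA exports will look different), works out which DER sites have not answered within a staleness window, and flags a coordinated event when the fleet-wide count of silent sites reaches a threshold. The site names, timestamps and thresholds are all invented for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PollResult is one poll of a DER site from the distribution system
// operator's side: which site, when, and whether it answered.
type PollResult struct {
	Site string
	At   time.Time
	OK   bool
}

// ParsePollLine parses the constructed, hypothetical poll-log format
// "<RFC3339 timestamp> <site> <ok|timeout>". Adapt it to the real schema.
func ParsePollLine(line string) (PollResult, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return PollResult{}, fmt.Errorf("malformed poll line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return PollResult{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return PollResult{Site: f[1], At: at, OK: f[2] == "ok"}, nil
}

// SilentSites returns, sorted by name, every site whose most recent
// successful poll is older than maxAge at time now. A site that appears in
// the log but never answered has a zero last-good time and is always silent.
func SilentSites(results []PollResult, now time.Time, maxAge time.Duration) []string {
	lastGood := map[string]time.Time{}
	seen := map[string]bool{}
	for _, r := range results {
		seen[r.Site] = true
		if r.OK && r.At.After(lastGood[r.Site]) {
			lastGood[r.Site] = r.At
		}
	}
	var silent []string
	for site := range seen {
		if now.Sub(lastGood[site]) > maxAge {
			silent = append(silent, site)
		}
	}
	sort.Strings(silent)
	return silent
}

// Analyze parses the log, finds silent sites and decides whether the
// fleet-wide count reaches threshold. One silent turbine controller is a
// maintenance ticket; many going dark in the same window is an incident.
func Analyze(lines []string, now time.Time, maxAge time.Duration, threshold int) ([]string, bool, error) {
	var results []PollResult
	for _, l := range lines {
		r, err := ParsePollLine(l)
		if err != nil {
			return nil, false, err
		}
		results = append(results, r)
	}
	silent := SilentSites(results, now, maxAge)
	return silent, len(silent) >= threshold, nil
}

// SampleLog is constructed data, not a real capture: four wind farms polled
// every five minutes, three of which stop answering within ten minutes.
var SampleLog = []string{
	"2025-12-29T22:00:00Z wf-01 ok",
	"2025-12-29T22:00:00Z wf-02 ok",
	"2025-12-29T22:00:00Z wf-03 ok",
	"2025-12-29T22:00:00Z wf-04 ok",
	"2025-12-29T22:05:00Z wf-01 ok",
	"2025-12-29T22:05:00Z wf-02 timeout",
	"2025-12-29T22:05:00Z wf-03 timeout",
	"2025-12-29T22:05:00Z wf-04 ok",
	"2025-12-29T22:10:00Z wf-01 ok",
	"2025-12-29T22:10:00Z wf-02 timeout",
	"2025-12-29T22:10:00Z wf-03 timeout",
	"2025-12-29T22:10:00Z wf-04 timeout",
}

func main() {
	now := time.Date(2025, 12, 29, 22, 12, 0, 0, time.UTC)
	silent, coordinated, err := Analyze(SampleLog, now, 6*time.Minute, 3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("silent sites: %v, coordinated loss of view: %v\n", silent, coordinated)
}
```

The threshold is the important design choice: it should be set well below the number of sites whose loss would matter to the balancing area, and the alert should fire from the operator's own polling records, since the HMIs at the sites are exactly what the attackers wiped.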

To protect against similar vectors, CISA advises OT operators to prioritize the following mitigations:

  • Firmware Verification: Apply updates that add firmware verification to field devices, so that an RTU or controller refuses an unsigned or tampered image rather than booting corrupted firmware.

  • Credential Management: Immediately replace default passwords on edge devices and enforce requirements for integrators and suppliers to do the same. The agency noted that the threat actors utilized default credentials to pivot from edge devices to HMIs and RTUs.

  • Incident Response Planning: Develop plans that explicitly address operations during a loss of integrity in field devices, control logic, or command pathways. This includes establishing clear decision authority and conducting tabletop exercises.
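What "firmware verification" on a field device amounts to, shown as an added Go example rather than any vendor's or CISA's code: the image layout (a 4-byte magic, a version, a payload length, the payload and a trailing Ed25519 signature) is hypothetical and invented for this demonstration, and the key pair is generated on the fly, whereas a real device would hold only the vendor's public key, ideally in ROM or OTP. The check refuses a truncated image, an image with a single flipped bit, and a validly signed but older image (anti-rollback), which is the property that stops a wiper from replacing good firmware with a corrupted one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, not any vendor's real format:
//   magic[4] | version uint32 BE | payloadLen uint32 BE | payload | sig[64]
// The Ed25519 signature covers magic, version, length and payload, so a
// modified bit anywhere before the signature makes verification fail.
var magic = []byte("FWIM")

const (
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadFormat = errors.New("malformed firmware image")
	ErrBadSig    = errors.New("firmware signature does not verify")
	ErrRollback  = errors.New("firmware version older than installed version")
)

// BuildImage is the vendor-side step: assemble the header and payload and
// sign them with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	img := append(hdr, payload...)
	sig := ed25519.Sign(priv, img)
	return append(img, sig...)
}

// VerifyImage is the device-side step, run before anything is written to
// flash. It checks structure, then the signature, then anti-rollback, and
// returns the version and payload only when all three pass. installed is
// the version currently running on the device.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// Compare in uint64 so an attacker-chosen length cannot overflow.
	if uint64(hdrLen)+uint64(payloadLen)+uint64(sigLen) != uint64(len(img)) {
		return 0, nil, ErrBadFormat
	}
	signed := img[:hdrLen+int(payloadLen)]
	sig := img[hdrLen+int(payloadLen):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	// Anti-rollback: a validly signed but older image is still refused,
	// otherwise an attacker could reinstall a version with a known flaw.
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, img[hdrLen : hdrLen+int(payloadLen)], nil
}

func main() {
	// Demo key pair; on a real device only the public key is provisioned.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := BuildImage(priv, 7, []byte("constructed RTU firmware payload"))
	_, _, err = VerifyImage(pub, good, 6)
	fmt.Println("genuine image:", err)

	corrupt := append([]byte{}, good...)
	corrupt[20] ^= 0x01 // one bit flipped inside the payload
	_, _, err = VerifyImage(pub, corrupt, 6)
	fmt.Println("corrupted image:", err)

	old := BuildImage(priv, 5, []byte("older, validly signed payload"))
	_, _, err = VerifyImage(pub, old, 6)
	fmt.Println("rollback image:", err)
}
```

Note the order of checks: the length field is validated against the actual image size before it is used to slice, and nothing in the header is trusted until the signature over the whole of it has verified. Version is compared only after that, so an attacker cannot trigger a rollback decision with an unsigned header.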

Dragos also recommended ensuring defensible architecture through strict authorization practices, network segmentation between IT and OT, secure remote access governance, and comprehensive ICS network visibility.