In today’s bulletin, Charlie discusses the cyber incident on the Polish Grid last December, and gives an insight into the similarities to recent attacks in Ukraine.

I have wanted to research and write about this event for some time, and this week seems ideal. Aside from the attacks on the Ukrainian Grid in 2015 and 2016, this is among the most significant assaults on utilities in Europe, particularly because it was a coordinated, large-scale attack across multiple sites, and it underscores our vulnerabilities to such threats.

I am sure that all of us are very aware of the impact that power failures have on society and ourselves personally. Life quickly comes to a halt, and everything from lights, fridge freezers, the internet, and entertainment comes to a shuddering stop; and that’s just the personal or family impact. The effect on society would be much larger and more widespread. Luckily, in the UK, we haven’t experienced any large-scale, prolonged power cuts, so most of us are unprepared for their impact.

The attack in Poland is a wake-up call, highlighting the need to harden our critical infrastructure; we, personally and organisationally, should also consider how we would deal with a prolonged power outage. We saw the impact of a grid collapse in the Iberian Peninsula last year, and that was not deliberate, so a determined, knowledgeable and persistent adversary could have an even larger impact.

These are the key facts and impacts of the attack:

  1. The attack took place on the 29th and 30th of December 2025 and targeted a series of Polish wind farms, solar farms, and two combined heat and power (CHP) plants which supply heat to nearly half a million customers in Poland. The attacks occurred during a period of low temperatures in Poland and during the holiday period, shortly before the New Year. [1]
  2. Simultaneously, on 29 December, there was an attack which attempted to disrupt the operations of a manufacturing sector company site using the same tools and techniques as the attacks on the renewable and CHP sites.
  3. The incident affected both IT and physical industrial equipment (OT) systems, which, according to the Polish Government Energy Sector Incident Report, is rarely observed in publicly reported attacks to date.
  4. This attack ties in with the ‘Zatyazhnoy konflikt’ campaign of hybrid warfare waged by Russia against the West: a series of low-level attacks, sabotage, and airspace violations, none of which alone is significant enough to trigger NATO Article 5, but which together produce a series of minor impacts.
  5. The attack didn’t impact the stability of the Polish grid or have a major impact on electricity generation, but some grid control equipment was disabled beyond repair.
  6. Whereas the attacks on the Ukrainian grid in 2015 and 2016 targeted the central control of the grid, this attack was on the peripheral part of the grid where renewables were connected. Often, there is pressure from renewable providers on grid owners to connect new facilities, which can lead to hurried installation and a higher risk of misconfiguration and security shortcuts. The attack on the periphery may also indicate that grid control has been strengthened, making it more difficult to attack.
  7. The attacks were announced by Poland’s Prime Minister Donald Tusk on 14 January 2026, but were not considered serious enough to trigger Article 5 of NATO’s charter.
  8. The attack impacted the renewables connected through the Grid Collections Point (GCP), which joined the solar farm and wind turbines to the transmission grid. The attack disabled the monitoring and supervisory control of the substation, meaning it could no longer be monitored by grid control. It is not known whether the attackers tried to manipulate power flow by sending control commands to the GCP, as the controllers were wiped. Sending controls to the grid system is difficult to achieve, as there is a wide variety of types and manufacturers of grid control equipment; separate control scripts would have to be written for each type to gain control over them.
  9. ‘The objective of the sabotage (of the CHP plant) was the irreversible destruction of data stored on devices within the organisation’s internal network.’ [2] This was a long-term attack which started in March 2025 and was intended to involve widespread data destruction. ‘In addition to attempts to destroy data on the workstations belonging to the compromised organisation, the attacker also attempted to directly destroy data on disks attached to servers within the infrastructure.’ [2] Luckily, the CHP attack was thwarted, so there was no impact on the delivery of heat to its customers.
  10. According to the report ‘Energy Sector Incident Report – 29 December’ by the Ministry of Digital Affairs of the Republic of Poland, all the attacks were carried out by the same threat actor. Dragos assesses with moderate confidence that the Russian threat group ELECTRUM is responsible. [3] ELECTRUM, which exhibits technical and operational overlaps with Sandworm, has a history of attacks in Ukraine: at the outset, it attacked the KA-SAT satellite network, disrupting communications across Europe beyond Ukraine, and it has conducted other attacks on Ukrainian infrastructure. ESET researchers attributed the attack to the Russia-aligned Sandworm APT with medium confidence, due to a strong overlap with numerous previous Sandworm wiper operations.
  11. The attackers covered their tracks by wiping machines or resetting them to factory configurations. They were able to carry out the attacks at scale because of password reuse across multiple machines and misconfigurations. ‘Through a combination of exposed network devices and exploited vulnerabilities, adversaries compromised Remote Terminal Units (RTUs) and communication infrastructure at the affected sites. This equipment sits behind defences that inevitably contain vulnerabilities, whether through misconfigurations, unpatched systems, or exploitable services. Once past those defences, adversaries encountered RTUs and communications infrastructure that were not designed to withstand sophisticated cyber threats.’ [4]
  12. Electrical networks were not originally designed for distributed renewable energy systems. These new energy sources have been overlaid onto existing infrastructure. Network operators work to facilitate new connections, but demand exceeds the rate at which sites can be added. This creates pressure to implement solutions quickly, sometimes with compromises that can be managed through visibility and control.
  13. ‘Adversaries succeeded by exploiting common configurations across multiple sites. Once they understood how to compromise edge devices at one location, they could repeat the attack at scale.’ This operation succeeded in gaining repeatable access: when the same firewall model with the same vulnerability or misconfiguration is deployed at multiple generation sites, a single exploit becomes a system-wide compromise.
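As an added illustration (not from the bulletin or any of the cited reports), the following Python check reads a constructed fleet inventory of edge devices and flags the two conditions described in items 11 and 13: one admin credential reused across sites, and one firewall model and firmware version deployed at many sites, so that a single exploit or misconfiguration has fleet-wide blast radius. All site names, models and credential hashes are made up.

```python
from collections import defaultdict

# Constructed inventory: one record per edge device per generation site.
# cred_hash stands for a hash of the stored admin credential, never the secret.
INVENTORY = [
    {"site": "WF-01", "model": "VendorA-FW100", "firmware": "3.2.1", "cred_hash": "h1"},
    {"site": "WF-02", "model": "VendorA-FW100", "firmware": "3.2.1", "cred_hash": "h1"},
    {"site": "PV-07", "model": "VendorA-FW100", "firmware": "3.2.1", "cred_hash": "h1"},
    {"site": "PV-09", "model": "VendorB-FW9",   "firmware": "7.0",   "cred_hash": "h2"},
    {"site": "CHP-1", "model": "VendorC-RTU",   "firmware": "1.4",   "cred_hash": "h3"},
    {"site": "CHP-2", "model": "VendorC-RTU",   "firmware": "1.4",   "cred_hash": "h4"},
]


def group_sites(inventory, key_fn):
    """Map each key produced by key_fn to the sorted list of sites sharing it."""
    groups = defaultdict(set)
    for rec in inventory:
        groups[key_fn(rec)].add(rec["site"])
    return {k: sorted(v) for k, v in groups.items()}


def shared_credentials(inventory, min_sites=2):
    """Credential hashes present at min_sites or more distinct sites (item 11)."""
    groups = group_sites(inventory, lambda r: r["cred_hash"])
    return {h: s for h, s in groups.items() if len(s) >= min_sites}


def monoculture_clusters(inventory, min_sites=2):
    """(model, firmware) pairs whose single flaw would reach min_sites or more sites (item 13)."""
    groups = group_sites(inventory, lambda r: (r["model"], r["firmware"]))
    return {k: s for k, s in groups.items() if len(s) >= min_sites}


def blast_radius(inventory):
    """Worst case: sites reachable by one exploit of one device class plus one reused credential.

    Returns (fraction_of_all_sites, sorted sites) for the largest cluster that combines
    a monoculture with a credential reused inside that same cluster.
    """
    all_sites = {r["site"] for r in inventory}
    creds = shared_credentials(inventory)
    worst = []
    for sites in monoculture_clusters(inventory).values():
        for cred_sites in creds.values():
            hit = sorted(set(sites) & set(cred_sites))
            if len(hit) > len(worst):
                worst = hit
    return (len(worst) / len(all_sites) if all_sites else 0.0), worst
```

In the constructed data, the three VendorA sites share both firmware and credential, so one working exploit plus one recovered password reaches half the fleet; the two CHP gateways share firmware but not credentials, which limits lateral reuse.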

Although this attack didn’t result in a loss of heat or destabilise the grid, the country that experienced the attack ‘may not be so lucky next time’. Speaking on 3 January 2026, President Trump stated that ‘the lights of Caracas were largely turned off due to a certain expertise that we have,’ with regard to U.S. actions in Venezuela. So far, I cannot find any evidence or technical comment on the attack, so I am unsure whether this is hyperbole or if there has simply been no technical investigation or release of information. Currently, we can observe in Poland and Ukraine that destroying power and heat infrastructure is a Russian war aim, as they believe it will wear down civilian morale and lead to capitulation, with power regarded as a legitimate infrastructure target. The attacks were not successful this time, but they may be more successful in future assaults.

References

[1] The Chancellery of the Prime Minister (2026) Poland stops cyberattacks on energy infrastructure, Gov.pl, 15 January. (Accessed: 20 February 2026)

[2] CERT Polska (2026) Energy Sector Incident Report – 29 December 2025. Warsaw: CERT Polska (NASK – National Research Institute). (Accessed: 20 February 2026)

[3] Gauthier, D. (2026) Poland Power Grid Attack Targets Distributed Energy Facilities. Dragos Blog, 28 January. (Accessed: 20 February 2026)

[4] Dragos, Inc. (2026) ELECTRUM: Cyber Attack on Poland’s Electric System 2025 (Intelligence brief; updated January 2026). Washington, DC (USA): Dragos, Inc. (Accessed: 20 February 2026)
