Dragos has released a detailed threat intelligence report providing the first in-depth operational technology (OT) security analysis of the 29 December cyberattack on Poland’s electric sector, offering new insights beyond previous government statements and public malware research.
The report examines one of the approximately 30 sites compromised during the incident and represents the most comprehensive technical assessment to date of how the attack unfolded at the OT level. While the response was led by the Polish national CERT and involved multiple organisations, Dragos’ analysis adds critical context on the real-world impact to distributed energy resources (DER) and grid operations.
According to Dragos, the coordinated attack disrupted around 1.5 GW of distributed generation across the affected sites. Poland’s electricity system was able to absorb the impact largely due to its generation mix, which remains dominated by coal and lignite, accounting for more than 50 per cent of supply, with renewables at around 25 per cent. This provided significant system inertia and thermal backup.
The report warns that grids with higher renewable penetration and less inertia may not fare as well. Dragos notes that in regions where renewables account for 40–50 per cent of generation and thermal capacity is more limited, a similar-scale attack could trigger cascading failures and widespread outages. As grids globally increase their reliance on DER and retire conventional generation, the attack surface grows and the potential consequences of disruption increase.
Dragos describes the incident as the first major coordinated attack on DER at scale, confirming that distributed generation assets are now a viable and attractive target for advanced threat actors. The activity is attributed to ELECTRUM, a threat group widely reported as overlapping with Sandworm, with a history of targeting energy infrastructure beyond Ukraine.
The report also reveals several findings not previously disclosed. Dragos highlights a lack of operational visibility at affected sites, noting that insufficient monitoring prevented analysts from determining whether attackers attempted to issue certain operational commands. The analysis indicates the adversary required detailed, site-specific knowledge of implementations rather than simply exploiting generic vulnerabilities.
In some cases, OT equipment was reportedly disabled beyond repair. Dragos assesses with moderate confidence that the operation appeared opportunistic or rushed, suggesting incomplete preparation rather than limited capability.
The report carries broader regulatory and regional implications. In the United States, renewable facilities below the 1.5 GW Bulk Electric System threshold are not subject to mandatory cybersecurity requirements, a category that would have included all of the Polish sites affected. In the UK, the NIS directive threshold of 2 GW similarly excludes most DER facilities. In Germany, Dragos notes that ELECTRUM previously affected wind turbine infrastructure during the 2022 Viasat incident, demonstrating a pattern of targeting renewable energy assets across multiple regions.
Dragos concludes that Poland’s experience should be viewed as a warning for grids worldwide. As renewable penetration increases and traditional generation declines, the same attack pattern could result in far more severe outcomes unless visibility, security controls and regulatory coverage are extended to distributed energy resources.