Poland Grid Hack Signals Shift in Cyberwarfare Strategy


A new report from Dragos confirms what many in the energy sector had suspected: the December 2025 cyberattack on Poland’s power grid was a deliberate test of the system’s vulnerabilities.

There were no blackouts. Electricity flowed, heating remained stable, and grid operations continued. But that surface-level stability is what makes the incident significant. Instead of trying to cause disruption, the attackers appeared to be mapping weak points in Poland’s increasingly decentralized energy system—including solar farms, wind installations, and cogeneration plants. Analysts at Dragos and CERT Polska attribute the intrusion to the group known as Electrum, which was responsible for cyberattacks on Ukraine’s grid in 2015 and 2016.

This time, they didn’t bring systems down. They demonstrated they could gain access.

Decentralized Energy Becomes a Target

Electrum’s earlier operations relied on direct disruption, including breaching control centers, seizing substations, and cutting power. Those attacks targeted centralized infrastructure, where a few core facilities managed most of the country’s electricity.

That model no longer applies. Power is now generated across thousands of distributed energy resources (DERs), ranging from small wind farms to residential rooftop solar. These assets are critical to the clean energy transition but often rely on off-the-shelf software, basic hardware, and internet-based connections. Many are owned and operated by third parties with varying levels of cybersecurity maturity.

Attackers who compromise one DER site can often use similar methods to breach others.

DERs also introduce challenges for defenders. The distributed nature of the grid creates technical complexity and gaps in oversight. While defenders must monitor a broad, fragmented environment, attackers need only find a single vulnerable point of entry.

“The attack on the Polish Electric System shows that adversaries understand the evolution of the power networks and that they are willing to attack any part of the power grid, not just the assets that have typically been seen as high criticality,” said Phil Tonkin, Field CTO at Dragos.

In Poland, the attackers reportedly focused on the systems that tie DERs into the grid: remote terminal units, communications links, and operational technology used to monitor and control distributed assets. These components don’t typically draw public attention, but they are essential for operators to maintain awareness of grid conditions.

During the incident, utilities temporarily lost visibility across portions of the DER network. While overall control of the grid remained intact, the loss of situational awareness raised operational risks. Investigators later found anomalies—such as unexpected resets, gaps in system logs, and abnormal behavior—but not enough evidence to fully determine what was accessed or intended. That uncertainty complicates response efforts. If it’s unclear what was affected, it’s difficult to ensure systems are secure.

A Shift in Tactics

The intrusion lacked the technical sophistication of previous attacks by Electrum. Analysts observed scanning errors and incomplete scripting, signs the operation may have been executed quickly. But the underlying objective appeared to be testing access and assessing the limits of detection and response.

Instead of using customized malware, the attackers relied on widely available tools to infiltrate multiple sites. They appeared to be mapping vulnerabilities across a broad swath of infrastructure without triggering defensive systems.

The timing of the operation added another layer of risk. It occurred in December, during peak energy demand in Europe. Even a partial disruption under such conditions could have posed serious public safety concerns.

The incident also highlighted a growing challenge for modern grids: reduced system inertia. Traditional grids are stabilized by large spinning generators that resist frequency fluctuations. DERs, in contrast, contribute little inertia. If enough DERs disconnect at once, grid frequency can shift, potentially triggering automated protection systems and causing further instability.

In this case, approximately 1.2 gigawatts of distributed generation were affected. Under normal operating conditions, the grid absorbed the disturbance. But under different circumstances—such as equipment failures, extreme weather, or peak demand—the same disruption could have led to cascading problems.

Gaps in Oversight

Many of the targeted assets fell outside the scope of standard cybersecurity regulations. In several jurisdictions, DERs under a certain capacity threshold are not subject to mandatory logging, reporting, or cybersecurity controls.

That regulatory structure made sense when DERs represented a small portion of the grid. Today, they account for a significant share of total generation and are deeply integrated into grid operations.

While regulations may still treat them as peripheral, attackers view DERs as integral components of the grid. A coordinated compromise of dozens of DER sites can have network-wide effects.

In the Polish incident, the threat did not come from a large-scale failure but from the lack of centralized awareness and response. Small compromises went undetected or unaddressed across multiple operators and regions. The attackers didn’t target the infrastructure itself. Instead, they tested how the lack of centralized oversight could be used to their advantage.

“There is still a dangerous misconception that operational technology (OT) environments are safe because they are ‘air-gapped’ or isolated from the internet and internal IT networks,” said Louis Eichenbaum, Federal CTO at ColorTokens. “That isolation rarely exists. These systems are connected, often indirectly, and they will continue to be breached.”

Responding to a New Threat Model

Securing distributed energy systems will require updated strategies. DERs can no longer be viewed as isolated assets. Each must be treated as a potential target within a broader security framework.

The first step is improving visibility. Many DER operators continue to use conventional IT monitoring tools that are not designed for operational technology environments. Utilities need OT-specific tools that can recognize industrial protocols, detect unusual control behaviors, and capture detailed telemetry before evidence is lost.
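As an added example (not code from the Dragos report or this article), here is the kind of telemetry check such a tool would run. Over a constructed heartbeat log from three hypothetical DER sites it flags reporting gaps (loss of visibility, including a site that goes silent), uptime moving backwards (an unexpected reset), and sums the rated capacity of the affected sites for impact triage; the log format, site names and the 180-second threshold are assumptions.

```python
"""Flag telemetry gaps and unexpected resets in DER heartbeat logs."""
from collections import defaultdict
# Constructed sample log (not incident data). Line format:
# "<epoch s> <site> uptime=<s since boot> cap_mw=<rated MW>"; sites report every 60 s.
SAMPLE_LOG = """\
1000 solar-a uptime=86400 cap_mw=50
1000 wind-b uptime=3600 cap_mw=120
1000 chp-c uptime=7200 cap_mw=30
1060 solar-a uptime=86460 cap_mw=50
1060 wind-b uptime=3660 cap_mw=120
1060 chp-c uptime=7260 cap_mw=30
1120 solar-a uptime=86520 cap_mw=50
1120 chp-c uptime=45 cap_mw=30
1180 solar-a uptime=86580 cap_mw=50
1240 solar-a uptime=86640 cap_mw=50
1300 wind-b uptime=3900 cap_mw=120
"""

def parse_log(text):
    """Parse heartbeat lines into per-site record lists, sorted by time."""
    by_site = defaultdict(list)
    for line in text.strip().splitlines():
        ts, site, up, cap = line.split()
        by_site[site].append({"ts": int(ts), "uptime": int(up.split("=")[1]),
                              "cap_mw": float(cap.split("=")[1])})
    for recs in by_site.values():
        recs.sort(key=lambda r: r["ts"])
    return by_site

def find_gaps(by_site, now, max_gap=180):
    """Loss of visibility: a gap longer than max_gap seconds between reports,
    or a site silent up to `now` (reported with end=None)."""
    gaps = []
    for site, recs in by_site.items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["ts"] - prev["ts"] > max_gap:
                gaps.append((site, prev["ts"], cur["ts"]))
        if now - recs[-1]["ts"] > max_gap:
            gaps.append((site, recs[-1]["ts"], None))
    return gaps

def find_resets(by_site):
    """Unexpected reset: uptime moves backwards between consecutive reports."""
    return [(site, cur["ts"]) for site, recs in by_site.items()
            for prev, cur in zip(recs, recs[1:]) if cur["uptime"] < prev["uptime"]]

def affected_capacity_mw(by_site, gaps, resets):
    """Rated MW of every site with an anomaly, for grid-impact triage."""
    sites = {g[0] for g in gaps} | {r[0] for r in resets}
    return sum(by_site[s][0]["cap_mw"] for s in sites)
```

Run with `find_gaps(parse_log(SAMPLE_LOG), now=1320)` to see wind-b's 240-second outage and chp-c falling silent after its reset; the capacity sum is what an operator would compare against the margin the grid can absorb.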

Incident response also needs to adapt. A breach involving DERs may affect equipment across multiple jurisdictions and operators. Shutting down affected systems is not always an option; doing so may destabilize the grid. Response plans must be tailored to the unique constraints of distributed infrastructure.

Effective response depends on preparation. Cybersecurity must be integrated from the outset—starting with procurement and configuration, and extending through long-term operations.

Strategic Implications

The Poland attack reflects a broader evolution in grid cyberwarfare. Rather than aiming to knock systems offline, attackers are testing how to destabilize the grid by disrupting its balance and coordination.

The shift toward distributed energy has outpaced the development of appropriate cybersecurity standards. Many DERs were designed with sustainability in mind—not resilience against nation-state actors.

The December 2025 incident did not cause blackouts. But it exposed a path by which future attacks might.

Author

Michael Ansaldo, Contributing Writer, Security Buzz. Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.