
ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid

Sandworm/Electrum hackers targeted communication and control systems at 30 sites.

The post ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid appeared first on SecurityWeek.

Power grid security

The recent attack on Poland’s power grid, believed to have been conducted by Russian threat actors, targeted communication and control systems across roughly 30 sites and in some cases resulted in permanent industrial control system (ICS) damage, according to industrial cybersecurity firm Dragos.

In a report published this week, the security firm, which has been involved in responding to the incident, described it as the first major operation specifically targeting distributed energy resources (DER).

The attackers gained access to operational technology (OT) systems at combined heat and power (CHP) plants and renewable energy dispatch centers for wind and solar facilities, primarily targeting grid safety and stability monitoring systems rather than active power generation.

Unlike the attacks targeting Ukraine’s grid in 2015 and 2016, the incident did not result in electrical outages. However, the attackers’ activities resulted in some equipment at the affected sites being bricked.

ESET last week attributed the attack to Sandworm, a Russian state-sponsored threat group, reporting that the attackers had deployed wiper malware on compromised systems.

Dragos has linked the attack — with moderate confidence — to a group it tracks as Electrum, which it describes as related to, but not always the same as, Sandworm.

According to Dragos’s technical analysis, the hackers systematically compromised communication infrastructure and remote terminal units (RTUs), devices that interface between physical equipment at distributed sites and control systems.

“Taking over these devices requires capabilities beyond simply understanding their technical flaws,” Dragos explained. “It requires knowledge of their specific implementation. The adversaries demonstrated this by successfully compromising RTUs at approximately 30 sites, suggesting they had mapped common configurations and operational patterns to exploit systematically.”

Dragos found that some ICS devices were irreparably damaged during the attack. Phil Tonkin, Field CTO at Dragos, told SecurityWeek that a process has been developed to repair hacked RTUs, but some devices were “sufficiently damaged that there was no way to restore them in the field”.

ICS devices bricked

“We can’t confirm the specific function of the devices at this time, but can confirm that the mix of OT devices we describe in the report were affected in ways which disrupted their operation, some of which were bricked,” Tonkin explained.

The absence of power outages appears to result from the inherent design of electricity systems. When communication infrastructure is lost, most industrial devices continue to operate in their last known state, allowing the power to stay on even when remote monitoring and control are disabled.

While the attack on Poland’s power grid bears similarities to the operations aimed at Ukraine a decade ago, Dragos noted that the recent attack lacked the coordinated sequencing seen in the Ukraine blackouts.

The new attack appears rushed and opportunistic, and it’s unclear whether the hackers attempted to issue malicious operational commands to trigger an outage or if they were satisfied with disrupting communications and damaging hardware, the security firm said.

The company pointed out that Electrum does possess the skills to cause more damage, but conducting an attack requires a significant amount of time, including for developing custom payloads for each of the targeted sites. 

It appears that the compressed timeline from reconnaissance to final execution left little room for the preparation required to launch a more disruptive assault.

“Dragos assesses with moderate confidence that opportunism was a key factor in the attack. Rather than executing a precisely planned operation with specific outcomes, Electrum exploited whatever opportunities their access provided: wiping Windows-based devices, resetting configurations, or attempting to permanently damage (or brick) equipment,” Dragos noted, adding, “It appears the operation was rushed, but Dragos cannot make an assessment as to why.”
