Late last year, the Electrum threat group executed a highly coordinated cyber attack across Poland’s energy grid.
The hackers – thought to be linked to the Sandworm group, which itself is linked to the GRU, Russia’s military intelligence service – targeted communication and control systems connected to distributed energy generation, and while the attack did not cause any outages, it did damage key equipment “beyond repair”.
“This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” operational technology security firm Dragos said in a recently published breakdown of the attack.
“Unlike the centralised systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cyber security investment. This attack demonstrates they are now a valid target for sophisticated adversaries.”
Poland, basically, was lucky. More than half of its grid is based on coal and lignite, which provides considerable backup inertia to offset the renewables in its energy mix, which make up only 25 per cent of total power generation. However, countries with a different mix of power generation may be far more susceptible to widespread blackouts in the wake of a similar attack.
So, if Poland is the best-case scenario for this form of cyber attack, what does the worst-case scenario look like, and what does that mean for Australian energy operators?
The Australian situation
“Australia is increasing the share of DER in energy generation year on year by investing further in renewable energy and decommissioning coal-fired power plants,” Josh Hanrahan, principal adversary hunter at Dragos, told Cyber Daily.
“With the National Electricity Market (NEM) reaching 51 per cent of quarterly NEM energy needs in Q4 2025, up from Q3 2025’s 46 per cent, Australia is in a different position to Poland in our energy mix, with just over half of energy generation coming from renewable sources.”
By comparison, Poland’s energy mix trends towards thermal generation, with 69 per cent of its grid powered by burning coal or lignite.
“In Australia, our renewable energy mix is higher; therefore, if a similar attack happened here, the situation might look different,” Hanrahan said.
“As renewable energy increases in the energy mix in the coming years, the ability to fall back on coal power and potentially avoid a lack of reserve event decreases.”
Electrum’s tactics should also ring alarm bells, as the hackers gained access to Poland’s DER generation sites via edge devices such as firewalls. Hanrahan said such devices are often built at pace and with a standard configuration across multiple sites.
“This is not a unique problem set to Poland, but a global one. Effectively, the reuse of configuration across multiple DER sites enables an adversary to scale their intrusion significantly,” Hanrahan said.
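As an added illustration of the configuration-reuse point above (this is example code, not from the article or from Dragos), the following Python compares constructed edge-firewall snapshots for a handful of hypothetical DER sites and reports how many sites a single reused template or shared admin credential would unlock; all site names, fields and values are invented.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: edge-firewall config snapshots for four hypothetical DER sites.
# Three sites were deployed from the same template; one was individually hardened.
_TEMPLATE = {"admin_user": "admin", "admin_pw_hash": "5f4dcc3b", "mgmt_iface": "wan",
             "fw_version": "7.0.1",
             "rules": ["allow tcp/443 any->mgmt", "allow tcp/502 any->plc"]}
SITE_CONFIGS = {
    "wind-01": dict(_TEMPLATE),
    "wind-02": dict(_TEMPLATE),
    "solar-03": dict(_TEMPLATE),
    "chp-04": {"admin_user": "ops-chp04", "admin_pw_hash": "9a1b2c3d", "mgmt_iface": "oob",
               "fw_version": "7.2.0",
               "rules": ["allow tcp/443 oob-net->mgmt", "deny tcp/502 any->plc"]},
}

def fingerprint(cfg):
    """Hash the security-relevant fields of one config; rule order is ignored."""
    canon = "|".join([cfg["admin_user"], cfg["admin_pw_hash"], cfg["mgmt_iface"],
                      cfg["fw_version"]] + sorted(cfg["rules"]))
    return hashlib.sha256(canon.encode()).hexdigest()[:12]

def shared_templates(configs):
    """Sites deployed from an identical configuration: {fingerprint: [sites]}."""
    groups = defaultdict(list)
    for site, cfg in configs.items():
        groups[fingerprint(cfg)].append(site)
    return {fp: sorted(s) for fp, s in groups.items() if len(s) > 1}

def shared_credentials(configs):
    """Sites sharing one admin credential: a single captured password opens all of them."""
    by_cred = defaultdict(list)
    for site, cfg in configs.items():
        by_cred[(cfg["admin_user"], cfg["admin_pw_hash"])].append(site)
    return {cred: sorted(s) for cred, s in by_cred.items() if len(s) > 1}

def wan_exposed_management(configs):
    """Sites whose firewall management plane faces the WAN instead of an out-of-band network."""
    return sorted(s for s, c in configs.items() if c["mgmt_iface"] == "wan")

def blast_radius(configs):
    """Largest number of sites that one reused template or credential would unlock."""
    sizes = [len(s) for s in shared_templates(configs).values()]
    sizes += [len(s) for s in shared_credentials(configs).values()]
    return max(sizes, default=1)

if __name__ == "__main__":
    print("blast radius:", blast_radius(SITE_CONFIGS))
    print("WAN-exposed management:", wan_exposed_management(SITE_CONFIGS))
```

Run against real per-site exports, the same grouping shows which sites fall together if one edge device is compromised, and which ones still expose management on the WAN side.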
What made Electrum’s attack so effective – even if it didn’t cause any outages – was the group’s knowledge of how OT systems actually work, rather than, as Hanrahan pointed out, relying upon sophisticated “bespoke ICS-capable malware”.
The threat actor knew what to hit and how to hit it.
“This attack was not a capability unique to Electrum specifically and could be mimicked by other threat groups with OT system knowledge and a victimology that more closely aligns with Australia and the Asia-Pacific in general,” Hanrahan said.
The takeaway
According to Hanrahan, any nation that relies upon DER systems should be paying close attention to Electrum’s activity.
“Those countries with 50 per cent or more renewables in their energy mix (such as Australia) need to pay close attention to how this attack was coordinated and carried out, as when the energy mix for renewables increases year on year, and thermal energy resources aren’t available, the ability to avoid a loss of reserve becomes difficult,” Hanrahan said.
“Because this attack did not rely on Electrum’s bespoke tooling and instead drew on extensive OT and energy system expertise, Australia should recognise that other threat groups that possess comparable deep OT knowledge and routinely leverage network-edge devices for initial access could pose a similar risk.”
You can read Dragos’ full analysis of the 2025 Poland energy grid attack here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.