Cyberattack on Polish Energy Grid Disrupts Distributed Energy Systems Across Dozens of Facilities

By Ash K

A coordinated cyberattack targeting Poland’s energy infrastructure has disrupted operations across a wide range of distributed energy resource facilities, raising fresh concerns about the resilience of modern power grids. The incident, which unfolded in late December, affected combined heat and power plants, wind farms, and solar dispatch systems connected to the national grid.

Security researchers tracking the incident estimate that around 30 energy facilities were impacted, although only 12 sites have been publicly confirmed so far. The attack did not result in a nationwide blackout, but it caused lasting damage to operational technology environments and exposed weaknesses in how distributed energy assets are protected.

Distributed Energy Systems in the Crosshairs

The attackers focused on distributed energy resources rather than large centralized power stations. These systems play a growing role in balancing electricity supply and demand, especially as renewable energy adoption accelerates across Europe.

Facilities affected by the incident included CHP installations as well as wind and solar assets responsible for real-time dispatch decisions. By disrupting these systems, attackers were able to interfere with monitoring, control, and communications without triggering an immediate loss of power.

Operational Technology Damage Without Blackouts

Investigators reported that attackers wiped Windows-based systems and damaged OT equipment beyond repair at several locations. Despite this, the campaign failed to cause widespread power outages. Around 1.2 gigawatts of capacity, roughly 5 percent of supply, remained online and unaffected.

This outcome highlights a shift in attack objectives. Rather than immediate disruption, the operation appears designed to degrade infrastructure, erode trust in grid stability, and force costly recovery efforts while avoiding a dramatic public response.

Attribution and Tactics

According to industrial cybersecurity firm Dragos, the campaign can be attributed with moderate confidence to Electrum, a Russian-linked threat group known for targeting energy sector environments. The group has previously deployed destructive tools such as DynoWiper, CaddyWiper, and Industroyer2.

The attackers demonstrated a detailed understanding of remote terminal units, edge devices, and grid communications. By disrupting telemetry and remote monitoring, they introduced risks of frequency instability even where electricity generation continued uninterrupted.

Why Distributed Energy Raises the Stakes

Distributed energy systems increase efficiency and resilience, but they also expand the attack surface. Each connected facility introduces new control interfaces, remote access pathways, and integration points with grid operators.

This incident shows how compromising a relatively small number of dispersed assets can have outsized operational consequences. Even without cutting power, attackers can undermine confidence in grid reliability and impose significant recovery costs.

A Warning for Critical Infrastructure Operators

The attack on Poland’s energy grid underscores the growing focus on OT environments by advanced threat actors. As renewable and distributed systems become central to national energy strategies, their security posture becomes inseparable from national resilience.

For operators, the lesson is clear. Visibility into edge devices, stronger segmentation between IT and OT networks, and tighter control over remote access are no longer optional. In an era of geopolitical cyber operations, even partial disruption carries strategic weight.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.