
"The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites," Dragos said. "While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site."
"It's worth pointing out that ELECTRUM and KAMACITE share overlaps with a cluster referred to as Sandworm (aka APT44 and Seashell Blizzard). KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploitation of exposed services. Beyond initial access, the threat actor performs reconnaissance and persistence activities over extended periods of time as part of efforts to burrow deep into target OT environments and keep a low profile, signaling a careful preparatory phase that precedes actions executed by ELECTRUM targeting the industrial control systems."
"Following access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling within operational networks, and performs ICS-specific actions that manipulate control systems or disrupt physical processes," Dragos said. "These actions have included both manual interactions with operator interfaces and the deployment of purpose-built ICS malware, depending on the operational requirements and objectives."
Dragos attributed a late-December 2025 coordinated cyber attack on multiple Polish power grid sites to ELECTRUM with medium confidence and described it as the first major attack targeting distributed energy resources (DERs). The attack affected communication and control systems at combined heat and power facilities and systems managing dispatch of wind and solar generation. The operation did not cause outages but provided adversaries access to critical OT systems and resulted in irreparable equipment damage. ELECTRUM and KAMACITE overlap with Sandworm; KAMACITE focuses on initial access via spear-phishing, stolen credentials, and exposed-service exploitation, then performs long-term reconnaissance and persistence. ELECTRUM bridges IT and OT, deploying tooling, conducting manual operator interactions, and using purpose-built ICS malware to manipulate control systems or disrupt physical processes.
Read at The Hacker News