Cyberattack on Poland's power grid could have turned deadly in winter cold
(2026/01/29)
- Reference: 1769688612
- News link: https://www.theregister.co.uk/2026/01/29/cyberattack_poland_power_grid/
- Source link:
Cybersecurity experts involved in the cleanup of the cyberattacks on Poland's power network say the consequences could have been lethal.
In a [1]report published this week, Dragos said it is working with one of the 30 or so facilities affected by the attacks, allegedly carried out by Russian intelligence.
It called the attacks irresponsible, and if they succeeded in disrupting the country's power grid, it could have led to civilian deaths given the timing.
[2]
"An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it," Dragos said.
[3]
[4]
"It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations."
Dragos, which attributed the attacks to the group it calls Electrum but most others call Sandworm, described the attacks as a world-first for targeting distributed energy sources (DERs), which are smaller sites connected to a country's central power grid.
[5]
The attacks bore similarities with those carried out by Russia a decade ago in Ukraine, where GRU-affiliated Sandworm attackers compromised the country's power grid.
The use of wiper malware, DynoWiper in this case, is [6]consistent with Sandworm's previous attacks on critical infrastructure, but targeting DERs is an evolution in tradecraft.
Dragos said the various compromises in Poland show these DERs, which don't often receive the same levels of cybersecurity investment as centralized facilities, now represent an attractive target for state-sponsored attackers.
[7]
"While Dragos has responded to cybersecurity incidents at individual renewable and distributed generation facilities in the past, those incidents involved single sites or opportunistic compromises," its report read.
"The Poland attack is significant because of the coordinated nature of the attacks across numerous sites simultaneously and the demonstrated intent of a sophisticated adversary to systematically target this infrastructure."
[8]Moscow likely behind wiper attack on Poland's power grid, experts say
[9]AI-powered cyberattack kits are 'just a matter of time,' warns Google exec
[10]London boroughs limping back online months after cyberattack
[11]Warwickshire school to reopen after cyberattack crippled IT
As [12]reported earlier this week , Sandworm's attempts at industrial sabotage did not result in power grid outages. However, Dragos said in some cases the effects of the attacks damaged equipment beyond repair.
Without going into specifics of the incident at the site Dragos was investigating, the report noted that attackers took over remote terminal units (RTUs) and communication infrastructure at multiple sites.
They achieved this through various means, such as targeting internet-exposed devices and those vulnerable to exploits or via misconfigurations, and a strong understanding of how these RTU devices are deployed in the field.
"Taking over these devices requires capabilities beyond simply understanding their technical flaws," Dragos said. "It requires knowledge of their specific implementation.
"The adversaries demonstrated this by successfully compromising RTUs at multiple sites, suggesting they had mapped common configurations and operational patterns to exploit systematically."
Sandworm attackers disabled some communication and operational technology devices during the attacks, but this alone would not cause a power outage. Taking these devices down usually just prevents remote monitoring; in most cases, they continue to operate as normal.
However, incident responders are still working to understand if Sandworm tried to issue commands to the devices they compromised, in an attempt to alter their functionality, or if their goal was to simply disable them. ®
Get our [13]Tech Resources
[1] https://hub.dragos.com/report/electrum-targeting-polands-electric-sector
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2022/05/10/us_eu_russia/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2026/01/26/moscow_likely_behind_wiper_attack/
[9] https://www.theregister.com/2026/01/23/ai_cyberattack_google_security/
[10] https://www.theregister.com/2026/01/23/landmark_milestone_as_hammersmith_fulham/
[11] https://www.theregister.com/2026/01/19/higham_lane_school_reopens/
[12] https://www.theregister.com/2026/01/26/moscow_likely_behind_wiper_attack/
[13] https://whitepapers.theregister.com/
In a [1]report published this week, Dragos said it is working with one of the 30 or so facilities affected by the attacks, allegedly carried out by Russian intelligence.
It called the attacks irresponsible, and if they succeeded in disrupting the country's power grid, it could have led to civilian deaths given the timing.
[2]
"An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it," Dragos said.
[3]
[4]
"It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations."
Dragos, which attributed the attacks to the group it calls Electrum but most others call Sandworm, described the attacks as a world-first for targeting distributed energy sources (DERs), which are smaller sites connected to a country's central power grid.
[5]
The attacks bore similarities with those carried out by Russia a decade ago in Ukraine, where GRU-affiliated Sandworm attackers compromised the country's power grid.
The use of wiper malware, DynoWiper in this case, is [6]consistent with Sandworm's previous attacks on critical infrastructure, but targeting DERs is an evolution in tradecraft.
Dragos said the various compromises in Poland show these DERs, which don't often receive the same levels of cybersecurity investment as centralized facilities, now represent an attractive target for state-sponsored attackers.
[7]
"While Dragos has responded to cybersecurity incidents at individual renewable and distributed generation facilities in the past, those incidents involved single sites or opportunistic compromises," its report read.
"The Poland attack is significant because of the coordinated nature of the attacks across numerous sites simultaneously and the demonstrated intent of a sophisticated adversary to systematically target this infrastructure."
[8]Moscow likely behind wiper attack on Poland's power grid, experts say
[9]AI-powered cyberattack kits are 'just a matter of time,' warns Google exec
[10]London boroughs limping back online months after cyberattack
[11]Warwickshire school to reopen after cyberattack crippled IT
As [12]reported earlier this week , Sandworm's attempts at industrial sabotage did not result in power grid outages. However, Dragos said in some cases the effects of the attacks damaged equipment beyond repair.
Without going into specifics of the incident at the site Dragos was investigating, the report noted that attackers took over remote terminal units (RTUs) and communication infrastructure at multiple sites.
They achieved this through various means, such as targeting internet-exposed devices and those vulnerable to exploits or via misconfigurations, and a strong understanding of how these RTU devices are deployed in the field.
"Taking over these devices requires capabilities beyond simply understanding their technical flaws," Dragos said. "It requires knowledge of their specific implementation.
"The adversaries demonstrated this by successfully compromising RTUs at multiple sites, suggesting they had mapped common configurations and operational patterns to exploit systematically."
Sandworm attackers disabled some communication and operational technology devices during the attacks, but this alone would not cause a power outage. Taking these devices down usually just prevents remote monitoring; in most cases, they continue to operate as normal.
However, incident responders are still working to understand if Sandworm tried to issue commands to the devices they compromised, in an attempt to alter their functionality, or if their goal was to simply disable them. ®
Get our [13]Tech Resources
[1] https://hub.dragos.com/report/electrum-targeting-polands-electric-sector
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2022/05/10/us_eu_russia/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXuSfgAQanmuuJtwtrK5AAAAAYk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2026/01/26/moscow_likely_behind_wiper_attack/
[9] https://www.theregister.com/2026/01/23/ai_cyberattack_google_security/
[10] https://www.theregister.com/2026/01/23/landmark_milestone_as_hammersmith_fulham/
[11] https://www.theregister.com/2026/01/19/higham_lane_school_reopens/
[12] https://www.theregister.com/2026/01/26/moscow_likely_behind_wiper_attack/
[13] https://whitepapers.theregister.com/