Overview
- Poland’s CERT says Russian hackers entered wind, solar and a heat-and-power site using default passwords and no multi-factor authentication, deployed wiper malware, and caused monitoring systems to fail without cutting power.
- Dragos reports roughly 30 distributed energy sites were hit, with compromises of RTUs and grid-facing communications and some operational technology devices damaged beyond repair, alongside wiped Windows hosts.
- Investigators say the campaign focused on safety and stability monitoring rather than active power generation, and Dragos calls it the first major coordinated operation to target distributed energy resources.
- Dragos attributes the activity with moderate confidence to Electrum, and ESET has tied destructive elements to Sandworm, while Poland’s CERT assigns responsibility to Berserk Bear, leaving attribution contested.
- Analysts describe the operation as rushed and opportunistic and say it remains unclear whether the attackers attempted to issue operational commands, with grid design helping keep power on despite disabled remote monitoring.