Cyberattack on Poland’s power grid hit around 30 facilities, new report says

A coordinated cyberattack that targeted Poland’s power grid in late December compromised control and communications systems at around 30 facilities linked to distributed energy generation, according to new findings from cybersecurity firm Dragos.

Polish officials had previously said the incident — attributed by researchers to the Russian hacking group Sandworm — was thwarted before it could cause a power outage that would have cut electricity to as many as half a million residents.

In a report published on Tuesday, Dragos said that while Poland’s electricity transmission system — the backbone of the grid — was not affected and power supplies remained uninterrupted, the attackers had a measurable impact. 

“While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” researchers said.

The attack specifically affected communication and control systems at combined heat and power facilities, as well as systems managing the dispatch of renewable energy from wind and solar sites. While a loss of communications does not automatically shut down power equipment, it prevents operators from remotely monitoring or controlling systems.

“What remains unclear is whether the hackers attempted to issue operational commands to this equipment or focused solely on disabling communications,” the researchers said.

Taking control of the systems compromised in this attack requires capabilities “beyond simply understanding their technical flaws,” Dragos added, noting that such attacks demand detailed knowledge of how the systems are implemented.

Unlike the centralized infrastructure targeted in previous grid attacks, distributed energy systems are more numerous, rely heavily on remote connectivity and often receive less cybersecurity investment. “This attack demonstrates they are now a valid target for sophisticated adversaries,” the researchers said.

Dragos’ findings add detail to earlier reporting by cybersecurity firm ESET, which said last week that Sandworm used data-wiping malware known as DynoWiper. Dragos also attributed the attack to Sandworm with moderate confidence.

Sandworm, which Western governments and researchers link to Russia’s military intelligence agency, has been active since at least 2013 and is responsible for some of Russia’s most high-profile destructive cyberattacks, including past operations against power grids in Ukraine.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.