Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

Poland Energy Survives Attack on Wind, Solar Infrastructure

  • What: Russia-aligned groups targeted Poland's energy sector with wiper attacks.
  • Impact: More than 30 renewable energy farms, a private manufacturing company, and a combined heating and power plant were affected.

Poland Energy Survives Attack on Wind, Solar Infrastructure

Russia-aligned groups are probable culprits behind the wiper attacks against renewable energy farms, a manufacturer, and a heating and power plant.

Alexander Culafi, Senior News Writer, Dark Reading. February 17, 2026.

The attack on Poland's energy sector late last year might have failed, but it was also the first large-scale attack against decentralized energy resources (DERs) such as wind turbines and solar farms.

On Dec. 29 and 30, 2025, attackers targeted Poland with wiper attacks against more than 30 renewable energy farms, a private manufacturing-sector company, and a combined heat and power plant. Polish Prime Minister Donald Tusk said the attack failed, but it was reportedly one of the most aggressive cyberattacks of its kind the country had seen in years.

CERT Polska published a report dedicated to the attack on Jan. 30 in which the Polish security response team compared the attack to arson. The attacks were destructive by nature and "occurred during a period when Poland was struggling with low temperatures and snowstorms just before the New Year." Tusk pointed to Russia as the likely party responsible last month, and CERT Polska said elements of the attack have a high degree of overlap with a Russia-aligned threat cluster tracked as Berserk Bear (other reports have tied the activity to the infamous Russian actor Sandworm).

Today, industrial security vendor Dragos published its 9th annual "Year in Review OT/ICS Cybersecurity Report," tracking threat activity clusters seen in the operational technology (OT) space in 2025. The vendor assessed with moderate confidence that the activity reflects tradecraft and objectives in line with the Electrum threat group, which overlaps with Sandworm.

Electrum, Kamacite, and the Attack on Polish Energy

Dragos said that over the past year, Electrum has worked alongside another threat actor, tracked as Kamacite, to conduct destructive attacks against Ukrainian ISPs and persistent scanning of industrial devices in the US. Kamacite gained initial access and persistence against organizations, and Electrum executed follow-on activity. Dragos has tracked Kamacite activity against the European ICS/OT supply chain since late 2024.

"Electrum remains one of the most aggressive and capable OT/ICS-adjacent threat actors in the world," Dragos said. "Even when targeting IT infrastructure, Electrum's destructive malware often affects organizations that provide critical operational services, telecommunications, logistics, and infrastructure support, blurring the traditional boundary between IT and OT. Kamacite's continuous reconnaissance and access development directly enable Electrum's destructive operations. These activities are neither theoretical nor preparatory; they are part of active campaigns culminating in real-world outages, data destruction, and coordinated destabilization campaigns."

Robert Lee, CEO and co-founder of Dragos, said in a press call that Dragos was involved in the incident response behind the attack, though nothing in the report reflects that incident response process, for legal reasons.

Lee said last year's attack was significant because it was the first major attack against DERs, a designation that often refers to wind turbines, solar farms, and the like. DERs make up an increasing share of the energy sector. "If 25% of your electric system is wind farms and somebody goes after them, it can be really impactful to you," Lee says. "This is the first time ever that there was an attack coordinated across a bunch of these different DER sites."

Lee added that there was no evidence the adversary had full control of the DERs and that there did not appear to be any attempt to mis-operate these resources. As for why the power didn't go out, he says it remains an "internal debate" why Electrum didn't go further. Lee also described how Poland was to some degree fortunate, because DERs make up a smaller portion of its energy portfolio than in some other countries.

"If this same style of attack happened in the US or Australia or certain parts of Europe such as the Nordics, where they're very much more DER heavy, it would have been potentially catastrophic for the system," Lee says. "There are certain parts of the United States, as an example, that if they had done the same style of attack, it could have caused cascading failures on the electric system."

Lee also acknowledged the various references to threat activity clusters and entities, be it Russia, Sandworm, Electrum, or Berserk Bear. As he explains, vendors and researchers handle attribution and threat cluster definitions differently, so there are multiple attributions from different sources, at varying confidence levels, that broadly point in similar directions.

Shore Up Your OT Defenses

The attack highlighted the ongoing threat faced by the energy sector. The Cybersecurity and Infrastructure Security Agency (CISA) published a security alert on Feb. 10 warning how security gaps in the OT sector could have serious consequences. Though primarily reiterating CERT Polska's report, CISA highlighted that threat actors gained initial access through vulnerable Internet-facing edge devices before deploying wipers that damaged remote terminal units (RTUs).

"The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices," CISA said. "While the affected renewable energy systems continued production, the system operator could not control or monitor them according to their intended design."

As a result of this incident, CISA advised OT operators to prioritize updates that allow firmware verification, to immediately change default passwords on devices such as edge devices, and to require integrators and OT suppliers to do the same. "Threat actors leveraged default credentials, a vulnerability not limited to specific vendors, to pivot onto the HMI and RTUs," the agency said.

In its report, Dragos made multiple recommendations to OT operators. Electrum's deliberate targeting of operational assets in a destructive context reinforced the need for an incident response plan to "explicitly address how organizations will operate when the integrity of field devices, control logic, or command pathways cannot be assumed," such as by establishing decision authority and conducting tabletop exercises. Organizations should also ensure their architecture is defensible through methods such as strict authorization practices, OT/IT segmentation, strict vendor access governance, secure remote access, and ICS network visibility and monitoring.

About the Author

Alexander Culafi, Senior News Writer, Dark Reading. Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
