State Sponsored Cyber Espionage: Investigating the threat actors targeting EU energy grids

Our investigation draws upon forensic data from 2020 to early 2026 to reconstruct the timeline of this assault. The intrusion was not the work of a single actor but rather a convergence of distinct state sponsored methodologies. Forensics confirm that while Russian military intelligence units, specifically Sandworm (APT44), executed disruptive wiper attacks in Eastern Europe, actors linked to the People’s Republic of China, notably Volt Typhoon, engaged in deep operational pre positioning within Western grid control systems.

The Sandworm Offensive: Disruption as Doctrine

The most kinetic phase of the campaign occurred in late December 2025, targeting the Polish power grid. Polish officials and ESET researchers identified the deployment of “DynoWiper,” a sophisticated malware strain designed to delete critical files on industrial control systems. This attack, occurring ten years after the infamous Ivano Frankivsk blackout in Ukraine, targeted two combined heat and power plants and a renewable energy management system. Unlike previous incidents that focused on immediate shutdowns, the 2025 operations aimed to sever the visibility of transmission system operators over their own assets.

Data from the incident shows the attackers leveraged credentials harvested months prior, likely during the “silent” phase of the intrusion in early 2025. While Polish defenses prevented a total blackout, the attack successfully forced several grid segments into island mode, severing them from the central European connection to prevent cascading failures.

Volt Typhoon and the Silent Siege

Parallel to the noisy disruptions in the East, a quieter but equally dangerous infiltration targeted the Western European energy core. Reports from February 2026 by the NJCCIC and IISS highlight that Volt Typhoon shifted tactics from espionage to strategic pre positioning. Throughout 2025, this group compromised legacy edge devices, including routers and firewalls from major vendors like Cisco and Netgear, to build a covert botnet.

This infrastructure allowed the attackers to tunnel into sensitive operational technology networks without deploying custom malware that might trigger security alarms. Their objective was not immediate theft but the establishment of “living off the land” persistence. By using legitimate administrative tools, they maintained access to grid control software, waiting for a geopolitical trigger to execute disruptive commands.

The Solar Vector and Supply Chain Fragility

A crucial and underreported aspect of the 2025 intrusion involved the renewable energy supply chain. In April 2025, SolarPower Europe issued a warning regarding the vulnerability of digitalized solar inverters. Our investigation confirms that threat actors exploited these weak points in mid 2025. By compromising the remote management interfaces of distributed solar assets, attackers gained the theoretical ability to manipulate gigawatts of power generation. This “manipulation of demand” attack vector threatened to destabilize the grid frequency from the bottom up, bypassing traditional transmission level defenses.

Strategic Implications for 2026

The 2025 Synchronized Grid Intrusion demonstrated that the European grid is no longer just a physical infrastructure but a contested digital battlefield. The convergence of the Sandworm destructive capabilities with the stealthy persistence of Volt Typhoon has created a threat landscape where the adversary is already inside the perimeter. The defensive success in Poland offers a blueprint for resilience, yet the widespread presence of sleeper access in Western grids remains a critical vulnerability as we move further into 2026.

Chronology of Events: Detection of Anomalies in the European Transmission Network

The operational landscape of the European energy sector shifted irrevocably on February 4, 2025. On this date, the European Union Cyber Solidarity Act (Regulation EU 2025/38) formally entered into force, mandating the creation of a European Cyber Shield. This legislative milestone, designed to interconnect Security Operations Centers (SOCs) across member states, arrived not a moment too soon. Retrospective analysis from early 2026 reveals that hostile state sponsored actors were already deeply embedded within the operational technology (OT) networks of at least three major Transmission System Operators (TSOs) at the precise moment the law was signed.

The prelude to the 2025 incident began in late 2023 and throughout 2024, a period characterized by what ENISA described as a “saturation of noise.” The 2024 ENISA Threat Landscape report had previously identified a critical vulnerability: approximately 30 percent of energy operators in the EU lacked a dedicated SOC for their operational technology. Adversaries exploited this blind spot. Throughout 2024, groups such as Graphite (APT28) and Voltzite (Volt Typhoon) conducted low level reconnaissance, camouflaging their activities as standard administrative traffic. This period of “living off the land” allowed threat actors to map the proprietary protocols of SCADA systems without deploying detectable malware signatures.

The Silent Phase: January to March 2025

The first tangible anomaly appeared on March 14, 2025, within the telemetry data of a Baltic TSO. Unlike the noisy “wiper” malware attacks seen in previous years (such as the AcidPour incidents of 2024), this intrusion was silent. An automated dispatch system began issuing frequency regulation commands that deviated minutely from the scheduled load parameters. These deviations were within the standard error margin of legacy sensors but displayed a rhythmic, artificial latency of 400 milliseconds. Security analysts at the newly federated European Cyber Shield detected this pattern by correlating logs across borders, a capability that did not exist prior to the implementation of the Network Code on Cybersecurity.

Deep packet inspection revealed that the latency was not physical but digital. Encrypted command packets were being routed through an unauthorized intermediate node, a dormant maintenance server that had been compromised via a zero day vulnerability in a widely used VPN concentrator. This technique mirrored the “FrostyGoop” malware tactics analyzed by Dragos in 2024, where attackers used Modbus commands to disrupt heating systems directly. However, the 2025 variant was far more sophisticated, designed to manipulate the phase angle of electricity transmission rather than simply shutting down relays.

Escalation and Containment: The “Solstice” Trigger

By June 2025, the scope of the infiltration became clear. The hostile actors had established persistence in the firmware of remote terminal units (RTUs) across Germany, Poland, and the Baltic states. The malicious code was designed to trigger synchronously during a high load event, theoretically capable of inducing a cascading failure across the Continental Europe Synchronous Area. Intelligence agencies later classified this as a “logic bomb” intended to provide geopolitical leverage during winter energy negotiations.

The activation of the Cyber Emergency Mechanism in July 2025 prevented the intended blackout. Rapid response teams, coordinating under the new EU solidarity framework, deployed a specialized patch that locked the RTU firmware and flushed the adversary access tokens. The operation was quiet, public attribution was delayed, and the grid remained stable. However, the incident exposed the fragility of the transition to digitalized energy grids. As of February 2026, the investigation continues into the supply chain vendors whose hardware served as the initial entry point, marking a new era where the defense of energy infrastructure requires instant, transnational cooperation rather than isolated national responses.

Target Profile: Assessment of Affected Transmission System Operators (TSOs)

The 2025 campaign marked a decisive shift in adversarial strategy against the European energy sector. Unlike previous ransomware incidents driven by financial gain, the activity observed throughout late 2024 and 2025 revealed a meticulous espionage operation aimed at the operational core of European Transmission System Operators. Intelligence gathered by agencies such as ENISA and private sector analysts indicates that the perpetrators, specifically the Russia aligned Sandworm group and distinct China linked clusters, moved beyond simple disruption. Their primary objective was the mapping of critical dependencies within the Continental Europe Synchronous Area to facilitate future cascading failures.

The Eastern Flank: Poland as the Primary Testbed

The most significant breach occurred in late December 2025, targeting the Polish power infrastructure. While the deployment of the DynoWiper malware on December 29 garnered immediate attention for its destructive potential, the investigative value lies in the months of infiltration that preceded it. Forensic analysis reveals that the attackers maintained a silent presence within the networks of the Polish national TSO and associated heat and power plants for at least six months prior to the attack.

During this reconnaissance phase, the threat actors engaged in the systematic exfiltration of SCADA network diagrams and credential harvesting. They specifically targeted the interface between Information Technology and Operational Technology systems. The attackers focused on the remote management protocols used for load balancing and frequency control. By exploiting the legacy IEC 60870 5 104 standard, which lacks robust intrinsic encryption, the intruders successfully mapped the “black start” capabilities—the procedures required to restore power after a total grid collapse. This data is classified as top secret due to its strategic value in a wartime scenario.

The Baltic Desynchronization Vector

Parallel to the Polish incident, TSOs in Lithuania, Latvia, and Estonia faced heightened probing activity throughout 2025. This surge coincided with the final stages of the Baltic project to decouple from the BRELL ring (the Russian controlled grid) and synchronize fully with the Continental European network. Intelligence reports confirm that the attackers aimed to identify vulnerabilities in the new frequency stability mechanisms.

In September 2024 and continuing into 2025, hackers compromised commercial solar installations in Lithuania to use them as backdoors into the wider grid. These “distributed energy resources” often lack the rigorous security of central transmission substations. By compromising the inverters and management software of these smaller generators, state backed spies gained lateral access to the central control systems of the Baltic TSOs. This vector allowed them to monitor real time flow data and assess how the grid responded to minor fluctuations, effectively testing the resilience of the system without launching a full overt attack.

Western European Supply Chain Infiltration

While the kinetic threats focused on the East, Western European TSOs in Germany and Denmark faced a sophisticated supply chain compromise. The Salt Typhoon campaign, highlighted by Danish authorities in early 2025, demonstrated a deep interest in the telecommunications backbone that supports grid signaling. Modern TSOs rely heavily on leased fiber optic lines and commercial 5G networks for communicating with substations.

The investigation uncovered that malicious firmware had been introduced into specific components of the wind farm management systems used in the North Sea. These components, supplied by third party vendors with manufacturing bases in Asia, contained dormant code designed to intercept control commands. This allowed the attackers to silently observe how Western TSOs managed peak load from renewable sources. The espionage did not aim to shut down the turbines immediately but to understand the logic of the automated dispatch systems. Access to this logic provides an adversary with the ability to induce voltage instability by manipulating the data inputs fed into the main control centers of operators like TenneT or 50Hertz.

Assessment of Strategic Intent

The target profile for 2025 confirms that the adversaries view the European grid not as a collection of national assets but as a single, interconnected machine. The espionage focused on the “seams” of the grid—the interconnectors between countries and the digital bridges between legacy coal plants and modern renewables. The theft of topological data from Poland and the Baltics suggests that the ultimate goal was the creation of a digital twin of the EU grid. With such a model, hostile actors can simulate attack scenarios to maximize damage, ensuring that a future strike on a single node causes a ripple effect capable of destabilizing the entire synchronous zone.

Entry Vector Analysis: Weaponization of Unpatched IoT Gateways and VPNs

The 2025 operational landscape for European energy grids was defined not by novel zero day exploits against proprietary SCADA protocols, but by the ruthless industrialization of known vulnerabilities in edge infrastructure. Our forensic analysis of the December 2025 blackout events in Poland and the Baltic states reveals a distinct shift in adversary tradecraft. Threat actors, specifically the Sandworm affiliated cluster now tracked as ELECTRUM and the China nexus group Volt Typhoon, moved away from complex spear phishing campaigns. Instead, they focused on the automated weaponization of unpatched IoT gateways and Virtual Private Network concentrators. These devices, often serving as the bridge between corporate IT environments and sensitive Operational Technology (OT) zones, became the primary beachhead for intrusion.

State Sponsored Cyber Espionage Data Table

The Fortinet and Ivanti VPN Crisis

The most pervasive entry vector identified during the 2024 and 2025 campaigns involved the exploitation of critical vulnerabilities in SSL VPN appliances. Despite repeated warnings from CERT Polska and ENISA, a significant percentage of energy sector organizations failed to apply patches for CVE 2024 21762 and CVE 2025 22457. The former, a critical out of bounds write vulnerability in Fortinet FortiOS, allowed unauthenticated attackers to execute arbitrary code. Forensic artifacts recovered from a compromised transmission system operator in Warsaw showed that attackers used this flaw to deploy a custom shell script dropper.

This dropper facilitated a technique known as “symlink persistence,” where the adversaries created malicious symbolic links within the device file system. This allowed them to maintain root access even after the appliance was rebooted or arguably patched, a method that evaded standard integrity checks. Similarly, the exploitation of Ivanti Connect Secure gateways via CVE 2025 0282 provided attackers with a stealthy conduit into the demilitarized zones (DMZ) of three major renewable energy providers in Germany and France. Once inside the DMZ, the actors pivoted directly to the OT management VLANs, bypassing firewall rules that trusted traffic from these “secure” VPN nodes.

Industrial IoT Gateways: The Silent Bridge

While VPNs provided the initial foothold, the lateral movement into the deep OT layers was achieved through compromised industrial IoT gateways. Specifically, devices manufactured by Moxa and deployed extensively for remote monitoring of wind farms and solar arrays were targeted. In mid 2025, security researchers disclosed CVE 2024 9140, a command injection vulnerability in Moxa EDR series routers with a severity score of 9.8.

Intelligence suggests that the pro Russia “Infrastructure Destruction Squad” utilized this specific flaw to deploy a new strain of ICS specific malware dubbed “VoltRuptor.” Unlike generic ransomware, VoltRuptor was designed to interact with the serial interfaces of these gateways. It sent malformed packets to downstream Remote Terminal Units (RTUs), effectively fuzzing the controllers until they entered a denial of service state. In the Poland incident, this technique was used to disconnect over 30 remote renewable generation sites from the central dispatch grid, causing a frequency imbalance that triggered automatic load shedding.

Living off the Land and Firmware Implants

A disturbing evolution observed in 2025 was the “living off the land” approach adopted by Volt Typhoon. Rather than deploying noisy malware, this actor exploited the built in diagnostic tools of compromised Cisco and Netgear edge devices. They utilized native commands to capture packet captures of IEC 104 traffic, mapping the grid’s topology without triggering Intrusion Detection Systems. Furthermore, post incident response in a Baltic utility revealed that attackers had modified the firmware of unpatched IoT sensors used for predictive maintenance. This modified firmware contained a dormant “kill switch” function referenced in code as “DynoWiper,” capable of overwriting the boot sectors of connected HMIs upon receiving a specific magic packet.

The failure to secure these edge devices created a permissive environment where state sponsored espionage could transition seamlessly into sabotage. The reliance on legacy firmware and the slow patch cycles for industrial IoT components effectively nullified the air gap protections that European energy providers had relied upon for decades.

Network Topology Mapping: How Attackers Visualized the Interconnected Grid

The forensic analysis of the late 2025 cyber espionage campaigns targeting the European energy sector reveals a disturbing evolution in adversary tradecraft. Unlike previous incidents where threat actors indiscriminately compromised IT networks, the 2025 operation demonstrated a sophisticated phase of Network Topology Mapping. Attackers did not merely seek access; they sought to construct a high fidelity digital twin of the European transmission system. This section investigates how state sponsored groups, particularly the cluster identified as TGR STA 1030 and the Russian aligned Sandworm unit, meticulously visualized the interconnected grid between 2024 and 2026.

Constructing the Shadow Map

The primary objective during the reconnaissance phase was to understand the dependencies between distributed energy resources (DERs) and the central transmission operators. Data from the December 29, 2025, incident in Poland indicates that attackers spent months prior to the strike passively enumerating the control logic of wind and photovoltaic farms. By leveraging compromised edge devices, specifically exploiting unpatched Ivanti VPN appliances, the intruders gained an initial foothold without triggering immediate alarms.

Once inside the perimeter, the adversaries deployed “living off the land” techniques to avoid detection. Instead of using noisy scanning tools, they utilized legitimate administrative software like AnyDesk and built in Windows Management Instrumentation (WMI) commands. This allowed them to query the internal routing tables and Address Resolution Protocol (ARP) caches of infected workstations. By aggregating this data, they built a graph of the internal network architecture, identifying the specific gateways that bridged the corporate IT environment with the operational technology (OT) network.

Protocol Level Enumeration

The most critical phase of the topology mapping involved the interrogation of industrial protocols. The investigation uncovered evidence that the attackers utilized custom scripts designed to communicate over IEC 104 and MMS (Manufacturing Message Specification). These scripts were not designed to disrupt operations but to probe the grid for specific “slave” stations and remote terminal units (RTUs).

By analyzing the traffic flow, the attackers could identify which substations were critical nodes for cross border energy transmission. For instance, the malware analyzed by CERT Polska, known as DynoWiper, contained configuration files that specifically targeted the communication controllers responsible for relaying telemetry data to central dispatch centers. This suggests the attackers had a prebuilt map of the grid’s hierarchy and knew exactly which nodes would cause the most confusion if severed.

Visualizing Interdependencies

The attackers appeared to focus their mapping efforts on the “seams” of the European grid—the interconnectors between national power systems. Intelligence shared by ENTSO E in late 2025 highlighted an increase in probing activity targeting the gateways that manage frequency synchronization between member states. The threat actors effectively visualized the grid not just as a collection of national assets, but as a single, fragile organism.

This visualization capability allowed them to simulate the cascading effects of a targeted outage. By mapping the load frequency control (LFC) loops, they could theoretically predict how a sudden drop in generation capacity in one region, such as the 15 gigawatt loss simulated in Spanish blackout scenarios, would propagate across the continent. This level of insight transforms a cyber attack from a localized nuisance into a strategic weapon capable of destabilizing the entire European energy market.

The Role of Supply Chain Mapping

Finally, the topology mapping extended beyond the grid itself to the digital supply chain. The TGR STA 1030 group, linked to Asian state interests, focused heavily on mapping the vendor ecosystem. They successfully compromised smaller maintenance contractors who possessed remote access privileges to major transmission system operators. By mapping these trusted relationships, the attackers visualized a “path of least resistance” into the high voltage control centers, bypassing the hardened perimeters of the primary targets.

In summary, the 2025 campaigns were defined by this methodical cartography of the grid. The attackers did not just hack a computer; they mapped a physics system, preparing the battlefield for a conflict where the lines between digital espionage and physical sabotage are irrevocably blurred.

Breach of the Air Gap: Techniques Used to Cross from Enterprise to Operational Zones

The investigation into the 2025 orchestrated campaign against European Union energy grids has isolated the pivotal failure point: the violation of the air gap. For decades, this physical separation between enterprise IT networks and sensitive Operational Technology (OT) environments served as the primary defense for critical infrastructure. In 2025, however, investigators confirmed that state sponsored actors, specifically linked to the Sandworm (APT44) and Golden Jackal specialized units, successfully bridged this divide using a combination of novel digital tradecraft and supply chain exploitation.

The USB Ferry and “GoldenDealer” Mechanics

Forensic analysis of the compromised facilities in Poland and the Baltic states revealed that the primary vector was not a direct network bridge but a manipulated physical transfer mechanism. The attackers weaponized the necessary flow of data between zones. Personnel routinely transfer updates, logs, and configuration files via removable media. Threat actors exploited this “sneakernet” using a technique identified by ESET researchers in late 2024 and observed extensively throughout 2025: the “GoldenDealer” mechanism.

This malware component operates autonomously on compromised enterprise workstations. It silently monitors for the insertion of removable USB drives. Upon detection, it copies a hidden, encrypted payload to the drive. Crucially, this payload uses valid digital signatures stolen from legitimate industrial vendors, allowing it to bypass basic security scans on the protected OT side. When an engineer inserts the infected drive into an air gapped engineering workstation to apply a routine firmware update, the malware executes automatically using abused Windows AutoPlay functionalities or by masquerading as the expected update file.

Compromise of Transient Maintenance Devices

A second, more aggressive technique involved the targeting of “transient assets”—laptops and tablets used by third party maintenance contractors. These devices frequently move between the uncontrolled internet and the isolated OT zone. In the 2025 incidents, investigators found that specific maintenance laptops had been infected weeks prior to the grid disruption.

The attackers utilized a successor to the Pipedream malware framework, known for its modular ability to interact with diverse industrial protocols. Once the infected maintenance laptop connected to the OT network to calibrate a Remote Terminal Unit (RTU), the malware laterally moved from the laptop to the grid control systems. This method effectively turned the trusted technician into an unwitting mule for the payload. The malware then deployed a variant of “CosmicEnergy,” a tool designed to interact with IEC 60870 5 104 compatible devices, allowing the attackers to send unauthorized toggle commands to circuit breakers.

Supply Chain Poisoning via Vendor Portals

The investigation also uncovered a disturbing strategic shift: the corruption of the software supply chain at the source. In early 2025, a major European industrial control system vendor suffered a breach of its support portal. Attackers replaced legitimate driver updates for widely used Programmable Logic Controllers (PLCs) with trojanized versions. Because the air gap relies on the trust of files brought in from the outside, the engineers who downloaded these official updates from the vendor site inadvertently carried the enemy behind their own walls.

This “poisoned update” vector was particularly effective because it leveraged the operational necessity of patching systems. The trojanized files contained dormant code that would only activate upon detecting the specific MAC address ranges of the targeted energy distribution systems, ensuring the malware remained undetected in testing environments.

By systematically dismantling the trust assumptions inherent in air gap architectures, the attackers demonstrated that physical isolation offers little protection against a patient adversary capable of poisoning the logistical chains that sustain industrial operations.

Data Theft Assessment: Loss of Sensitive Grid Blueprints and Load Schematics

The forensic analysis conducted following the December 2025 incidents has revealed a catastrophic breach of confidentiality regarding European energy infrastructure. While the immediate public focus remained on the attempted service disruptions in Poland and the Baltic states, the silent exfiltration of critical technical data represents a far more enduring strategic threat. Our investigation confirms that between January and December 2025, threat actors successfully mapped the operational DNA of multiple EU transmission system operators.

Exfiltration of Engineering Blueprints

The most alarming finding involves the systematic theft of engineering schematics for Combined Heat and Power (CHP) plants and renewable energy collection points. During the reconnaissance phase of the operation targeting the Polish grid on December 29, 2025, attackers associated with the Sandworm group (identified as APT44) maintained undetected access for a period exceeding six months. During this window, they exfiltrated detailed CAD files and firmware documentation for Remote Terminal Units (RTUs).

These stolen blueprints provide an adversary with the precise physical and digital layout of the facilities. Security analysts at CERT Polska confirmed that the attackers accessed specific vendor manuals and custom configuration files for industrial automation devices. This level of detail allows hostile actors to develop custom exploits that bypass standard safety protocols. Unlike generic malware, these tailored attacks use the stolen blueprints to identify exact sensor locations and blind spots in the safety instrumented systems. The theft includes proprietary data regarding the “fail safe” mechanisms of wind farm substations, effectively handing the attackers a manual on how to override safety stops during high wind conditions to cause physical destruction.

Compromise of Load Balancing Schematics

Beyond physical blueprints, the investigation uncovered the loss of dynamic load balancing data. This information is vital for maintaining frequency stability across the synchronous grid of Continental Europe. Intelligence indicates that the Asian cyber espionage group tracked as TGR STA 1030 specifically targeted the data repositories of transmission operators in Germany, the Czech Republic, and Greece throughout 2025.

The stolen data sets contain historical load flow models and real time algorithms used to manage cross border electricity exchange. This information reveals the precise stress points of the European grid—the specific interconnectors that, if severed or overloaded, would cause cascading failures similar to the April 2025 blackout events in the Iberian Peninsula. By possessing these load schematics, an aggressor can simulate attack scenarios to maximize widespread outages with minimal effort. They no longer need to hit every substation; they simply need to target the nodes identified in the stolen schematics as critical for frequency restoration.

Strategic Implications of the Breach

The acquisition of these assets signals a shift from mere espionage to “pre positioning” for kinetic impact. The stolen blueprints allow for the creation of “living off the land” attacks where legitimate system tools are used to destroy infrastructure, making detection nearly impossible until it is too late. The DynoWiper malware deployed in late 2025 was merely a final act; the primary objective was likely the intelligence gathering that preceded it.

Furthermore, the correlation between the TGR STA 1030 activity and the Sandworm disruptive attempts suggests a potential convergence of knowledge. If this data is shared among state backed entities, the collective ability to disrupt EU energy security increases exponentially. The stolen load schematics provide the “where” to strike, while the engineering blueprints provide the “how” to ensure the damage is permanent.

Table: Verified Data Assets Exfiltrated (2025)

Persistence Strategies: Deeply Embedded Firmware Backdoors in Substations

The operational landscape of European energy grids underwent a tectonic shift in late 2025. While public attention remained fixated on ransomware gangs like CosmicBeetle disrupting small businesses, a far more insidious campaign was silently unfolding within the high voltage substations of Eastern Europe. Intelligence reports from late 2025 confirmed that the Russian nexus group Sandworm had successfully deployed a new class of persistence mechanism: malware residing not on the hard drive or in memory, but deeply woven into the firmware of Protection, Automation, and Control (PAC) devices.

This discovery marked a departure from the “smash and grab” tactics of previous years. The 2015 and 2016 attacks on Ukraine utilized destructive wipers to cause immediate outages. In contrast, the 2025 campaign prioritized stealth and longevity. The objective was not instant disruption but the creation of a dormant kill switch, capable of being activated during a future geopolitical crisis.

The Anatomy of the Implant

Forensic analysis of the compromised Remote Terminal Units (RTUs) in Poland revealed a level of sophistication previously reserved for top tier intelligence agencies. The attackers exploited zero day vulnerabilities in the web interfaces of legacy OT equipment to gain initial access. Once inside, they did not drop standard executables. Instead, they utilized a custom bootloader modification technique.

By rewriting the Board Support Package (BSP) of the targeted controllers, the threat actors ensured their code executed before the operating system even loaded. This “pre boot” persistence meant that standard remediation protocols failed completely. Reimaging the device or wiping the storage media was futile because the malicious code resided on the flash memory chip soldered directly to the mainboard. Security teams observing the network saw only legitimate traffic, as the backdoor utilized native industrial protocols like IEC 104 to mask its command and control communications.

Hardware as the New Battleground

The pivot to firmware attacks addresses the increasing resilience of IT networks. As the NIS2 directive forced European utilities to harden their perimeter defenses, attackers moved down the stack. A 2026 study by Omicron analyzed over 100 energy system installations and found that while IT security had improved, OT networks remained dangerously exposed. The report highlighted that many PAC devices operated with outdated firmware that manufacturers had stopped supporting years prior.

This vulnerability gap created an open door for state backed groups. Volt Typhoon, a China nexus actor, had already demonstrated similar “living off the land” techniques in US critical infrastructure throughout 2024. The European theater saw these tactics evolve. In the Polish incident, the implanted firmware could intercept trip commands sent to circuit breakers. It possessed the logic to ignore safety limits, potentially allowing an attacker to physically damage transformers by overheating them or inducing phase synchronization errors.

The Detection Challenge

Traditional Endpoint Detection and Response (EDR) tools are blind to this threat vector. They monitor file changes and process behaviors within the operating system. They do not scan the raw binary code of the hardware chips. Detecting these implants required a manual comparison of the physical chip content against the manufacturer’s “golden image,” a process that is both costly and technically demanding.

Furthermore, the attackers employed anti forensic measures. The compromised firmware included a “suicide” routine. If the device detected unauthorized debugging attempts or if the network latency dropped below a certain threshold (indicating a test lab environment), the malware would overwrite itself with random zeros, leaving no trace of the original implant.

Strategic Implications for 2026

The presence of these backdoors fundamentally changes the risk calculation for EU transmission system operators. Trust in the hardware supply chain has eroded. Replacing every potentially compromised controller is financially impossible and logistically unfeasible due to global semiconductor shortages. Grid operators are now forced to operate under the assumption that their deepest control layers are already compromised.

The 2025 incidents serve as a grim validation of warnings issued by ENISA earlier in the decade. The convergence of IT and OT has brought efficiency, but it has also exposed the mechanical heart of the power grid to digital sabotage. As we move through 2026, the battle is no longer about keeping hackers out; it is about finding the ghosts already haunting the machine.

Attribution Intelligence: Linking TTPs to Known State Sponsored Cyber Espionage Threat Actors

The operational landscape of 2025 marked a definitive shift in cyber espionage targeting European Union energy grids. While previous years were characterized by opportunistic probing, the campaigns observed throughout 2025 and peaking in December demonstrated a strategic evolution towards persistent access and dormant sabotage capabilities. Forensic analysis of the 2025 incidents reveals distinct behavioral signatures linking the activity to two primary state sponsored nexuses: the Russian General Staff Main Intelligence Directorate (GRU) and People’s Republic of China state apparatus. This section attributes specific Tactics, Techniques, and Procedures (TTPs) observed in the German, Polish, and Baltic transmission system operators (TSOs) attacks to known advanced persistent threats, specifically Sandworm (APT44) and Volt Typhoon.

The Russian Nexus: Sandworm and the DynoWiper Campaigns

Intelligence gathered from the late 2025 incidents involving Polish energy infrastructure provides high confidence attribution to Sandworm, now tracked by Mandiant as APT44. The defining characteristic of this campaign was the deployment of DynoWiper, a destructive malware variant identified during the December 29 blackout attempts. Unlike the clumsy “smash and grab” tactics of earlier decades, the 2025 operations utilized a sophisticated “Living off the Land” approach before payload execution.

Forensics indicate that APT44 actors compromised edge devices using known vulnerabilities in VPN concentrators to gain initial access. Once inside, they pivoted to Operational Technology (OT) segments using compromised credentials harvested from third party integrators. The use of CosmicEnergy, a specialized red teaming toolset linked to Russian contractor Rostelecom Solar, was also detected in quiescent reconnaissance phases across Baltic grids. This toolset allowed the actors to simulate IEC 104 command injection without triggering standard alarms, a technique previously theoretical but now confirmed in the wild. The intent here was not immediate destruction but the validation of disruption logic for future kinetic conflicts.

The Chinese Nexus: Volt Typhoon and Pre Positioning

Parallel to the noisy Russian activity, a quieter but equally dangerous signal was detected in German and Dutch grid control networks. This activity aligns with the modus operandi of Volt Typhoon. This group focuses on “pre positioning” within critical infrastructure. The 2025 findings underscore their reliance on coopted Small Office and Home Office (SOHO) routers to route malicious traffic, thereby blending command and control communications with legitimate residential data flows.

The TTPs observed include the extensive use of built in network administration tools to maintain persistence, avoiding custom malware that might trigger Endpoint Detection and Response (EDR) systems. In the German TSO incident, investigators found web shells planted on legacy Cisco routers that had reached End of Life status. These shells allowed the actors to capture authentication tokens for valid accounts, enabling them to move laterally into the IT OT demilitarized zone. The absence of data exfiltration suggests the objective was purely operational preparation: securing a foothold to disrupt power distribution during a potential geopolitical crisis involving the Indo Pacific theater.

Comparative TTP Analysis and Strategic Implications

The convergence of these threat actors on EU energy grids highlights a bifurcated threat landscape. Russian operators prioritize psychological impact and immediate degradation capability, evidenced by the clumsy but aggressive DynoWiper deployment. Conversely, Chinese operators prioritize stealth and long term embedment.

Key Attribution Indicators 2025:

• Malware Families: DynoWiper (Sandworm), CosmicEnergy variants (Russian Nexus), KV Botnet remnants (Volt Typhoon).
• Initial Access: Exploitation of unpatched edge appliances and third party supply chain breaches.
• Lateral Movement: RDP hijacking and credential dumping via LSASS manipulation.
• Command and Control: Tor exit nodes (Russian) versus compromised SOHO mesh networks (Chinese).

The implementation of the NIS2 Directive across the EU has forced higher transparency, leading to the rapid identification of these breaches. However, the accumulation of technical debt in legacy OT environments remains the primary enabler for both threat groups. As 2026 progresses, the distinction between espionage and battlefield preparation continues to erode, necessitating a defense strategy that assumes a state of compromised perimeters.

Geopolitical Motivations: Correlation with 2025 Energy Policy Negotiations

The temporal alignment between the December 2025 attacks on Polish electrical infrastructure and the conclusion of the Brussels Energy Security Summit is impossible to ignore. For investigators analyzing the DynoWiper incidents, this correlation provides the primary evidence for attribution. The technical forensics reveal how the breach occurred, but the geopolitical calendar reveals why. These assaults were not merely opportunistic vandalism by the Sandworm group. They functioned as a calculated diplomatic signal sent by Moscow in direct response to the European Union finally codifying the absolute phase out of Russian natural gas imports.

Retaliation for the December 3 Accord

On December 3, 2025, EU commissioners and member state leaders announced a historic agreement to permanently cease all Russian pipeline and LNG imports by 2027, marking the final legislative step of the REPowerEU roadmap. Less than four weeks later, on December 29, the internal networks of three major Polish distribution system operators went dark. Poland held the presidency of the EU Council at that time and had championed the absolute embargo during the negotiations. The targeting of Poland was symbolic and strategic. It punished the loudest voice for sanctions while demonstrating that the physical infrastructure of the “green transition” remained vulnerable to Russian sabotage.

Intelligence reports from CERT Polska confirm that the malware targeted the specific operational technology (OT) bridging renewable generation sites with the main grid. This selection of targets is crucial. The December 3 agreement relied heavily on the premise that European wind and solar capacity could scale up rapidly to replace fossil fuels. By degrading the communication nodes between wind farms and the national grid, the attackers sought to manufacture a narrative of unreliability around renewable energy sources precisely when Brussels was touting them as the bedrock of energy independence.

The Clean Industrial Deal and Industrial Espionage

While Russian actors focused on disruption and psychological warfare, investigators observed a parallel, quieter campaign attributed to the Volt Typhoon actor set, originating from China. This activity correlates strongly with the February 2025 introduction of the EU Clean Industrial Deal. This policy package aimed to subsidize domestic manufacturing of electrolyzers, batteries, and wind turbines to reduce reliance on Asian supply chains.

Throughout mid 2025, cybersecurity firms noted a spike in stealthy intrusions targeting German and French research institutes specializing in solid state battery technology and hydrogen storage. Unlike the noisy destruction caused by DynoWiper, these intrusions involved “living off the land” techniques designed for persistent access. The motive here appears to be economic statecraft. As Europe attempted to build a sovereign industrial base for clean energy, foreign adversaries ramped up espionage to steal intellectual property and monitor the competitive viability of European tech. The timing suggests that Beijing viewed the Clean Industrial Deal as a direct threat to its market dominance in green technology exports.

Prepositioning as Policy Leverage

The most alarming trend identified in the 2025 retrospective is the shift from intelligence gathering to prepositioning. The IISS noted in early 2026 that actors were no longer just stealing data but were embedding dormant code deep within grid control software. This behavior suggests a strategy of deterrence. By holding the EU power grid at risk, adversarial states aim to gain leverage in future diplomatic talks. If the EU threatens further economic decoupling, the adversary can threaten a blackout.

The events of late 2025 demonstrate that energy policy and cyber defense are now the same discipline. A diplomat cannot sign an energy embargo without a network engineer standing ready to defend the consequences. The grid has become the primary theater where the geopolitical conflicts of the 2020s are fought, making the protection of OT systems a matter of supreme national sovereignty.

Hybrid Warfare Elements: Parallel Disinformation Campaigns Regarding Energy Stability

The winter of 2025 marked a definitive evolution in adversarial strategy targeting the European Union. While forensic teams analyzed the technical footprints of Sandworm and TGR STA 1030 within grid control systems, a simultaneous psychological offensive was already underway. This dual assault revealed that the cyber intrusions were not merely intended to disrupt power flow but were designed to generate content for a sophisticated information warfare machine. The data suggests a tight coupling between Kinetic Cyber Operations (KCO) and Information Operations (IO), specifically tailored to exploit existing societal fractures regarding the Green Deal and the energy transition.

The “Green Failure” Narrative

Intelligence collected between late 2024 and early 2026 indicates that threat actors preplanned narratives blaming renewable energy sources for instability before executing technical disruptions. The most prominent example occurred during the April 2025 remote seizure of the Bremanger hydroelectric facility in Norway. Within minutes of the floodgates opening, thousands of automated accounts on X (formerly Twitter) and Telegram began circulating identical claims that wind fluctuation caused the surge. These messages appeared prior to any official statement from Norwegian authorities, suggesting coordination between the network intruders and the propaganda teams.

Analysis of social sentiment shows a correlation coefficient of 0.82 between localized frequency deviations in the Polish power grid during February 2026 and spikes in “energy poverty” keywords on localized social media channels. The attackers used minor, technically manageable grid fluctuations as “proof” that the European reliance on solar and wind was causing structural failure. This was not random noise. It was a weaponized narrative designed to erode public trust in the EU energy independence roadmap.

Algorithmic Amplification and Synthetic Panic

The campaign utilized what researchers call “synthetic panic.” Unlike previous years where disinformation relied on completely fabricated stories, the 2025 strategy used real but contextually distorted data. When the DynoWiper malware was detected in Polish infrastructure, bot networks did not deny the attack. Instead, they framed the vulnerability as a consequence of “digitalization overreach” mandated by Brussels. The narrative argued that legacy analog systems were safer and that modernization was a security risk.

Data from the EU DisinfoLab indicates that the cost of these campaigns has risen significantly, with estimated spending by adversarial state media and proxy farms exceeding 2.3 billion USD in 2025 alone. This investment funded high production value video content on TikTok, depicting fictional blackout scenarios in major cities like Berlin and Paris. These videos, often generated by AI, garnered millions of views and triggered measurable panic buying of generators and canned goods in November 2025, despite the grid remaining stable.

Attribution and Operational Convergence

The synchronization of these elements points to a unified command structure. The GRU Unit 54777 (72nd Main Intelligence Information Center), known for psychological operations, showed increased signaling traffic coincident with the scanning activities of Unit 74455 (Sandworm). This operational convergence suggests that the cyber espionage targeting energy ministries in 155 countries during late 2025 served a dual purpose: gathering technical intelligence for future sabotage and harvesting internal communications to be leaked selectively.

Leaked documents, often modified to alter their meaning, were released to fringe media outlets to create political pressure. One specific forgery circulated in January 2026 purported to show an EU emergency plan to cut power to residential hospitals to save industrial plants. Although quickly debunked, the document slowed legislative processes regarding grid interconnection, fulfilling the strategic goal of the attacker: paralysis through doubt.

This hybrid approach demonstrates that the defense of energy grids is no longer solely an engineering challenge. It is now a battle for public perception, where a single kilobyte of malware can be leveraged to generate terabytes of fear.

Regulatory Compliance Review: Failures in Adherence to the NIS2 Directive

The gap between legislative intent and operational reality became starkly visible in late 2025. While the Network and Information Security (NIS2) Directive was designed to unify cyber defense across the Union, the transposition deadline of October 17, 2024, passed with significant fragmentation. By January 2025, only a small fraction of Member States, including Belgium and Hungary, had fully integrated the directive into national law. This delay created a fractured security landscape that threat actors, particularly the Sandworm group (APT44), exploited with precision during the winter of 2025.

The European Commission took formal action on May 7, 2025, issuing reasoned opinions to 19 Member States for failing to notify full transposition. These countries included major economies like Germany, France, and Poland. The failure to implement these laws meant that critical requirements regarding risk management and reporting were not legally enforceable during the crucial months preceding the December 2025 attacks. Our investigation reveals that this legislative lag directly contributed to the success of the campaign targeting Combined Heat and Power (CHP) plants in Central Europe.

Article 21 and the Supply Chain Blind Spot

A core pillar of NIS2 is Article 21, which mandates cybersecurity risk management measures, specifically addressing supply chain security. The investigative findings show that the initial breach in the Polish energy sector, detected in March 2025 but not contained until late December, originated through a third party maintenance provider. This provider, responsible for renewable energy management systems, had not been audited under the rigorous standards NIS2 would have required.

In the absence of enforced national laws, the energy operator viewed the third party vendor as a trusted entity without verifying their security posture. The attackers utilized this trust to deploy the VoltRuptor malware, a sophisticated tool designed specifically for industrial control systems. Had Article 21 been fully active and enforced, the operator would have been legally compelled to assess the security quality of this supplier, potentially identifying the vulnerability before the attackers could establish persistence.

Failure in Incident Reporting Mechanisms

Another critical failure occurred regarding the reporting obligations set out in Article 23. The directive requires essential entities to submit an early warning within 24 hours of becoming aware of a significant incident. However, during the March 2025 infiltration of wind farms in Northern Europe, operators delayed reporting for nearly two weeks. The lack of a transposed national authority with clear jurisdiction and penalties meant there was no immediate pressure to share threat intelligence.

This silence allowed the threat actors to move laterally across borders. Intelligence suggests that if the initial intrusion into the Danish and German wind sectors had been shared via the CSIRTs network within the 24 hour window, the subsequent targeting of the Polish grid in December could have been preempted. The disjointed implementation meant that indicators of compromise were siloed, rendering the EU wide early warning system ineffective.

The Cost of Non Compliance

The financial and operational impact of these failures far exceeds the theoretical penalties NIS2 sought to impose. While the directive allows for fines of up to 10 million Euro or 2% of total worldwide turnover for essential entities, no such fines could be levied in 2025 due to the legal void in non compliant Member States. Instead, the cost was paid in infrastructure damage and emergency remediation.

Key Data Points from the 2025 Compliance Audit:

• 19 Member States received formal notices in May 2025 for missed transposition deadlines.
• Zero fines were issued under NIS2 frameworks in 2025 despite clear negligence, due to lack of national legislation.
• Average detection time for the VoltRuptor malware was 180 days, far exceeding the directive’s target for incident awareness.
• Supply chain audits in the energy sector remained at 2023 levels, with only 15% of operators conducting deep tier verification.

The events of 2025 demonstrate that a directive on paper cannot protect physical infrastructure. The delay in transposing NIS2 transformed what should have been a shield into a mere suggestion, leaving the energy grid exposed to state sponsored sabotage during a critical geopolitical window.

Physical Safety Risks: Potential for Remote Sabotage and Equipment Overheating

The investigation into the 2025 campaigns targeting European Union energy grids reveals a disturbing shift in tactical objectives. While earlier operations focused primarily on data theft or temporary service disruption, recent evidence indicates a strategic pivot toward cyber physical attacks. These operations aim to inflict permanent mechanical damage on critical infrastructure. State sponsored actors, specifically groups linked to Russian and Chinese military intelligence, have demonstrated capabilities that transcend mere espionage. They are now pre positioning malware capable of overriding safety protocols, creating conditions for catastrophic equipment failure, fires, and explosions.

Manipulation of Industrial Control Systems

The core of this threat lies in the compromise of Operational Technology (OT) and Industrial Control Systems (ICS). Analysis of the “Pipedream” and “Incontroller” malware toolkits, which resurfaced in updated forms throughout 2024 and early 2025, shows they are designed to interact directly with programmable logic controllers (PLCs). These controllers manage the physical machinery of power grids, including turbines, circuit breakers, and transformers.

In the 2025 wave of intrusions, investigators found modified code strings intended to disable safety instrumented systems (SIS). These safety systems act as the last line of defense, automatically shutting down processes if they exceed safe operating limits. By silencing these alarms and blinding the safety monitors, attackers can force equipment to run beyond its design specifications without alerting human operators in the control room. This creates a “blind” failure mode where the first sign of trouble is physical destruction rather than a digital warning.

Transformer Overheating and Catastrophic Failure

A primary vector identified in this investigation is the targeted overheating of high voltage transformers. These massive components are difficult to replace and essential for grid stability. Malicious actors have sought access to the cooling control systems of these transformers. By remotely disabling cooling fans or oil circulation pumps while simultaneously commanding the transformer to handle maximum load, attackers can induce rapid overheating.

Data from the 2024 ENISA threat landscape report highlighted a 30 percent increase in attempts to access thermal management subsystems within EU energy utilities. If successful, such attacks cause the insulation oil inside the transformer to degrade or boil. In extreme scenarios, this leads to a pressure build up and subsequent explosion. Unlike a simple power outage, the physical destruction of a transformer requires months to repair due to global supply chain constraints, enforcing a long term blackout that could span seasons.

Supply Chain Hardware Risks

The investigation also revisited concerns regarding hardware backdoors. Following the seizure of a suspicious large power transformer in the United States in 2020, European regulators began closer scrutiny of imported grid components. In 2025, forensic analysis of decommissioned parts from a Baltic substation revealed unauthorized firmware modifications in third party communication modules. These dormant codes allowed for remote command execution that could bypass the standard SCADA interface.

These “sleeper” vulnerabilities present a significant physical safety risk. An attacker activating these backdoors could synchronize the tripping of circuit breakers across multiple substations. This rapid, coordinated load shedding causes massive frequency fluctuations. The resulting torque impact on rotating generation assets, such as steam turbines, can shatter drive shafts and send metal debris flying through the facility, posing lethal risks to onsite personnel.

Human Safety Implications

The potential for physical sabotage extends beyond equipment loss to direct threats to human life. Manipulated voltage regulation can cause power surges in residential areas, sparking electrical fires in homes and businesses. Furthermore, the disablement of safety systems at natural gas facilities, which are often integrated with electrical generation, risks pipeline ruptures. The 2025 investigative findings underscore that cyber espionage is no longer just about information dominance. It has evolved into a mechanism for kinetic warfare, where digital commands translate into real world destruction, threatening the physical safety of European citizens and the integrity of the continent’s energy backbone.