Cyber Threat Actor: Electrum
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
1 incident |
|---|
Profile
Electrum is an alias used for a Russia‑linked threat group that is also tracked under the names Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly, and is publicly associated with the Sandworm activity set. The group has been observed conducting cyber operations that focus on disruptive effects rather than financial gain or espionage, as evidenced by its use of wiper malware and deliberate corruption of industrial control system components. Attribution to a Russian state‑nexi is based on public analysis linking the observed tactics, techniques, and procedures to previously documented Russian‑origin actors.
In the incident dated 2025‑12‑29, Electrum exploited internet‑exposed FortiGate VPN devices that were protected only by default credentials and lacked multi‑factor authentication to gain initial access to Polish renewable energy facilities. After establishing a foothold, the actors moved into the operational technology network, where they corrupted firmware, deleted files, and reset remote terminal units, protection relays, human‑machine interfaces, and serial device servers from vendors such as Hitachi Energy, Mikronika, and Moxa, thereby disrupting communication with operators while leaving electricity generation intact. Concurrently, the group deployed the wiper malware families DynoWiper and LazyWiper on Windows hosts within the targeted environment, although endpoint detection and response tools limited the malware’s overall impact. Similar destructive attempts were observed against a heat‑and‑power plant and a manufacturing firm during the same operation, indicating a broader intent to impair critical infrastructure functionality.
The Poland‑based campaign represents a notable public example of Electrum’s operational pattern, highlighting reliance on readily exploitable misconfigurations rather than zero‑day vulnerabilities and demonstrating a preference for tools that cause direct disruption to industrial processes. The group’s association with the Sandworm umbrella further situates it within a larger set of Russian‑linked actors known for conducting destructive cyber attacks against energy and industrial sectors. This profile reflects only the facts explicitly provided in the source material, without speculation on unconfirmed attributes such as group size, funding, or broader strategic goals beyond those demonstrated in the observed activity.
