Risky Bulletin – Between Two Nerds: The Internal Logic of Russian Power Grid Attacks
Host: Tom Uren
Guest: The Grugq (“Gruk”)
Release Date: February 2, 2026
Overview
This episode dives into the latest Dragos report on cyber attacks targeting Polish electrical infrastructure, allegedly by Russian state-affiliated actors. Tom Uren and The Grugq explore the motivations, implications, and internal logic behind these attacks, situating them within the context of the ongoing Ukraine conflict and Russian cyber operations. Discussion centers on attribution debates, evolving grid security, and how internal Russian politics may drive operational choices more than strategic or military goals.
Key Discussion Points & Insights
1. Context: Russian Cyber Attacks on Poland’s Power Grid
- Quiet week disrupted by big news: Dragos released a report detailing attempted Russian disruptions of Polish electrical infrastructure, attributed to the Sandworm group (00:34).
- Poland’s Role: As a major logistics hub for Ukraine, Poland has become a logical target for Russian sabotage efforts, escalating from physical to cyber attacks (01:59).
- Membership in NATO: Targeting Poland is especially provocative, given its large army and historical animosity towards Russia (02:50).
2. Attribution Confusion: Sandworm or Berserk Bear? (03:21–06:05)
- Multiple reports, multiple attributions: ESET and Dragos attribute the attacks to Sandworm (Electrum), whereas CERT Poland points to Berserk Bear (aka Ghost Blizzard/GhostBear), tied to Russia’s SVR agency.
- Different methods, different results: The attributions differ because each team analyzed different evidence: malware artifacts on the one hand, versus the infrastructure used to obtain initial access on the other.
- Quote:
"CERT Polska...have a slightly different attribution, which is to a group called Berserk Bear... that's SVR and that's based on the infrastructure used to obtain access." – Tom (04:22)
3. Technical Challenges: Distributed Grids and Defensive Improvements (06:05–10:41)
- Distributed renewables complicate attack: With 30 different, distinct targets (each with unique systems), attackers couldn’t easily create or deploy a universal wiper (06:40).
- Defensive hardening cycle: Past attacks on Ukraine’s agricultural sector increased cyber resilience—each wave of attacks pushes defenders to improve (09:58).
- Quote:
"The more you attack [the infrastructure], the better it gets, the more resilient it gets." – Tom (10:41)
4. Strategic vs. Internal Motivations (10:41–21:48)
- Lack of military logic?: No indication that the attack was intended to disrupt military logistics; the intent seems to be general electrical disruption (07:11).
- Missed timing for military advantage: Such attacks could be valuable only if timed with coordinated military offensives (07:31–08:27).
- Attacks as “strength training” for adversaries: Every failed or visible attack triggers hardening—sometimes strengthening the opponent (11:01).
- Political logic for timing: Multiple major Russian cyber attacks (including previous attacks on Ukraine and telecoms) tend to occur before the Russian financial year ends (December 31), suggesting internal political or bureaucratic motivations (14:54–16:18).
- Quote:
"The hypothesis here is that there's internal reporting metrics where disruptive attacks look good and they're whipped up with relatively little preparation... because of that reporting cycle rather than well-planned, orchestrated, timed operations." – Tom (17:21)
5. Russian Management Cultures & Internal Pressures (17:52–24:22)
- Espionage vs. destruction: Destructive cyber ops offer little real value compared to bombs for the military, and detract from the intelligence-collection mission (17:52).
- Internal reporting as a driver: Operations may be conducted more to satisfy internal political/bureaucratic metrics than to achieve significant military goals (19:04–19:55).
- Ad-hoc or personal initiatives: Some sabotage ops are the brainchild of individuals rather than strategic, top-down programs—sometimes with a “mom-and-pop” feel (22:52).
- Accepted “level of mayhem”: There's a possible threshold of tolerated/expected sabotage (cyber or otherwise) in Poland, blurring lines between authorized and “rogue” activity (23:38–24:22).
6. Level of Impact and Polish Response (24:22–32:33)
- Limited effect = limited escalation risk: Even if attacks succeeded, disruptions would likely be local and temporary—insufficient to trigger serious military response from Poland or NATO (24:41–25:13).
- Opportunism, not grand strategy: Dragos sees the attack as opportunistic, exploiting default configurations and weak security, motivated by internal goals rather than battlefield needs (25:13; 26:01–26:06).
- Quote:
"If this was motivated by a military strategy, it was a complete failure... if you said to the military, don't worry, we'll make sure that all of that electricity is out when you need it... it didn't achieve what they set out to do." – Tom & Grugq (28:41–29:03)
- Spinning failures as successes: The attack generated headlines, reached the Polish Prime Minister, and could be touted internally as an information win (29:58–30:27):
"It was briefed by Poland's Prime Minister... We didn't actually impact him, but, you know, he talked about it." – Tom (29:58)
"Look at all the reporting... this is causing panic across the West." – Grugq (30:27)
- Key difference in Western vs. Russian assessment: In Western agencies, high-profile failed attacks are a negative; for Russia, causing alarm is an end in itself, fitting into the broader doctrine of information warfare (31:02–32:17).
- Conclusion: Russia is driven by “Key Expected Results,” but those results may focus on internal political optics and psychological disruption, not necessarily on physical effects (32:17–32:33).
Notable Quotes & Memorable Moments
- On attribution ambiguity:
"A bear is a bear is a bear, right?" – Grugq (05:13)
- On why attacks may not be well-planned:
"If it had been well planned, it would be calibrated to be at the level of annoyance..." – Tom (25:01)
"It would be part of Russia's hybrid war in the gray zone, as opposed to tanks over the border." – Grugq (25:01–25:10)
- On easy exploits in OT environments:
"It was too easy. I would have been suspicious. I would have been like, wait, they left the remote root default configuration? No way. No, no, no. This is like, this is some sort of trap." – Grugq (26:06)
- On internal politics vs. external logic:
"Our contention is that the driver for this particular attack was probably not some sort of external or strategic move, but rather it was responding to internal stimulus... some sort of internal political target." – Grugq (26:40)
Timestamps for Key Segments
- 00:34 – Introduction to the Dragos report and Russian attack on Polish grid
- 03:21–06:05 – Discussion of attribution & reports from ESET, Dragos, and CERT Poland
- 06:05–10:41 – Challenges of attacking distributed electrical grids, lesson from Ukraine
- 11:01 – Adversaries harden through repeated attacks
- 14:54–16:18 – Internal explanatory logic: end-of-year timing
- 17:21 – Hypothesis: attacks driven by internal metrics, not coordinated strategy
- 19:04 – Value assessment for intelligence vs. destruction
- 22:52 – Unplanned, ad-hoc nature of Russian sabotage units
- 24:22–25:13 – Deliberate limit to escalation in attacks
- 26:01 – Default configurations enabled easy access
- 29:58–30:27 – Polish Prime Minister is briefed, public impact of the attack
- 31:02–32:17 – Russian “key expected results” rationale
- 32:33 – Wrap-up
Summary Table: Attribution Names
| Name | Reported By | Russian Org |
|-----------------|--------------------------|--------------------|
| Sandworm | ESET, Dragos | GRU |
| Electrum | Dragos | Subset? |
| Berserk Bear | CERT Poland, CrowdStrike | SVR |
| Ghost Blizzard | Microsoft | SVR |
Final Thoughts
This episode presents a compelling overview of how Russian cyber operations against European infrastructure are driven not only by strategy but also by bureaucratic pressures and internal metrics, frequently resulting in poorly timed, poorly planned, but highly publicized attacks. As critical infrastructure becomes more distributed and diverse, technical resilience to such attacks increases, while the political and psychological aims behind them remain opaque and subject to speculation.
