
Loading summary
A
Hello, everyone, this is Tom Uren. I'm here with this week's edition of between two Nerds. G', day, Grak. How are you?
B
G', day, Tom. Finding yourself?
A
I'm very well. This week's edition is brought to you by Dropzone. They make AI powered. Well, are they SOC analysts? They're AI powered SOC agents who make your SOC run better by employing advanced analytics automatically. Find them at DropZone AI. So this curious thing happened, Grok, where.
B
It'S been a very quiet week in cyber. No major reports, no.
A
No big escalations, where the Dragos came out with a report. So Dragos is the. I guess they specialize in operational technology, industrial control systems, electrical network security.
B
Yeah. And they produced this report, I guess. Yeah.
A
It appears that the Russian state group, sometimes or often known as Sandworm, has actually attacked Polish electrical infrastructure and appears to have tried to, like, cause power disruptions across Poland. And this just left me with so many questions, mostly about like, why? Why would you do that? Yeah, like, what were you thinking? Now, Poland, just for context, is right next door to Ukraine, so there's a lot of support that goes to Ukraine through Poland. And I mean, in some sense this feels like an escalation, but in another sense, I've heard several times that there have been attempted sabotage operations in Poland dealing with particularly logistics, military logistics, that is providing supplies. Military supplies. So in a way it's like, you know, more of the same.
B
Yeah. So like, Poland is essentially a staging area for the Ukrainian war. Like, there's a lot of, like, military equipment, personnel, you know, huge amounts of logistics, all of that stuff stored sort of just outside the war zone, one border away.
A
Yeah.
B
And that's. That's placed them not exactly in the firing line, but very, very close.
A
Well, I mean, this seems like kind of the firing line, doesn't it? Right.
B
Well, like, what. What I'm getting at is like they, like, they've been very, very close, but Russia seems to have been escalating. Like there's all those drone overflights a while ago, right?
A
Yep.
B
And this seems to fall in line with that. And as you say, like, there's escalating sabotage attacks against logistics targets. You know, like, I don't think we would see this in Portugal.
A
Right.
B
The Russians are not going to just pick a random European country for this. It's. There is a military logic to it in the sense of like, well, you know, they're. They're very, very close, but it's still like, why would you pick a NATO member? The One with the largest army in Europe, who have the deepest historical dislike of Russians. They're very much like, give me an excuse. Come on, give me an.
A
So I'll just jump in here. This is Tom and the Gruk from a couple of days later, after we recorded CERT Poland released a report that had some interesting information, so we thought we'd just jump in to mention it. So this is the fourth report now. So ESET has released two, and I believe they were actually the first, then Dragos and then CERT Poland. And this latest report has some interesting stuff. One of the things it mentions is that it has come up with a different attribution from Eset and Dragos. So both Eset and Dragos said with some degree of confidence, this is like Sandworm. So they didn't. The confidence wasn't super high, but there were a lot of similarities. And I think Dragos used the term, they called it Electrum and they said, this has got a lot of similarities to Sandworm. So they didn't call them the same thing. So fairly careful language. What I thought was interesting is the Cert Polska, they have a slightly different attribution, which is to a group called Berserk Bear, which is the CrowdStrike name, Ghost Blizzard, which is Microsoft, yada, yada, yada. The thing about that group is its svr and that's based on the infrastructure used to obtain access. So I thought it was a really interesting example of groups seeing different things. And I'm guessing that ESET and Dragos saw the malware and analyzed the malware and looked at what had happened, whereas CERT Poland had a bigger picture. I guess now they also admit that the tools themselves, the artifacts, were also similar to Sandworm.
B
So I'm not sure that tooling is, in isolation, could be considered definitive for attribution, just because at this point, you know, four years of Ukraine war, I think there's probably been a reasonable spread of tooling between the different operational units that said a bear is a bear is a bear, right? That's right.
A
Yeah. I thought it was just a nice example of that. Search showed a bit of the thinking behind it, rather than just, you know, we've got medium confidence.
B
And also, I guess the. The other thing that's interesting is of course that they used. They use different indicators to come up with slightly different attributions. So if you have access to the malware, you, you know, do attribution based on malware. If you have access to the infrastructure, you do attribution based on infrastructure.
A
Right.
B
And you apparently get slightly different results, right?
A
Yeah, depends which part of the elephant holding. With that little insert. We'll go back to our discussion from earlier. Yeah. So the attack was essentially thwarted, and so Dragos has come out with this report. I think there's a few interesting things. One part is that Polish electricity generation is becoming more distributed because of renewable sources. And Dragos actually says that this made it harder to attack.
B
There was something like 30 different targets, each with their own system. Like, each one was just different enough that they couldn't create one generic wiper, I guess, that they could then run everywhere. They had to customize 30 different things for specific environments.
A
So what would make sense to me for this kind of attack is if, like. Like you said, Poland's a staging area, if somehow the electricity attack resulted in a massive disruption in the flow of military equipment.
B
Right.
A
But it doesn't seem that that was the plan. Like, nowhere in Dragos's. And maybe that's something you would leave out, but nowhere in Dragos's report does it say that the intent seems to have been to disrupt military logistics. It's just the intent seems to be just to disrupt the electricity network.
B
So one of the things is, even if you do create something like interrupting military logistics, that's only valuable if you can exploit that, Right. Like, it creates an opportunity that you could take advantage of. Like, if there was some offensive that you're conducting and you disrupt the supply of artillery shells to the front line, like, that is a useful thing to do at that point. But if, for example, you disrupt the flow of artillery shells to the front line, just because you can, like, that doesn't meaningfully advance your goals. Like, that doesn't help. And so I just point out that, like, even if they were doing it to disrupt logistics, if there is no exploitation of that, then it's still the same thing as not even bothering to do it, because, like, it's a means.
A
To a means rather than a means to a means.
B
Right, a means to a means.
A
So a while back, we spoke about, I think, the episode we call. We called it Cyber Russia's Cyber War on Wheat.
B
Right? Yeah.
A
And so that was BTN145, and that was off the back of a report that there'd been a. Some sort of concerted effort to attack Ukraine's agricultural sector. And at the time, I tried to. I don't know if it was. Make light of it, but put it in context that there was a massive amount of Ukrainian agricultural land that was actually off limits because it was either a war zone or because there were leftover minions or.
B
Yeah, unequal.
A
But you. You got some feedback.
B
So I spoke with some people who are sort of more familiar with the situation, and they explained to me that the agricultural industry is actually incredibly digitized. They are. Or at least they were to the other point. Like, they were vulnerable to this sort of event. Right. Like a cyber attack did meaningfully impact distribution, collection, the things that you do with agriculture, I don't really know what those are, but apparently the interesting thing here is that these aren't new. So, like, they sort of happen cyclically at opportune times, right?
A
Yep.
B
At opportune times. When they have the most impact economically, like during a harvest time or during the big shipment period or whatever it is. And the result of these periodic reoccurring attacks has been that there are now fewer of them than there used to be, because every time it happens, everyone in the sector freaks out and gets a little bit more resilient. They start taking backup seriously. They actually do buy that firewall they've been putting off. They make a plan for what to do when things happen. They speak to their peers who say, like, this worked. So overall, the entire sector is getting hardened up against cyber attacks because of the cyber attacks.
A
Yeah. So I thought that was interesting in the context of this attack, where there didn't seem to be any particular end goal that they were contributing to. And I think also the history of attacks on Ukrainian critical infrastructure is that and electrical infrastructure is the more you attack it, the better it gets, the more resilient it gets.
B
Yeah. I believe there's a UK intelligence official who said, sort of, when we do cyber, we don't want to be strength training our adversaries. Forget the exact wording.
A
Yeah. And so unless you've got a particular goal that you think is going to be worth that.
B
Training, there's equities involved. One of them is immediate access, but another one is future access. Right. Like from here out to infinity. It's going to be harder once you've done this. So you have to evaluate those versus whatever you're getting in the short term.
A
Yeah, yeah. So in the Dragos report, there's a couple of interesting paragraphs. Well, there's more than a few interesting paragraphs, but I'm going to read out a couple. And they're in a section that compares the 2025 attack, this most recent attack on Poland, to previous operations, previous Russian operations. Previous attacks focused on centralised control systems, managing large portions of the grid distribution control centers in 2015, a transmission substation in 2016. Like that makes sense. That's what you would target. Centralised, I guess, choke points or critical points, whatever. The Poland attack instead targeted the distributed edge of the grid, the rtus, which are remote terminal units and communication systems managing dozens of smaller generation sites. This shift reflects the changing nature of electric grids as countries like Poland add more distributed renewable generation. So that reads to me that just a shift to renewables makes grids more resilient. I guess it wasn't clear to me before this that that would necessarily be true.
B
Right. So I'd never, I hadn't even thought about it, but it actually makes complete sense. Just in terms of the. The Dan Geer article from. I mean it must be 20 years ago now on monoculture as a vulnerability and how diversity is a security strength. And I think the way that that plays out here is that if you have, you know, 30 companies each offering renewables, they don't all have the identical equipment and setup. You know, one will buy from Siemens, one will buy from Huawei, one will buy from Ericsson or whomever. And so yeah, just because of that, it's going to be very difficult to have a generic piece of malware that will do, you know, your attack against every single.
A
There's a couple other powers that kind of follow on, complement that. When compared to the 2015 attack in Ukraine, it shows similar technical tactics, techniques, procedures, etc. Etc.
B
Etc.
A
But lacks the coordinated sequencing that maximized impact in that operation.
B
Right.
A
And so it goes on. The adversaries demonstrated an understanding of the equipment but achieved limited impact. Dragos assesses with low confidence that this was due to incomplete preparation rather than a lack of capability. So it goes on. Electrum, which is what they call this group, possesses the skills to develop these site specific commands, but doing so requires time, testing and detailed knowledge of each location's configuration. So it kind of makes sense that the more distributed generation you have, the more locations it gets. Maybe not exponentially harder, but because you've got more sites and more, like you say, not a mother culture, it takes longer to prepare. The attack timeline may not have allowed for this level of preparation.
B
Why do you think they would have needed to get it done before the end of the year?
A
Well, before we started right in under the Wire, we were discussing this and in fact in the War on Wheat, we also discussed how there were timing of attacks seemed to coordinate with the Russian financial year, which ends on the 31st of December. And so this attack was on the 29th of December.
B
As I recall in that BTN episode we did make the prediction that one of the pieces of evidence that would confirm our theory that these destruction attacks were motivated by political reasons of like showing that you've done something. One of the pieces of evidence that would confirm this would be if there were major attacks in December before the end of the year. That's right.
A
So in fact I think the previous Ukrainian electricity attacks were both in December.
B
Yep. Okay.
A
One was Christmas Eve if I remember rightly. And that was before the full on invasion.
B
Right.
A
And so I think if you've got extra planning time, you would probably go, okay, Christmas Eve is the most annoying.
B
Right. That's exactly like let's we're going to take out their Christmas trees. No one seems to have lit up no Christmas lights.
A
I, I think another was also in December is right.
B
I, I know that there was another attack that happened sort of in 2022 just as the war was sort of settling into a long, a long thing. And the, the attack against the grid was successful in that it shut down electricity, but not very successful in that like it shut down electricity for a few hours.
A
Right, right.
B
Whereas like a shahed shuts it down for months.
A
Yeah.
B
And I think that one of the things that the incident response report made about it was that it was very lightweight compared to their previous attacks. Like they were using much simpler tooling. There was less sort of involved planning stuff like that. It was much more of a light touch, which I think was probably an assessment of just how much effort they should put into this.
A
Right, yeah. You need to get something out the door quickly that will demonstrate something. So, so to be clear, the, the hypothesis here is that there's internal reporting metrics where disruptive attacks look good and they're whipped up in with relatively little preparation or not enough preparation or pushed out the door before they're ready because of that reporting cycle rather than because of well planned orchestrated timed operations.
B
But so like the thing is, I think that makes sense because if you are cyber espionage or if you do cyber intelligence during a war, all of the value you have is intelligence collection. Right. Like if you want to destroy something, there's basically nothing you can do with cyber that is as good as a bomb. Right. So you can't compete against bombs and missiles for destruction. But bombs and missiles can't get CCTV camera access or read intent based on operational plans that you've stolen from a laptop where you add value is on the intelligence side. So every time you have to take people off of intelligence collection and put them on destruction. That's actually, that's hurting your value add. So you're going to try and do just enough like the bare minimum, like you want to show that you're willing, that you're taking part, that you know you are doing this, but you're not going to treat it as a major part of your mission.
A
Right?
B
Yeah.
A
So that implies that somewhere in their management chain there is some disconnect regarding the value of intelligence.
B
Right.
A
Because if you had a fully holistic assessment, the manager would go, oh great, you're getting me intelligence that we can use. That's valuable.
B
Why did you guys go ahead and. Yeah, like why did you destroy that? That could have been useful intelligence. Why did you break that? Right. Like that's what you'd want your leaders to be saying. Right. I think to a degree part of it is that this becomes political. Like it's not that their military leadership or the cyber bosses are making these decisions, but I think that they're making the decisions because they need like cover or ammunition to make arguments to their political leadership that keep funding us. We're doing good work. Remember when we wiped that electrical grid substation and there was like an eight hour blackout?
A
Yeah. So the other curious wiping attack where you had this hypothesis that it was political rather than practical was keevstar.
B
Yeah.
A
And I went and looked at the date of that and that was 12th of December. So it's not quite close. It's pretty close to the end of the year.
B
But. So that was a very comprehensive attack as well though. So I think it might have been, I think it's, it's, it would be fair to argue that they had sufficient time to prepare it and it was just ready to go sort of whenever I would say, like if there's political reasons for, for doing the tax at all, there's very likely internal political reasons for picking the dates that they picked. Like you, you do it on the 12th because there's a reporting session on the 16th and you need to make sure that there's enough time for it to sort of get out and you can write your reports and make your pretty graphs and do the slideshows and all that so that your boss can look good to his boss can look, et cetera. Right. And, and that logic is going to be opaque to us because we don't know those internal schedules. So I wouldn't put too much stock in the fact that. Oh, why wasn't it the 23rd? Right.
A
That's right, yeah, yeah, yeah. I mean, I like it as a theory, but I'm still.
B
I'd say I'm 51% positive it's true and 49%. Okay, yeah. No, there's no way, like it's slightly more than 50. 50.
A
This attack in particular, I think is a good piece of evidence because of the date and because it doesn't seem aligned with any other sort of purpose. So if you eliminate other reasons to do it, what you're kind of left with is internal reasons that are opaque to us. And one of those has got to be like sort of internal domestic political reasons.
B
But on the other hand, one does feel that, like it would be quite a rogue act to go out and attack a neutral NATO party just to impress the boss. Right. Like, on the off chance, I very much feel as if that would. That's the sort of thing that you'd need to get sign off all the way up the chain before you pull the trigger.
A
I mean, you would think so. Right. What it brought to mind was a while back we spoke about Bellingcat had produced. No, it wasn't Bellingcat. It was the insider. Which one? A former Bellingcat researcher. I think it was Christo. Christo Grotzev? Yep. He had produced this report on how Russia's sabotage unit had got into cyber. And so that was BTN124. And basically, like, based on his investigation, it was just some guy decided it was a good idea. Right. And hired someone.
B
Yeah, I remember that. It had a very personal feel to it. It felt like a mom and pop store operation. Right. It was like, you know, like, my dad likes you. So. Yeah, we'll bring you on. What did you say you were good at? Okay, let's do some of that. You know, it was.
A
Yeah.
B
As opposed to, you know, this is within our mission and, you know, we have additional headcount to expand capability within this sector, and we're looking for someone with the skill set to augment our existing. Like it. Yeah. It certainly didn't seem planned and authorized.
A
In the same way. So I guess my point is that this sort of random stuff just does go on. And again, go back to the. There have been other, like, real world sabotage instance.
B
Right. Yeah. So I. All right, let me. Let me throw this back at you then. So, like, the way I could see it is that there's a sort of an accepted level of mayhem that you're allowed to do and maybe even expected to do in Poland. Right. Like blow up a train track or you know, set fire to a transformer or some. Some level of thing. So someone could look at that and be like, that's basically the same thing as, like, doing cyber attacks against the electrical grid. And so they would feel that the sort of the blanket authorization that exists would cover their attacks. Yeah. And like, yeah, there's a case that could be made that I think is very plausible.
A
Yeah. So I think also this attack, just looking at Dragos report, it was not, we're going to take down the entire Polish electoral electricity grid. It was. It seemed like it would be, if effective, a disruption, maybe like some blackouts in some places, but not.
B
Right.
A
I guess from Poland's point of view, it's hard to know what to do about that. Like, I think there's like, a point.
B
Where you start a war with a nuclear neighbor because the lights went out for three hours in a rural.
A
Exactly. Yeah. None of this seems well planned, but it seems like if it had been well planned, it would be calibrated to be at the level of annoyance rather.
B
Than it would be part of Russia's hybrid war in the gray zone against blah, blah, blah, as opposed to tanks over the border.
A
Yeah.
B
So, yeah, I see that. One of the things that Dragos keeps bringing up is that it was very opportunistic and that the motivation seems to be more about they could do it rather than they had planned it out. Even that plays well to the hypothesis that this is motivated more by, say, political concerns or internal politics rather than military needs.
A
This is Tom and Gruck from the future again, jumping in. The other interesting thing that the Cert Poland report in particular mentioned that is relevant here is that there were many default configurations that enabled access, so it wasn't so many. It was essentially just default passwords or vulnerable devices.
B
Like, if this was a ctf, people would wonder why you deployed honeypots in your ctf.
A
It was too easy.
B
I would have been suspicious. I would have been like, wait, they left the remote root default configuration? No way. No, no, no. This is like, this is some sort of trap. Don't fall for it. It's just insane.
A
I think it makes sense that they've just found something lying around. And the key expected results, or the imperative to show some results is, well, we've got these passwords. It's not the target we'd really like, but it's pretty close.
B
Yeah, I mean, it's the target we have. So what I take from this, which I think is actually an interesting point, is our contention is that the driver for this particular attack was probably not some sort of external or strategic move, but rather it was responding to internal stimulus, some sort of internal political target, whether it's making your year end quota or showing willing or some sort of thing that would be very opaque and difficult for us to interpret from the outside. And I think that that is reinforced by how easy it was to do the attack. Because to me, looking at this, I would say if it's this insecure, like this many years of no patching, this many years of just being left out, it's going to wait a month. Like, if we come back next year, it's still going to be here in the same state of like, just no one cares. Right. So there's no reason to do it now. Just to make sure that we get in ahead of time before they do the big rollout of the, I don't know, the 13.77 firmware that's going to have cryptographic verification of updates. We won't be able to. Like, there's no getting in before the deadline due to changes you anticipate in the environment. That doesn't seem to be a driver.
A
And I think it's also a pretty clear example of how this will drive them to change their default passwords. So security will get better as well. Yeah. It's not as if they're being asked to drastically reshape the entire infrastructure. Like, it'll be right.
B
It's changed up to the point of like, it would be great if you could have a firmware that was released in the last two years, you know?
A
Yeah.
B
Like if you could just.
A
Yep. Okay. So back to our discussion, I guess.
B
I'd say for the other thing is if this was made it, if this was motivated by a military strategy, it was a complete failure. Like, it didn't work. So if you did that, if you, if you said to the military, don't worry about it, guys, I got this. Me and my team, we've got you covered. We will make sure that all of that electricity is out when you need it.
A
Yep. You say that from a military perspective, it's a failure. Right. Because it didn't achieve anything. It looks like it didn't achieve what they set out to do. And I was wondering if it's from a key expected results metric, whether it's a failure as well. Because they've got some press, they made a splash, the newspaper, they can report.
B
Like, that's, that's exactly what I would do is. So here's the thing. If you announce beforehand, boss, I'M going to wipe out electricity in the eastern half of Poland. And then you don't, that's a failure. But if you come afterwards and say, boss, we created a huge amount of publicity and a lot of scare and, and there's going to be a lot of investment now that would go to other things. By hacking into this many targets in, in Poland, that's a huge success.
A
I mean, well, it, it was briefed by Poland's Prime Minister, Donald Tusk, according to the, you know, so it reached the top level in Poland. So this is, yeah, channeling my inner GRU bureaucrat. This is a significant attack. We, we reached the Prime Minister in terms of the news. We didn't actually impact him, but we didn't reach reach. But, you know, he talked about it.
B
He was briefed over his morning coffee. So, you know, that's right. It's basically the same thing. If you think about it. I think you could very much spin this as a huge success. Look, look at the fear that we've produced. Look at all the reporting. Like this is causing panic across the West. It went up to the highest levels of government. They were aware of this, they were involved. You know, this was a major incident that we caused. In theory.
A
Well, it's more an information coup rather than an electricity coup.
B
So I think one of the ways that this works better for Russia than it would for a Western agency is that in the west, our ideas of cyber conflict are very much tied to these sort of physical events. So if, if you're a Western intelligence agency who sets out to shut down the grid and you fail and it gets a lot of press and everyone's talking about it, that's a bigger fail. Right. Like you, you've now, you've, you've missed the technical side and you've brought attention to it, that's, that's bad. Whereas from a Russian perspective, where the idea is about information dominance, like this information confrontation idea of like making the other side, like psychologically unable to continue to resist, to sort of overcome them having caused distress and it's like that's a win. Even if the technological side doesn't happen, which you don't count as a sort of a separate metric.
A
Right.
B
It's sort of like it's an add on bonus. But the real thing that you're trying to do is upset people and damage their, you know, social cohesion or whatever.
A
Yep, yep. So what you're really saying is that Russians are driven by key expected results. It's just where it's just that the results are not the ones that we expect.
B
They're not our expected results.
A
Thanks a lot.
B
Thanks a lot, Tom.
This episode dives into the latest Dragos report on cyber attacks targeting Polish electrical infrastructure, allegedly by Russian state-affiliated actors. Tom Uren and The Grugq explore the motivations, implications, and internal logic behind these attacks, situating them within the context of the ongoing Ukraine conflict and Russian cyber operations. Discussion centers on attribution debates, evolving grid security, and how internal Russian politics may drive operational choices more than strategic or military goals.
"CERT Polska...have a slightly different attribution, which is to a group called Berserk Bear... that's SVR and that's based on the infrastructure used to obtain access." – Tom (04:22)"The more you attack [the infrastructure], the better it gets, the more resilient it gets." – Tom (10:41)"The hypothesis here is that there's internal reporting metrics where disruptive attacks look good and they're whipped up with relatively little preparation... because of that reporting cycle rather than well-planned, orchestrated, timed operations." – Tom (17:21)"If this was motivated by a military strategy, it was a complete failure... if you said to the military, don't worry, we'll make sure that all of that electricity is out when you need it... it didn't achieve what they set out to do." – Tom & Grugq (28:41–29:03)"It was briefed by Poland's Prime Minister... We didn't actually impact him, but, you know, he talked about it." – Tom (29:58)
"Look at all the reporting... this is causing panic across the West." – Grugq (30:27)On attribution ambiguity:
"A bear is a bear is a bear, right?" – Grugq (05:13)
On why attacks may not be well-planned:
"If it had been well planned, it would be calibrated to be at the level of annoyance..." – Tom (25:01)
"It would be part of Russia's hybrid war in the gray zone, as opposed to tanks over the border." – Grugq (25:01–25:10)
On easy exploits in OT environments:
"It was too easy. I would have been suspicious. I would have been like, wait, they left the remote root default configuration? No way. No, no, no. This is like, this is some sort of trap." – Grugq (26:06)
On internal politics vs. external logic:
"Our contention is that the driver for this particular attack was probably not some sort of external or strategic move, but rather it was responding to internal stimulus... some sort of internal political target." – Grugq (26:40)
| Name | Reported By | Russian Org | |-----------------|--------------------|--------------------| | Sandworm | ESET, Dragos | GRU | | Electrum | Dragos | Subset? | | Berserk Bear | CERT Poland, CrowdStrike | SVR | | Ghost Blizzard | Microsoft | SVR |
This episode presents a compelling overview of how Russian cyber operations against European infrastructure are driven not only by strategy but also by bureaucratic pressures and internal metrics, frequently resulting in poorly timed, poorly planned, but highly publicized attacks. As critical infrastructure becomes more distributed and diverse, technical resilience to such attacks increases, while the political and psychological aims behind them remain opaque and subject to speculation.