ELECTRUM and KAMACITE split OT access-and-execution operating model
Threat Actor Meta
Summary
ELECTRUM and KAMACITE operate as a split OT intrusion ecosystem: one cluster obtains and holds access, the other carries out execution inside industrial networks. The division gives the actors flexibility and spreads risk across many industrial environments at once. The model matters because access can be established and held long before any disruptive action is taken, so an OT environment can carry latent exposure with nothing visibly wrong. The same ecosystem overlaps with Sandworm aliases, tying the behavior to a broader state-sponsored actor set. Recent activity referenced July 2025 scanning against industrial devices in the U.S., showing the pattern is not geographically constrained.
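The access phase of the model above is the part a defender can see earliest, and the page's own example of it is persistent scanning of industrial devices. The following is an added detection example, not code from the original page or from Dragos: it reads NetFlow-style records and flags any source that touches several hosts, or several distinct OT protocols, on well-known ICS ports within a window. The record format, the port watchlist, the thresholds and the sample flows (RFC 5737 documentation addresses) are all constructed assumptions for illustration; the page publishes no indicators, so this is a generic pattern detector, not an ELECTRUM or KAMACITE signature.

```python
"""Flag sources that repeatedly probe industrial-protocol ports.

Added example, not from the original page or from Dragos. The input
format, port watchlist, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed watchlist of common OT/ICS service ports; extend to your estate.
ICS_PORTS = {
    102: "S7comm/ISO-TSAP",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'ISO-timestamp src dst dport' records; skip malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]),
                              parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue  # bad timestamp or port; do not abort the whole batch
    return flows


def detect_ics_scanning(flows, window=timedelta(hours=24),
                        min_targets=3, min_ports=2):
    """Return {src: summary} for sources whose ICS-port activity looks like recon.

    A workstation polling one PLC on one protocol is normal; a single source
    touching several hosts, or several distinct OT protocols, inside `window`
    is the scanning pattern worth a ticket.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport in ICS_PORTS:
            by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        for i, anchor in enumerate(fl):
            # Everything this source did on ICS ports in `window` after `anchor`.
            win = [f for f in fl[i:] if f.ts - anchor.ts <= window]
            targets = {f.dst for f in win}
            ports = {f.dport for f in win}
            if len(targets) >= min_targets or len(ports) >= min_ports:
                alerts[src] = {
                    "targets": sorted(targets),
                    "protocols": sorted(ICS_PORTS[p] for p in ports),
                    "first_seen": win[0].ts.isoformat(),
                    "last_seen": win[-1].ts.isoformat(),
                }
                break  # one alert per source is enough for triage
    return alerts


# Constructed sample flows: one external scanner, one benign poller,
# one non-ICS connection and one malformed line.
SAMPLE_FLOWS = """\
2025-07-08T01:12:03 203.0.113.7 192.0.2.10 502
2025-07-08T01:12:09 203.0.113.7 192.0.2.11 502
2025-07-08T01:12:15 203.0.113.7 192.0.2.12 502
2025-07-08T01:13:40 203.0.113.7 192.0.2.12 44818
2025-07-08T09:00:00 10.1.5.20 192.0.2.10 502
2025-07-09T09:00:00 10.1.5.20 192.0.2.10 502
2025-07-08T02:00:00 198.51.100.4 192.0.2.10 443
this line is malformed
"""

if __name__ == "__main__":
    for src, info in detect_ics_scanning(parse_flows(SAMPLE_FLOWS.splitlines())).items():
        print(src, info)
```

The benign poller (one host, one protocol, once a day) stays silent while the scanner trips on both the target count and the protocol count; tune `min_targets` and `min_ports` against a baseline of your own engineering traffic before relying on the thresholds.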
Related Happenings
Iranian-affiliated US CNI OT attack campaign
Campaign
First: 08.04.2026 11:15
Last: 08.04.2026 11:15
Sources 1
About this happening:
An **Iranian-affiliated** campaign is actively targeting **US critical national infrastructure providers**, creating **operational disruption** and **financial loss** across multi...
Electrum and Kamacite destructive OT/ICS campaign
Campaign
First: 17.02.2026 23:31
Last: 17.02.2026 23:31
Sources 1
How related:
Dragos said that over the past year, Electrum has worked alongside another threat actor, tracked as Kamacite, to conduct destructive attacks against Ukrainian ISPs and persistent scanning of industrial devices in the US.
About this happening:
A **2025 destructive campaign** tied to **Electrum** and **Kamacite** combined **persistent scanning** with attacks that could disrupt industrial and communications infrastructure...
Poland's energy sector hit by network compromise
Incident
First: 17.02.2026 23:31
Last: 17.02.2026 23:31
Sources 1
How related:
On Dec. 29 and 30, 2025, attackers targeted Poland with wiper attacks against more than 30 renewable energy farms, a private manufacturing sector company, and a combined heat and power plant.
About this happening:
A **wiper attack** hit **Poland's energy sector** on **Dec. 29 and 30, 2025**, damaging OT visibility and firmware across **more than 30 renewable energy farms** and other facilit...
CISA releases secure OT communications guide
Public Sector Action
First: 10.02.2026 14:00
Last: 10.02.2026 14:00
Sources 1
About this happening:
CISA released **Barriers to Secure OT Communications: Why Johnny Can’t Authenticate**, a new guide meant to help **OT owners and operators** adopt **secure communications** and re...
DKnife gateway-monitoring malware framework
Malware Activity
First: 06.02.2026 19:00
Last: 06.02.2026 19:00
Sources 1
About this happening:
The discovery of **DKnife** exposes a **long-running malware framework** that has remained active since at least **2019**, raising the risk of **gateway-level traffic interception...
Timeline
- 28.01.2026 18:06 · 3 articles
Initial report: ELECTRUM and KAMACITE split OT access-and-execution operating model
Initial Disclosure: Initial access is built first, often through phishing, stolen credentials, exposed services, and extended reconnaissance. The execution phase then follows later inside OT networks, which can delay visible disruption while increasing the risk of industrial impact.
Sources:
- Russian ELECTRUM Tied to December 2025 Cyber Attack on Polish Power Grid — thehackernews.com — 28.01.2026 18:06
- Poland Energy Survives Attack on Wind, Solar Infrastructure — www.darkreading.com — 17.02.2026 23:31