A coordinated cyber campaign attributed to Russian state-sponsored threat actor Midnight Blizzard (also tracked as APT29, Cozy Bear, and Nobelium) has successfully compromised at least 47 European energy utilities across Germany, France, the Netherlands, Austria, and Poland. The campaign, active since mid-January 2026, represents one of the most significant attacks on European critical infrastructure since the 2022 escalation.
The attackers compromised the update server of Schneider Electric's EcoStruxure SCADA management platform, injecting a modified firmware update package containing a sophisticated backdoor dubbed 'VoltDrop.' The trojanized update was digitally signed using a stolen code-signing certificate, bypassing integrity verification checks at 47 utility companies that deployed the update between January 18 and February 12, 2026.
The VoltDrop implant operates at the firmware level of Schneider Electric Modicon PLCs, providing attackers with:
Germany bears the heaviest impact with 19 confirmed compromises, including three of the country's largest regional energy providers. Austria reports 7 compromised utilities, and Switzerland, while not directly affected through EcoStruxure, has identified reconnaissance activity against its grid operators. The BSI (Federal Office for Information Security) has issued a RED alert and is coordinating incident response with affected operators.
This incident triggers mandatory NIS2 reporting obligations for all affected entities. Under NIS2 Article 23, essential entities must submit an early warning to their national CSIRT within 24 hours and a full incident notification within 72 hours. KENSAI analysis suggests that at least 12 of the compromised utilities had not yet fully implemented NIS2 supply chain security requirements, highlighting the urgency of compliance.
KENSAI has published a comprehensive IoC package including: