Polish Intelligence Warns Hackers Attacked Water Treatment Control Systems


What happened

Poland’s Internal Security Agency, known as the ABW, has publicly disclosed that attackers breached water treatment facilities in five Polish towns during 2025, gaining access to industrial control systems and creating what the agency described as a direct risk to the continuity of water supply operations. The affected facilities were located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo.

The ABW stated that in some cases attackers were able to alter technical parameters of devices within the ICS environments. Polish cybersecurity publication CyberDefence24 previously linked several of the incidents to a pro-Russian hacktivist group that posted propaganda videos of its intrusions online, and reported that attackers at one facility altered settings linked to pumps and alarms after accessing an administrator account.

The ABW did not formally attribute the water facility attacks to a specific group or country, but stated that Poland faced intensified hostile cyber activity in 2024 and 2025 with particular emphasis on the special services of the Russian Federation. The report described Russia as conducting a long-term campaign aimed at destabilizing NATO and EU member states, with large-scale reconnaissance underway in Poland in preparation for sabotage operations targeting military sites, critical infrastructure, and public facilities. The agency noted that Russian operations are evolving from loosely recruited online operatives toward more structured networks linked to organized crime groups, using encrypted messaging platforms and cryptocurrency for recruitment.

Poland’s government incident response team recorded more than 40,000 reports of potential cybersecurity incidents during the reporting period. The publication marked the ABW’s first public activity summary since 2014. Other incidents documented in the report include a hack of the national railway communications network, an outage of the country’s air traffic control system, a false mobilization order briefly published through a compromised state news agency, and a near-miss large-scale power outage attributed to a Russian attack on energy infrastructure. The agency said 48 espionage investigations were opened in 2025 alone, compared with six in 2022.

Who is affected

Water utilities and critical infrastructure operators across Poland are the confirmed targets in this report. The broader threat extends to NATO and EU member states across Europe, which the ABW explicitly identifies as targets of Russia’s destabilization campaign. Organizations operating OT and ICS environments in the energy, water, transportation, and logistics sectors in NATO-adjacent countries face the most directly relevant threat profile.

Why CISOs should care

Water treatment ICS access is not the end goal here. It is part of a documented pattern of pre-positioning and capability demonstration by Russian-linked actors across multiple infrastructure categories simultaneously, including water, power, rail, and aviation. The ABW’s characterization of Russian intelligence as increasingly willing to accept civilian casualties in sabotage operations is a significant escalation in public threat framing from a Western intelligence service.

For security leaders in critical infrastructure, the water facility incidents demonstrate that ICS environments in municipal utilities, which frequently operate with limited security resources and legacy control systems, are being actively targeted and successfully breached. The propaganda video angle also signals that some of these intrusions are designed as much for psychological effect and capability signaling as for immediate physical damage.

3 practical actions

  1. Audit remote access controls on OT and ICS environments at water and utility facilities: The water facility breaches involved access to administrator accounts and device parameter modification. Review whether ICS and SCADA systems have internet-exposed remote access, enforce MFA on all administrative access paths, and apply network segmentation that limits what compromised credentials can reach within the control environment.
  2. Treat pro-Russian hacktivist ICS intrusions as intelligence-linked operations, not opportunistic attacks: The ABW’s report connects hacktivist activity to Russian state objectives. Organizations that have dismissed ICS intrusion attempts from hacktivist groups as low-sophistication threats should reassess that posture given the documented coordination between hacktivist activity and Russian intelligence operations.
  3. Implement behavioral monitoring and anomaly detection on ICS device parameter changes: The ability to alter pump settings and alarm configurations represents meaningful physical risk. Establish monitoring that alerts on parameter changes outside authorized maintenance windows and requires out-of-band verification for any modification to safety-critical device settings in water treatment, energy, and transport OT environments.
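As an added illustration of action 3 (this is example code written for this summary, not anything from the ABW report or CyberDefence24), the detector below runs over a constructed ICS change-audit log and flags parameter changes made outside an assumed maintenance window, changes to pump or alarm settings that carry no out-of-band change ticket, and changes made from a generic administrator account. The log format, tag names, window hours and ticket field are all assumptions for the demo.

```python
from datetime import datetime, time

# Constructed sample audit log (not real data): timestamp user tag old new ticket
SAMPLE_LOG = """\
2025-03-10T02:15:00 operator1 pump2.setpoint_rpm 1200 1200 -
2025-03-10T14:05:00 admin pump2.setpoint_rpm 1200 1800 -
2025-03-10T14:06:30 admin alarm.high_chlorine.enabled true false -
2025-03-11T09:30:00 tech07 tank1.level_target 3.5 3.6 CHG-0412
2025-03-11T09:35:00 tech07 alarm.low_pressure.threshold 2.0 1.5 CHG-0412
"""

# Assumed policy: changes are authorized Mon-Fri 08:00-10:00 only; any change
# to a safety-critical tag (pumps, alarms) must reference a change ticket, and
# parameter changes should come from named accounts, not a shared "admin".
WINDOW_START, WINDOW_END = time(8, 0), time(10, 0)
SAFETY_PREFIXES = ("pump", "alarm")
GENERIC_ADMIN_ACCOUNTS = {"admin"}


def in_maintenance_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the assumed weekday maintenance window."""
    return ts.weekday() < 5 and WINDOW_START <= ts.time() < WINDOW_END


def detect(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, user, tag, reason) alerts for suspicious parameter changes."""
    alerts = []
    for line in log_text.splitlines():
        ts_s, user, tag, old, new, ticket = line.split()
        if old == new:
            continue  # no effective change (read or no-op write), nothing to alert on
        ts = datetime.fromisoformat(ts_s)
        reasons = []
        if not in_maintenance_window(ts):
            reasons.append("outside maintenance window")
        if tag.startswith(SAFETY_PREFIXES) and ticket == "-":
            reasons.append("safety-critical change without out-of-band ticket")
        if user in GENERIC_ADMIN_ACCOUNTS:
            reasons.append("generic administrator account used for change")
        alerts.extend((ts_s, user, tag, r) for r in reasons)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
```

On the sample log only the two Monday-afternoon admin changes to the pump setpoint and the chlorine alarm trigger alerts; the ticketed, in-window changes by tech07 do not.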
