Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants

Poland’s Internal Security Agency (ABW) has documented a significant escalation in cyberattacks targeting industrial control systems (ICS) and other operational technology (OT) infrastructure during 2024 and 2025, with state-sponsored threat actors increasingly shifting focus toward the physical disruption of critical services. A Polish official revealed in August 2025 that a cyberattack could have caused a city to lose its water supply, but the attack was thwarted. No technical information was shared at the time.  The government agency’s new report [written in Polish] provides more information about these types of attacks on the country’s water sector.  [ Read: Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion ] According to ABW, the most significant incidents involved direct intrusions into ICS at water treatment facilities across multiple Polish municipalities. In 2025, the agency recorded security breaches at water treatment stations in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo.  In some cases the attackers gained access to ICS and obtained the ability to modify the operational parameters of equipment, creating a direct risk to operational continuity and the public water supply. The agency identified two primary attack vectors enabling these ICS intrusions: weak password policies and systems exposed directly to the internet. These are longstanding OT security hygiene failures, and they were also recently leveraged in a Russia-linked attack on Polish energy facilities.  Beyond water systems, ABW documented an increase in attacks targeting supply chains, critical infrastructure, and ICS at other types of municipal utilities, including wastewater treatment plants and waste incineration facilities.  Investigators determined that attackers targeting supply chains specifically sought contract data, project documentation, and authentication credentials that enable downstream access to systems. ABW attributed primary responsibility to hacktivist groups, though these are often personas used by foreign governments, particularly Russian intelligence services. The report specifically names Russian APT groups such as APT28 and APT29, and Belarusian-linked UNC1151 as operating against Polish targets.  Related: Polish Space Agency Hit by Cyberattack Related: Poland Faced a Surge in Cyberattacks in 2025, Including a Major Assault on the Energy Sector Related: Man Linked to Phobos Ransomware Arrested in Poland Related: Hacking Attempt Reported at Poland’s Nuclear Research Center WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking Attackers Could Exploit AI Vision Models Using Imperceptible Image Changes Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion Romanian Man Extradited to US for Role in Hacking Scheme 17 Years Ago CISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber Conflict Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls Microsoft Warns of Sophisticated Phishing Campaign Targeting US Organizations Critical Remote Code Execution Vulnerability Patched in Android Latest News In Other News: Train Hacker Arrested, PamDOORa Linux Backdoor, New CISA Director Frontrunner AI Firm Braintrust Prompts API Key Rotation After Data Breach Cyberattack Hits Canvas System Used by Thousands of Schools as Finals Loom ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials Ransomware Group Takes Credit for Trellix Hack Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks Worries About AI’s Risks to Humanity Loom Over the Trial Pitting Musk Against OpenAI’s Leaders Trending Webinar: ROSI For CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Malwarebytes has named Chung Ip as Chief Financial Officer. Semperis has appointed John Podboy as Chief Information Security Officer. Randy Menon has become Chief Product and Marketing Officer at One Identity. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Email