Russian Attacks on Polish Water Utilities Use Fear as Weapon
Data Breach Today
Critical Infrastructure Security, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime
Russian Hybrid Warfare Illuminates Debate Over Defending Cyber Poor Operators
Shaun Waterman • May 13, 2026
A view of Warsaw, Poland, in a photo dated April 19, 2025. (Image: Jeff Schniers/Shutterstock)
A spate of pro-Russian hacktivist attacks against Polish water facilities has illuminated a debate about the best way to defend water utilities and other critical service providers below the cyber poverty line, meaning they face a threat that they cannot afford to defend against.
None of the five known intrusions affected the water supply of the targeted facilities, but the hacks - confirmed by Warsaw's Internal Security Agency as pro-Russian incidents - are part of a Kremlin campaign of hybrid warfare against NATO's eastern flank.
Some of the attacks had been reported by local cybersecurity news outlets or publicly referenced by Polish officials. A recent report from the Internal Security Agency confirmed those reports and definitively linked them together as part of Russia's hybrid warfare campaign.
The agency said it had seen "a steady increase" in the number of cyberattacks against Poland's critical infrastructure facilities and industrial control systems for municipal infrastructure, including sewage treatment plants, water treatment plants and waste incineration plants.
The agency, whose Polish acronym is ABW, said attackers in some cases gained access to industrial control systems and "were able to change the technical parameters of the devices, posing a direct risk to their continued operation and, consequently, to the supply of water to the public."
Pro-Russian hackers targeted water utilities serving small towns or rural communities. The agency said hackers exploited "improper password policies and unsecured device management panels accessible directly from the public internet."
The five Polish water utilities targeted were easy targets and the intrusions were more important as theater, as part of an information operation designed to sow fear in the population and undermine their support for neighboring Ukraine in its effort to expel Russian invaders, according to Piotr Kupisiewicz, the Cracow, Poland-based CTO of cybersecurity firm Elisity.
"The attacks were nothing really sophisticated," he told ISMG in an interview. They succeeded because the facilities used weak or default passwords on portals directly accessible from the internet or via poorly defended jump hosts.
These intrusions worked as part of a hybrid warfare campaign "because it produces a propaganda video without forcing a serious response," Kupisiewicz said. And that meant being a small or insignificant target was no protection. "Obscurity is no longer protection. Obscurity is a discount on the attacker's targeting cost," he said.
Research published Wednesday by Nozomi Networks notes that even Sandworm - the Russian military intelligence hacking unit formally known as Military Unit Number 74455 - typically relies on old but unpatched vulnerabilities for its access. And the group is noisy, generating plenty of automated alerts by its post-intrusion activities.
"These were not stealthy zero-day attacks," wrote Nozomi Cybersecurity Director Chris Grove of the dozens of Sandworm intrusions they analyzed. "These were noisy, well-documented techniques that went uninvestigated."
The bottom line: "There is a lot we can do to raise the bar in cybersecurity, just with the basics," said Kupisiewicz.
A lack of basic cyber hygiene is hardly unique to Poland. A May advisory from the U.S. federal government urged critical infrastructure providers, including water utilities, to implement cybersecurity measures. The first two recommendations were "remove OT connections to the public internet" and "change default passwords immediately."
That thought was echoed in a presentation Wednesday titled "Managing Political Risk" by Danielle Jablanski, a former Atlantic Council scholar who is now the lead OT cybersecurity consultant for engineering service provider STV. In the current fast-developing threat environment, "We have to get back to basics," she said, adding that security experts "end up sounding like a broken record," because they have to repeat the same half-dozen pieces of advice over and over again.
Unsophisticated though they might have been, the attacks on the Polish water supply created an effect on the population out of proportion to their real impact, Kupisiewicz said. "People were scared. If the water supply can be attacked, what about the hospitals? What about the power plants?"
Water is an ideal target for hacks designed to sow fear and doubt, he added, because it is essential for life and - unlike the power system, for instance - it might not always be apparent that it's been sabotaged.
To magnify that fear, hackers last September posted a video of their access to a control interface for a water utility serving Jabłonna Lacka, a rural community of over 4,000 in the eastern central province of Masovian Voivodeship, which includes the capital Warsaw. The video showed the hacker logged in as an administrator and able to change settings on water pumping and treatment equipment.
"The configuration was designed to suppress alarms while pushing the pump and filter assemblies into unsafe operating envelopes," said Kupisiewicz of what the video showed. "They couldn't poison the water, but they could change settings to make it unsafe to drink," because it hadn't been filtered or treated properly.
In a case like the Jabłonna Lacka intrusion, "where you have interfaces right there, and unfettered access on the internet … an attacker can do basically anything that you could do as the water engineer, if you went evil or wanted to do harm," said Josh Corman, who heads the non-profit UnDisruptable27.org. The group, based at the Institute for Security and Technology in Washington, offers training, best practices and other resources to the 6,000 water utilities that count a hospital among their customers.
"No water means no hospital, within a few hours," Corman pointed out. He said the water sector, which he called "possibly our most depended-upon critical function," was also the least cyber ready of any critical infrastructure sector and if successfully attacked would produce "the most severe second and third order consequences."
The 27 in his organization's name is a reference to U.S. intelligence reporting that Chinese President Xi Jinping has ordered his country's military to be ready to seize Taiwan by 2027. Those same U.S. intelligence agencies and the Cybersecurity and Infrastructure Security Agency have warned that a threat actor linked to the Chinese military, tracked as Volt Typhoon, had infiltrated and prepositioned itself in the networks of water utilities, electricity suppliers and other critical service providers, with a view to sabotaging them in the event of a conflict.
Going back to cybersecurity basics wouldn't do any good against Volt Typhoon, argued Corman, who will testify before Congress on the topic next week. The Jabłonna Lacka hackers' main skill "is to use a default password or guessable password, and if you just add some firewall or some segmentation or change and maintain your passwords or enable multi-factor authentication" you can stop them.
Volt Typhoon is a far more capable attacker, which has used edge devices such as routers and firewalls as an initial access vector rather than relying on default passwords and internet-exposed control interfaces. Small or rural utilities "lack the means, the time and the budget … to replace those old, unsupported devices." Obviously, there were measures that all organizations could and should take to reduce the risk of a cyber compromise, but ultimately, Volt Typhoon "won't be deterred or stopped by good password hygiene."
Instead, Corman explained, utilities should engineer in physical limits and controls that reduce the consequences of a successful intrusion, even if hackers take control of the OT system. He gave as an example a device which would limit the number of commands that could be received by a remotely controlled pump in a certain span of time to prevent hackers repeatedly turning it on and off in an effort to short it out.
Most of the worst consequences of a successful cyberattack could be mitigated by easy and relatively cheap real-world solutions, he said. "There are well-known engineering mitigations, but these water facilities almost never have the time or the budget to do them. … So there are preventable, but often not yet prevented, harm cases."
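The command-limiting device Corman describes, sketched as an added example that is not from the article, UnDisruptable27 or any vendor: an interlock that caps how many start/stop transitions a pump will accept per time window and holds each state for a minimum dwell time, so rapid cycling from a compromised HMI is absorbed and logged instead of reaching the motor. The class and function names, the limits and the sample command stream are all assumptions constructed for illustration.

```python
"""Added example, not from the article or any vendor: a command-rate interlock for a
remotely controlled pump, the 'engineering in' control Corman describes. It accepts only
a bounded number of start/stop transitions per window, each held for a minimum dwell, so
an intruder controlling the HMI cannot cycle the pump to destruction. Limits are assumed."""
from dataclasses import dataclass, field


@dataclass
class PumpInterlock:
    max_changes_per_window: int = 4   # assumed limit: 4 transitions ...
    window_s: float = 600.0           # ... per 10-minute window
    min_dwell_s: float = 60.0         # assumed: hold each state for >= 60 s
    state: str = "off"
    changes: list = field(default_factory=list)   # times of transitions still in the window
    rejected: list = field(default_factory=list)  # (time, cmd, reason) for the audit log

    def command(self, t: float, cmd: str) -> str:
        """Handle a start/stop command issued at time t (seconds).

        Returns 'applied', 'noop' (already in that state) or 'rejected'. Rejections
        are recorded, not silently dropped, so operators can see the upstream abuse.
        """
        if cmd not in ("on", "off"):
            self.rejected.append((t, cmd, "unknown command"))
            return "rejected"
        if cmd == self.state:
            return "noop"
        # forget transitions that have aged out of the window
        self.changes = [c for c in self.changes if t - c < self.window_s]
        if self.changes and t - self.changes[-1] < self.min_dwell_s:
            self.rejected.append((t, cmd, "minimum dwell time not met"))
            return "rejected"
        if len(self.changes) >= self.max_changes_per_window:
            self.rejected.append((t, cmd, "transition rate limit exceeded"))
            return "rejected"
        self.changes.append(t)
        self.state = cmd
        return "applied"


def replay(stream, **limits):
    """Feed a (time, cmd) stream through a fresh interlock and summarise the outcome."""
    ilk = PumpInterlock(**limits)
    applied = sum(ilk.command(t, cmd) == "applied" for t, cmd in stream)
    return {"applied": applied, "rejected": len(ilk.rejected), "state": ilk.state}


# Constructed sample: an intruder at the HMI alternates start/stop every 5 s for 100 s.
FAST_TOGGLE = [(5.0 * i, "on" if i % 2 == 0 else "off") for i in range(20)]
```

Running `replay(FAST_TOGGLE)` shows the 20 requested transitions collapse to 2 applied, with 9 rejections in the audit log for the operator to investigate.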
For organizations below the cyber poverty line - where the threat outpaced the resources available to confront it - more cyber is not the answer, he said.
"Sometimes it's not a matter of 'Shields Up!'" Corman concluded, citing the CISA slogan, "but rather 'Connections down!'" and disconnecting some system elements from the internet, "or 'Engineering in!' by adding a known physical mitigation."