Polish Water Infrastructure Targeted in Series of ICS Breaches
Poland’s Internal Security Agency has confirmed that five water treatment plants were breached in 2025, with attackers gaining the ability to manipulate critical operational equipment.

Poland’s Internal Security Agency (ABW) has confirmed that five water treatment facilities across the country were compromised by cyberattacks throughout 2025. The incidents affected stations in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, marking a significant escalation in threats against the nation’s critical infrastructure (SecurityWeek).
The breaches involved direct intrusions into Industrial Control Systems (ICS), which are essential for managing the physical operations of water treatment plants. In several instances, the attackers successfully bypassed security measures to gain unauthorized access to these systems. Once inside, they obtained the ability to modify operational parameters, posing a direct threat to the continuity of service and the safety of the public water supply (SecurityWeek).
According to the ABW, the intrusions were facilitated by two fundamental security failures: the use of weak password policies and the exposure of OT systems directly to the internet. These vulnerabilities allowed threat actors to bypass perimeter defenses and interact with sensitive equipment. The agency noted that these same hygiene failures were previously exploited in separate, Russia-linked attacks targeting Polish energy facilities (SecurityWeek).
The ABW report attributes these activities primarily to hacktivist groups, though it emphasizes that these entities often serve as personas for foreign intelligence services. Specifically, the agency identified Russian-linked Advanced Persistent Threat (APT) groups, including APT28 and APT29, as well as the Belarusian-linked group UNC1151, as active participants in the campaign against Polish targets (SecurityWeek).
Beyond the direct attacks on water utilities, the investigation revealed a broader pattern of malicious activity targeting municipal infrastructure, including wastewater treatment plants and waste incineration facilities. Investigators found that attackers frequently targeted supply chains to harvest contract data, project documentation, and authentication credentials. These stolen assets were then used to facilitate downstream access to more secure, internal systems (SecurityWeek).
This surge in activity reflects a growing trend of state-sponsored actors shifting their focus toward the physical disruption of critical services. The ABW’s findings highlight the persistent risk posed by legacy OT security vulnerabilities and the strategic importance of securing supply chain relationships. As these actors continue to refine their tactics, the focus for utility operators remains on addressing long-standing hygiene issues and mitigating the risk of unauthorized remote access to industrial control environments (SecurityWeek).