Cyberattack on Poland’s National Centre for Nuclear Research (NCBJ): Attempted Breach of MARIA Reactor IT Systems Thwarted

Executive Summary
On March 12-13, 2026, Poland’s National Centre for Nuclear Research (NCBJ) was the target of a cyberattack aimed at its IT infrastructure. The attack was detected and blocked by internal security systems before any operational impact or data compromise occurred. All safety and research systems, including the MARIA research reactor, continued to function normally throughout the incident. The event triggered a coordinated response involving national cybersecurity agencies and the Ministry of Energy. Early investigation by Polish authorities identified entry vectors associated with Iranian infrastructure, but officials caution that these indicators may be deliberate misdirection, and no technical evidence has been published to confirm attribution. The incident highlights the persistent threat to Poland’s critical infrastructure from foreign cyber actors, particularly in the context of recent Russian and Iranian-linked activity. All facts in this summary are corroborated by official statements and multiple independent, primary sources (BleepingComputer, Security Affairs, Politico).
Technical Information
The attempted cyberattack on the NCBJ targeted the institute’s IT infrastructure, which supports both administrative and research operations, including the MARIA research reactor. The NCBJ is Poland’s primary government nuclear research institute, specializing in nuclear physics, reactor technology, particle physics, and radiation applications. The MARIA reactor is a high-flux research reactor used for scientific experiments, isotope production, and training, but is not used for electricity generation (BleepingComputer, Security Affairs).
Attack Vector Analysis
The specific initial access vector used in the attack has not been disclosed in any primary source. Polish authorities referenced “entry vectors” traced to Iran, suggesting the use of infrastructure or IP addresses geolocated in Iran (Security Affairs, Politico). No technical indicators such as phishing emails, exploit details, or malware hashes have been published. The attack was detected and blocked by internal security systems and procedures, with no compromise of system integrity or reactor operations (BleepingComputer, Security Affairs).
MITRE ATT&CK Mapping
The general targeting of IT infrastructure in critical sectors aligns with several MITRE ATT&CK tactics and techniques, though none are confirmed for this incident due to lack of technical detail. Plausible techniques include Initial Access [TA0001] via Valid Accounts [T1078], Phishing [T1566], or Exploit Public-Facing Application [T1190]. Defense Evasion [TA0005] was attempted but unsuccessful, as detection systems were effective. Impact [TA0040] was not achieved.
Malware and Tools Identified
No malware or specific tools have been publicly identified in relation to this incident. All sources confirm the absence of technical compromise and do not mention any discovered payloads, implants, or toolkits (BleepingComputer, Security Affairs, Politico).
Historical Context of Threat Actor Activities
Early investigation by Polish authorities found “indicators” pointing to Iran, specifically that “entry vectors” were related to Iranian infrastructure (Security Affairs, Politico). Authorities caution these may be false flags, and no technical evidence (malware, TTPs, or infrastructure overlap) has been published to support definitive attribution. Poland’s critical infrastructure, especially energy and nuclear sectors, has been a repeated target of foreign cyber operations. In January 2026, Russian APT44 (“Sandworm”) targeted Poland’s power grid, including DER, CHP, wind, and solar dispatch systems (BleepingComputer). An ICCT report in February 2026 listed 31 confirmed Russian-attributed incidents against Polish critical infrastructure since mid-2025. Western intelligence agencies have warned of increased Iranian cyber activity against critical infrastructure since late February 2026 (Politico).
Technical Details of Attack Methods Mapped to MITRE ATT&CK
Initial Access [TA0001] may have involved Phishing [T1566], Exploit Public-Facing Application [T1190], or Valid Accounts [T1078], but this is not confirmed. There is no evidence of successful code execution or malware deployment (Execution [TA0002]), persistence (Persistence [TA0003]), or privilege escalation (Privilege Escalation [TA0004]). Defense evasion was attempted but unsuccessful (Defense Evasion [TA0005]). No impact was achieved (Impact [TA0040]).
Attribution and Confidence Levels
No technical indicators have been disclosed. Attribution to Iran is based on circumstantial evidence—entry vector geolocation—not technical artifacts. Authorities warn of possible false flag operations. The attack fits a broader pattern of targeting Polish critical infrastructure by Russian and Iranian actors, but no direct technical linkage to known threat groups has been established. Attribution confidence is low.
Affected Versions & Timeline
The attack targeted the IT infrastructure of the National Centre for Nuclear Research. No specific software, hardware, or product versions have been disclosed as affected. The incident occurred “in the past few days” prior to March 12-13, 2026, according to statements from the Minister for Digital Affairs (Politico, Security Affairs). The MARIA reactor and all research and production systems remained operational and uncompromised throughout the incident (BleepingComputer, Security Affairs).
Threat Activity
The attempted intrusion was detected and blocked by the NCBJ’s internal security systems and procedures. No operational impact, data compromise, or disruption to the MARIA reactor occurred. The institute immediately informed relevant authorities and began an investigation. Internal security teams were placed on high alert, and the response was coordinated with national cybersecurity agencies, including NASK-PIB, the Ministry of Digital Affairs, the Ministry of Energy, and the Deputy Prime Minister (Security Affairs). The situation continues to be monitored by appropriate services and security teams.
Early investigation found entry vectors associated with Iranian infrastructure, but authorities caution that these may be deliberate misdirection. No technical indicators, malware, or tools have been disclosed. The incident fits a broader pattern of targeting Polish critical infrastructure by foreign actors, with recent Russian and Iranian-linked activity in the energy and nuclear sectors (BleepingComputer, Politico).
Mitigation & Workarounds
The following mitigation actions and recommendations are prioritized by severity:
Critical: Maintain and regularly test incident detection and response capabilities for all critical infrastructure IT and operational technology (OT) systems. Ensure that all security systems, including intrusion detection and prevention systems, are configured to detect and block unauthorized access attempts. Conduct regular tabletop exercises simulating targeted attacks on nuclear and energy sector assets.
High: Review and update access controls for all critical systems, including multi-factor authentication and least-privilege principles. Monitor for anomalous activity, especially from foreign IP addresses or infrastructure associated with known threat actors. Ensure that all systems are patched and up to date, particularly those exposed to the internet.
Medium: Enhance coordination and information sharing with national cybersecurity agencies and sector-specific authorities. Implement network segmentation between administrative IT and operational technology environments to limit lateral movement in the event of a breach.
Low: Provide ongoing security awareness training for staff, focusing on phishing, social engineering, and reporting suspicious activity. Maintain up-to-date inventories of all IT and OT assets.
No specific software vulnerabilities or product workarounds have been disclosed in relation to this incident. All recommendations are based on sector best practices and the observed threat landscape.
References
https://www.bleepingcomputer.com/news/security/polands-nuclear-research-centre-targeted-by-cyberattack/
https://securityaffairs.com/189399/security/hackers-targeted-polands-national-centre-for-nuclear-research.html
https://www.politico.eu/article/poland-investigates-iran-links-as-hackers-target-nuclear-facility/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and critical infrastructure partners. Our platform enables continuous risk assessment, automated evidence collection, and real-time alerting for emerging threats relevant to critical sectors such as energy, nuclear research, and government. For questions or further information, please contact us at ops@rescana.com.