Poland Water Treatment Plants ICS Breached by Russian and Belarusian APTs: 2025 Attack Exposes Critical Infrastructure Security Gaps


Executive Summary

Five water treatment plants in Poland, located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, were breached by attackers who gained access to their industrial control systems (ICS). The Polish Internal Security Agency (ABW) confirmed that attackers were able to alter operational parameters of critical equipment, posing a direct risk to the continuity and safety of water supply operations. The breaches were enabled by weak password policies and the exposure of management interfaces to the public internet, rather than by sophisticated malware or zero-day exploits. Attribution points to Russian and Belarusian state-linked advanced persistent threat (APT) groups, specifically APT28, APT29, and UNC1151, as part of a broader campaign of hybrid warfare targeting NATO and EU critical infrastructure. The incidents highlight persistent security gaps in operational technology (OT) and ICS environments and underscore the urgent need for improved cyber hygiene and access controls in critical infrastructure sectors. All findings are directly supported by primary sources, including the official ABW report and independent media coverage (TechCrunch, May 8, 2026; The Record, May 7, 2026; Security Affairs, May 8, 2026).

Technical Information

The breaches at the five Polish water treatment plants represent a significant escalation in the targeting of critical infrastructure by state-linked threat actors. Attackers exploited fundamental security weaknesses—specifically, weak password policies and the direct exposure of management interfaces to the public internet. These vulnerabilities allowed unauthorized access to ICS environments, which are responsible for controlling and monitoring essential water treatment processes.

Attack Vector Analysis: Initial access was achieved through the use of weak or default credentials and by exploiting management interfaces (such as web-based human-machine interfaces (HMIs), remote desktop protocols (RDP), or virtual network computing (VNC)) that were accessible from the internet without adequate protection. There is no evidence of the use of advanced malware, custom exploit frameworks, or zero-day vulnerabilities. Instead, the attackers relied on basic but effective techniques that have been repeatedly highlighted as risks in the OT/ICS security community (Security Affairs, May 8, 2026).

MITRE ATT&CK Mapping: The attack methods align with several MITRE ATT&CK techniques:

- Valid Accounts (T1078): Attackers used weak or default credentials to gain access to ICS/OT systems.
- External Remote Services (T1133): Attackers exploited exposed management interfaces accessible from the internet.
- Impair Process Control (T0832, ICS): Attackers gained the ability to alter operational parameters of ICS devices, directly threatening water supply continuity.
- Inhibit Response Function (T0802, ICS): Attackers could potentially disable alarms or safety functions, further increasing operational risk.

Technical Evidence: According to the ABW report and corroborating media sources, attackers accessed administrator accounts and altered settings linked to pumps and alarms. In several cases, they could modify device operating parameters in real time, creating a direct and concrete risk to the continuity of public water services (The Record, May 7, 2026; Security Affairs, May 8, 2026).
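The access pattern described above (a login to an internet-reachable management interface with weak or guessed credentials, followed by changes to pump and alarm settings) leaves a recognizable trail in HMI and remote-access logs. The script below is an added detection example written for this report; it is not code from the ABW, the affected plants, or any cited source. The log lines, hostnames, the approved VPN pool (10.50.0.0/24) and the event format are all constructed assumptions; a real deployment would map its own RDP, VNC or HMI audit logs onto the same three rules.

```python
"""Detection logic for the access pattern described above: a login to an ICS
management interface (RDP, VNC or web HMI) from outside the approved
remote-access ranges, credential guessing before that login, and a parameter
change made in that externally sourced session. All log lines, hostnames and
address ranges are constructed for this example."""
import ipaddress
import re

# Assumed site layout (constructed): the only approved remote-access source is
# the VPN pool; anything else reaching a management interface is suspect.
APPROVED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]
FAILURE_THRESHOLD = 2  # failed logins before a success that count as guessing

# Constructed syslog-style events from two HMI hosts (not real plant data).
SAMPLE_LOG = """\
2025-06-01T02:11:04Z hmi-01 AUTH user=admin src=203.0.113.45 proto=vnc result=success
2025-06-01T02:11:31Z hmi-01 PARAM user=admin src=203.0.113.45 tag=PUMP2_SETPOINT old=55 new=10
2025-06-01T08:02:10Z hmi-01 AUTH user=operator.k src=10.50.0.17 proto=rdp result=success
2025-06-01T08:05:44Z hmi-01 PARAM user=operator.k src=10.50.0.17 tag=ALARM_HIGH_LVL old=on new=on
2025-06-01T09:14:00Z hmi-02 AUTH user=admin src=198.51.100.7 proto=web result=failure
2025-06-01T09:14:02Z hmi-02 AUTH user=admin src=198.51.100.7 proto=web result=failure
2025-06-01T09:14:05Z hmi-02 AUTH user=admin src=198.51.100.7 proto=web result=success
2025-06-01T09:20:00Z hmi-02 PARAM user=admin src=198.51.100.7 tag=ALARM_HIGH_LVL old=on new=off
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH|PARAM) (?P<kv>.*)$")


def parse_line(line):
    """Parse one event into a dict of fields; lines that do not match return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_approved(src):
    """True if the source address lies inside an approved remote-access range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in APPROVED_SOURCES)


def _alert(rule, rec, **extra):
    base = {"rule": rule, "ts": rec["ts"], "host": rec["host"],
            "user": rec["user"], "src": rec["src"]}
    base.update(extra)
    return base


def analyze(log_text):
    """Apply three rules and return alerts in log order:
    failures_then_success  - FAILURE_THRESHOLD or more failed AUTHs, then success (T1078)
    external_login         - successful AUTH from outside APPROVED_SOURCES (T1133)
    external_param_change  - PARAM change by a session that logged in externally (T0832/T0802)
    """
    alerts = []
    failures = {}              # (host, user, src) -> failed AUTH count so far
    external_sessions = set()  # (host, user, src) tuples that logged in from outside
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["host"], rec["user"], rec["src"])
        if rec["event"] == "AUTH":
            if rec["result"] != "success":
                failures[key] = failures.get(key, 0) + 1
                continue
            if failures.get(key, 0) >= FAILURE_THRESHOLD:
                alerts.append(_alert("failures_then_success", rec, failures=failures[key]))
            if not is_approved(rec["src"]):
                external_sessions.add(key)
                alerts.append(_alert("external_login", rec, proto=rec["proto"]))
        elif rec["event"] == "PARAM" and key in external_sessions and rec["old"] != rec["new"]:
            alerts.append(_alert("external_param_change", rec,
                                 tag=rec["tag"], old=rec["old"], new=rec["new"]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

The third rule is the one that matters most for a water utility: a setpoint or alarm change is routine when an operator on the VPN makes it, and an incident when it is made from a session that should never have reached the HMI at all. Keying the session on (host, user, src) rather than on the user alone is deliberate, since the same administrator account may legitimately be in use from the approved range at the same time.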

Malware and Tools: No specific malware, custom tools, or technical indicators (such as file hashes or network signatures) were identified in the public reporting. The breaches were achieved through exploitation of weak credentials and exposed interfaces, not through the deployment of advanced malware (Security Affairs, May 8, 2026).

Attribution and Threat Actor Activity: The ABW and supporting sources attribute the campaign to Russian APT groups APT28 (also known as Fancy Bear), APT29 (Cozy Bear), and the Belarusian-aligned UNC1151. These groups are known for intelligence collection, disruptive cyber operations, and coordinated information warfare, with a history of targeting NATO and EU states. The attribution is based on historical targeting patterns, tactics, techniques, and procedures (TTPs), and the broader geopolitical context of Russian and Belarusian hybrid warfare. However, no technical artifacts directly link the specific breaches to these groups, so attribution confidence is assessed as medium-high (Security Affairs, May 8, 2026).

Sector-Specific Targeting Patterns: The attacks targeted water treatment plants, a critical infrastructure sector, and directly threatened public safety and the continuity of essential services. Similar attacks have been observed globally, including Iranian-backed attacks on U.S. water utilities, indicating a trend of targeting OT/ICS in the water and energy sectors (TechCrunch, May 8, 2026). The exploitation of basic security weaknesses, such as weak passwords and exposed interfaces, is a recurring theme in OT/ICS breaches.

Summary Table: Key Findings

Aspect            Details                                  Confidence    Source
Attack Vector     Weak passwords, exposed interfaces       High          Security Affairs, The Record
Malware/Tools     None identified                          High          Security Affairs
Threat Actors     APT28, APT29, UNC1151 (Russia/Belarus)   Medium-High   Security Affairs, ABW
MITRE ATT&CK      T1078, T1133, T0832, T0802               High          Mapped from incident details
Sector Targeting  Water/critical infrastructure            High          All sources

Conclusion: The breaches at five Polish water treatment plants in 2025 were enabled by basic OT/ICS security failures, specifically weak password policies and exposed management interfaces. Attackers gained the ability to alter operational parameters, directly threatening water supply continuity. Attribution points to Russian and Belarusian state-linked APT groups (APT28, APT29, UNC1151), consistent with broader hybrid warfare campaigns targeting NATO/EU critical infrastructure. The attack methods map directly to MITRE ATT&CK techniques T1078 (Valid Accounts), T1133 (External Remote Services), T0832 (Impair Process Control), and T0802 (Inhibit Response Function). Attribution confidence is medium-high, based on pattern analysis and circumstantial evidence, but lacks technical artifacts for high-confidence attribution.

Affected Versions & Timeline

The breaches affected water treatment plants in the towns of Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. The specific ICS products, vendors, or software versions involved have not been publicly disclosed in the available reporting. The attacks occurred in 2025, with the ABW’s public report and international media coverage published in May 2026 (The Record, May 7, 2026; Security Affairs, May 8, 2026).

The timeline of verified events is as follows: In 2025, attackers breached the ICS environments of five water treatment plants, gaining the ability to alter operational parameters. The incidents were detected and investigated by the ABW, which published its findings in a public report on May 7, 2026. International media outlets reported on the findings on May 7 and 8, 2026.

Threat Activity

The threat activity observed in these incidents is characterized by the exploitation of weak password policies and the exposure of management interfaces to the public internet. Attackers gained unauthorized access to ICS environments, allowing them to alter operational parameters of critical equipment, such as pumps and alarms. This created a direct risk to the continuity and safety of water supply operations.

The ABW and supporting sources attribute the campaign to Russian APT groups APT28 and APT29, as well as the Belarusian-aligned UNC1151. These groups are known for conducting intelligence collection, disruptive cyber operations, and coordinated information warfare campaigns targeting NATO and EU states. The campaign is seen as part of a broader Russian strategy to destabilize NATO/EU states through hybrid warfare, including cyberattacks on critical infrastructure (Security Affairs, May 8, 2026; TechCrunch, May 8, 2026).

No specific malware or custom tools were identified in the public reporting. The breaches were achieved through basic but effective techniques, rather than through the deployment of advanced malware or zero-day exploits.

Mitigation & Workarounds

The following mitigation actions are prioritized by severity:

Critical: Immediate removal of all direct internet exposure for ICS/OT management interfaces. All remote access to ICS environments must be routed through secure, monitored, and authenticated channels such as virtual private networks (VPNs) with multi-factor authentication (MFA).

Critical: Enforcement of strong password policies for all ICS/OT systems, including the elimination of default credentials, mandatory password complexity, and regular password rotation.

High: Comprehensive network segmentation to separate ICS/OT networks from corporate IT and public networks, minimizing the attack surface and limiting lateral movement in the event of a breach.

High: Continuous monitoring and logging of all access to ICS/OT systems, with real-time alerting for suspicious or unauthorized activity.

Medium: Regular vulnerability assessments and penetration testing of ICS/OT environments to identify and remediate security weaknesses before they can be exploited.

Medium: Implementation of strict access controls and least-privilege principles for all ICS/OT accounts, ensuring that only authorized personnel have access to critical systems.

Low: Ongoing security awareness training for all staff with access to ICS/OT environments, emphasizing the importance of password hygiene and the risks of exposing management interfaces.

All mitigation recommendations are based on the technical findings from the ABW report and corroborating sources, as well as established best practices for OT/ICS security (Security Affairs, May 8, 2026).
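The first two Critical items and the segmentation item above reduce to one verifiable condition: no firewall or NAT rule may let an OT management or control port be reached from any source other than the authenticated remote-access path. The audit below is an added example written for this report, not code from the ABW, the plants, or any cited source. The rule set, the OT subnet (192.168.100.0/24), the VPN pool (10.50.0.0/24) and the VPN gateway address are constructed assumptions; the port list uses well-known assignments, and which ports matter at a given site is a local policy decision.

```python
"""Exposure audit for the Critical mitigations above: report every allow rule
that lets an ICS management or control-protocol port on the OT subnet be
reached from outside the approved remote-access path, and show the hardened
rule beside it. Rule set, subnets and names are constructed for this example."""
import ipaddress
from dataclasses import dataclass, replace

# Assumed network layout (constructed, not from the report).
OT_SUBNET = ipaddress.ip_network("192.168.100.0/24")
APPROVED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]  # VPN pool behind MFA (assumed)

# Well-known ports for ICS management and control traffic. Which of these a
# site treats as sensitive is a policy choice; this set is an assumption.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http-hmi", 443: "https-hmi",
              502: "modbus-tcp", 3389: "rdp", 5900: "vnc", 44818: "ethernet-ip"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or single address
    dst: str      # CIDR or single address
    proto: str
    dport: int


# Constructed rule set: two direct internet exposures, one reachable from the
# corporate IT network, one correct VPN-only rule, and the VPN gateway itself.
CONSTRUCTED_RULES = [
    Rule("hmi-vnc-any",    "allow", "0.0.0.0/0",     "192.168.100.10", "tcp", 5900),
    Rule("hmi-rdp-vpn",    "allow", "10.50.0.0/24",  "192.168.100.10", "tcp", 3389),
    Rule("plc-modbus-any", "allow", "0.0.0.0/0",     "192.168.100.20", "tcp", 502),
    Rule("vpn-gw-https",   "allow", "0.0.0.0/0",     "198.51.100.2",   "tcp", 443),
    Rule("hmi-web-corp",   "allow", "172.16.0.0/16", "192.168.100.10", "tcp", 443),
    Rule("deny-all",       "deny",  "0.0.0.0/0",     "0.0.0.0/0",      "any", 0),
]


def touches_ot_mgmt(rule):
    """True if the destination overlaps the OT subnet on a management/control port."""
    dst = ipaddress.ip_network(rule.dst, strict=False)
    return dst.overlaps(OT_SUBNET) and rule.dport in MGMT_PORTS


def source_is_approved(rule):
    """True if the whole source range lies inside an approved remote-access network."""
    src = ipaddress.ip_network(rule.src, strict=False)
    return any(src.subnet_of(net) for net in APPROVED_SOURCES)


def audit(rules):
    """Return (finding, hardened_rule) pairs, one per exposed allow rule.

    The hardened rule keeps destination, protocol and port but restricts the
    source to the first approved network, which is the remediation the
    Critical mitigation describes (remote access only via the VPN path)."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not touches_ot_mgmt(rule):
            continue
        if source_is_approved(rule):
            continue
        src = ipaddress.ip_network(rule.src, strict=False)
        reason = ("open to the whole internet" if src.prefixlen == 0
                  else f"reachable from non-approved network {src}")
        hardened = replace(rule, src=str(APPROVED_SOURCES[0]))
        findings.append(({"rule": rule.name, "service": MGMT_PORTS[rule.dport],
                          "dst": rule.dst, "reason": reason}, hardened))
    return findings


if __name__ == "__main__":
    for finding, fixed in audit(CONSTRUCTED_RULES):
        print(f"{finding['rule']}: {finding['service']} on {finding['dst']} "
              f"{finding['reason']} -> restrict src to {fixed.src}")
```

The gateway rule (vpn-gw-https) is correctly left alone: its destination is the VPN concentrator, not an OT host, and that is the one place internet-sourced traffic is supposed to terminate. The corporate-IT rule is flagged even though it is not internet-facing, which is the segmentation point from the High-priority item above: a compromised office workstation must not be able to reach the HMI directly.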

References

TechCrunch, May 8, 2026: https://techcrunch.com/2026/05/08/poland-says-hackers-breached-water-treatment-plants-and-the-u-s-is-facing-the-same-threat/

The Record, May 7, 2026: https://therecord.media/polish-intelligence-warns-hackers-attacked-water-treatment

Security Affairs, May 8, 2026: https://securityaffairs.com/191868/security/cyberattacks-on-polands-water-plants-a-blueprint-for-hybrid-warfare.html

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their supply chain and critical infrastructure environments. Our platform enables continuous visibility into vendor security posture, supports automated risk assessments, and facilitates rapid response to emerging threats. For questions about this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.