Poland Water Plant Breaches Spur Broader Critical Infrastructure Resilience Push
Poland's Internal Security Agency (ABW) said hackers breached five water treatment plants and could have taken control of industrial equipment, putting water safety and, in the worst case, public health at risk. The incidents were disclosed alongside a wider warning that sabotage campaigns against Polish military sites, civilian entities, and critical infrastructure pose an immediate threat. Sweden separately reported that suspected pro-Russian hackers tried to disrupt a thermal power plant in spring 2025 and were stopped by the plant's built-in protections. Officials in both countries described the activity as part of a broader pattern of increasingly aggressive attacks on operational technology (OT) across Europe, particularly against infrastructure in countries supporting Ukraine.
In the United States, the disclosures add urgency to CISA's new CI Fortify initiative, which tells operators in sectors including water, energy, transportation, and communications to prepare to keep essential services running for weeks to months while cut off from business networks, vendors, and telecom providers. CISA said the program assumes that attackers may already have access to OT environments and that foreign adversaries are prepositioned inside U.S. infrastructure; its guidance focuses on isolating control systems, sustaining offline and manual operations, and rehearsing recovery with tested backups, documentation, and component replacement plans.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
ABW linked Poland water-plant breaches to APT28, APT29, and UNC1151
Poland's Internal Security Agency attributed the 2025 compromises of five water treatment plants to the Russia-linked groups APT28 and APT29 and to the Belarus-aligned UNC1151. The agency said the intrusions relied on internet-exposed management interfaces and weak passwords rather than zero-day exploits.
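The root cause ABW describes, exposed management interfaces protected only by weak passwords, is also one of the easiest things to detect on the defender's side: a management login that arrives from outside the plant's own networks, or a run of failed logins that ends in a success. The script below is an added example, not code from ABW, CISA, or any vendor cited on this page. It assumes a constructed, syslog-style authentication log for an HMI and a PLC gateway (the hostnames, addresses, and line format are invented for illustration) and an allowlist of the plant's management subnets; everything outside that allowlist is treated as external.

```python
"""Detection logic for OT management-interface abuse: logins from outside the
plant's management networks and brute-force runs that end in success.

Added example for this page.  The log format, hostnames, and addresses below
are constructed for illustration and do not come from any real utility."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from a real plant).  The first block is a
# six-attempt password guess against the HMI 'admin' account that succeeds;
# the last line is a vendor account reaching a PLC gateway over VNC from outside.
SAMPLE_LOG = """\
2025-03-02T01:10:04Z hmi01 auth: FAILED user=admin src=203.0.113.45 svc=web-hmi
2025-03-02T01:10:06Z hmi01 auth: FAILED user=admin src=203.0.113.45 svc=web-hmi
2025-03-02T01:10:09Z hmi01 auth: FAILED user=admin src=203.0.113.45 svc=web-hmi
2025-03-02T01:10:12Z hmi01 auth: FAILED user=admin src=203.0.113.45 svc=web-hmi
2025-03-02T01:10:15Z hmi01 auth: FAILED user=admin src=203.0.113.45 svc=web-hmi
2025-03-02T01:10:18Z hmi01 auth: OK user=admin src=203.0.113.45 svc=web-hmi
2025-03-02T06:30:00Z hmi01 auth: OK user=operator src=10.20.0.14 svc=web-hmi
2025-03-02T07:02:41Z plc-gw auth: OK user=vendor src=198.51.100.7 svc=vnc
"""

# Assumed plant management subnets.  Anything outside these is "external";
# this is deliberately stricter than a public/private IP test, because a
# flat corporate LAN reaching the HMI is also a policy violation.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_management_source(src):
    """True if src falls inside one of the allowlisted management subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def analyze(events, failure_threshold=5):
    """Return alerts as (rule, host, user, src) tuples.

    Rules:
      external-source-login  successful login from outside MANAGEMENT_NETS
      bruteforce-success     success preceded by >= failure_threshold failures
                             for the same (host, user, src)
    A production rule would also bound the failure run by a time window.
    """
    alerts = []
    failures = defaultdict(int)  # (host, user, src) -> consecutive failures
    for e in events:
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "FAILED":
            failures[key] += 1
            continue
        if not is_management_source(e["src"]):
            alerts.append(("external-source-login",) + key)
        if failures[key] >= failure_threshold:
            alerts.append(("bruteforce-success",) + key)
        failures[key] = 0  # a success closes the run
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed input this yields three alerts: the external login and the brute-force success for `admin` on `hmi01`, and the external vendor login to `plc-gw`; the operator login from `10.20.0.14` is silent. The same allowlist is the control CI Fortify's isolation guidance points at: if management interfaces are only reachable from these subnets, the first rule should never fire at all.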
Poland published a two-year threat report on sabotage attempts
Poland's Internal Security Agency released a broader report saying it had thwarted multiple sabotage operations attributed to Russian spies and hackers targeting military facilities, critical infrastructure, and civilian entities. The agency warned that such attacks posed a real and immediate threat and could have caused fatalities.
Poland detected intrusions at five water treatment plants
Poland's Internal Security Agency said attackers breached five water treatment plants and could have taken control of industrial equipment, with contaminated or unsafe water as the worst-case outcome. The agency presented the incidents as part of a broader pattern of hostile activity against Polish critical infrastructure.
CISA urged operators to plan for weeks or months in isolation
As part of CI Fortify, CISA publicly called on critical infrastructure owners to prepare to operate while disconnected from business IT, vendors, and telecom dependencies for extended periods during conflict or major cyberattack. The guidance emphasized backups, documentation, component replacement rehearsals, and manual operations to sustain service continuity.
CISA launched the CI Fortify initiative
CISA rolled out CI Fortify to help critical infrastructure operators maintain essential services during severe cyber incidents by focusing on OT isolation and recovery. The initiative includes pilot assessments and planning support for sectors such as water, energy, transportation, and communications.
Sweden publicly disclosed the 2025 power plant intrusion attempt
Swedish civil defense minister Carl-Oskar Bohlin said a suspected pro-Russian hacker group had attempted to breach a thermal power plant in western Sweden in spring 2025. Officials framed the case as part of a broader trend of increasingly destructive cyber operations against European critical infrastructure.
Hackers attempted to breach a Swedish thermal power plant
In spring 2025, a suspected pro-Russian group tried to disrupt a thermal power plant in western Sweden, but the plant's built-in protections prevented the intrusion from succeeding. Sweden's security service investigated and linked the perpetrators to actors believed to be connected to Russian intelligence services.
CyberAv3ngers targeted U.S. water utilities
In 2023, the Iranian-linked CyberAv3ngers group conducted intrusions affecting U.S. water infrastructure, reinforcing concerns that foreign state-backed actors were targeting internet-exposed industrial control systems. The activity was later cited alongside broader federal warnings to the sector.
Hackers remotely altered controls at Oldsmar water plant
In February 2021, an intruder used the remote-access software on an operator workstation at the Oldsmar, Florida water treatment facility to raise the sodium hydroxide (lye) setpoint; an operator watching the screen reverted the change before it affected the water supply. The incident became a standard example in later warnings about water-sector cyber threats, and a reminder that remote access to control screens is a control in its own right.
Sources
Russian Attacks on Polish Water Utilities Use Fear as Weapon (govinfosecurity.com)
Cyberattacks on Poland's Water Plants: A Blueprint for Hybrid Warfare (securityaffairs.com)
Poland says hackers breached water treatment plants, and the U.S. is facing the same threat (techcrunch.com)
CISA Urges CI to Make Plans to Remain Active if hit by Cyber-Attack (infosecurity-magazine.com)
CISA 'CI Fortify' Aims to Keep Services Running Under Attack (bankinfosecurity.com)
CISA wants critical infrastructure to operate 'weeks to months' in isolation during conflict (cyberscoop.com)
Sweden says pro-Russian hackers attempted to breach thermal power plant (therecord.media)


