Hackers Breached Water Treatment Plants Through Exposed ICS and Weak Passwords
Poland disclosed cyberattacks on five water treatment plants after intruders breached industrial control systems and, in some cases, gained the ability to change settings for pumps, alarms, and treatment equipment. Investigators said the compromises were enabled by basic security failures, including weak passwords and internet-exposed systems, and Polish authorities linked parts of the activity to Russian-aligned actors seeking to disrupt public services and probe infrastructure resilience.
The incidents echo the earlier intrusion at a Florida water plant, where attackers reportedly exploited outdated software and poor password practices to gain access to operational systems. Together, the cases underscore a persistent risk across municipal water utilities: insecure remote access, exposed human-machine interfaces, aging control technology, and weak authentication can turn preventable weaknesses into threats to service continuity and public safety.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Poland links parts of water utility campaign to Russian-aligned actors
In the same disclosure, Polish authorities said parts of the campaign were linked to Russian-aligned threat actors and described the activity as an effort to destabilize public services and test resilience. The disclosure framed the incidents as a warning about similar weaknesses in other countries’ water infrastructure.
Poland discloses cyberattacks on five water treatment plants
Polish authorities disclosed a series of cyberattacks affecting five water treatment plants, where attackers breached industrial control systems and in some cases gained the ability to alter settings for pumps, alarms, and treatment equipment. Investigators said the intrusions were enabled by weak passwords and internet-exposed systems.
Forbes reports technical weaknesses behind Oldsmar breach
Forbes published details that the Oldsmar water plant intrusion was enabled by old software and weak password habits, adding technical context to the already disclosed incident. The reporting highlighted broader security weaknesses in water utility remote access environments.
Hackers access Florida water treatment controls in Oldsmar
An intruder gained remote access to the City of Oldsmar, Florida water treatment plant’s control system and briefly changed sodium hydroxide levels, though an operator quickly reversed the change before it affected the water supply. Reporting tied the incident to outdated software and poor password practices that enabled the access.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Poland Water Plant Hacks Expose Growing Cyber Threat to U.S. Infrastructure - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceFlorida Water Plant Hackers Exploited Old Software And Poor Password Habits
forbes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Poland Water Plant Breaches Spur Broader Critical Infrastructure Resilience Push
Poland’s Internal Security Agency said hackers breached five water treatment plants and could potentially have taken control of industrial equipment, raising the risk of compromised water safety and possible physical harm. The incidents were disclosed alongside a wider warning that sabotage campaigns targeting Polish military sites, civilian entities, and critical infrastructure pose an immediate threat, while Sweden separately reported that suspected pro-Russian hackers attempted to disrupt a thermal power plant but were stopped by built-in protections. Officials in both countries described the activity as part of a broader pattern of increasingly aggressive attacks on operational technology across Europe, particularly against infrastructure in countries supporting Ukraine. In the United States, the disclosures add urgency to CISA’s new **CI Fortify** initiative, which tells critical infrastructure operators in sectors including water, energy, transportation, and communications to prepare to keep essential services running for **weeks to months** while isolated from business networks, vendors, and telecom providers. CISA said the program is designed for scenarios in which attackers may already have access to OT environments and foreign adversaries are prepositioned inside U.S. infrastructure, with guidance focused on isolating control systems, maintaining offline and manual operations, and rehearsing recovery through tested backups, documentation, and component replacement plans.
May 14, 2026
Hacktivist and Cyberattacks Targeting Water Utilities and Critical Infrastructure
Canada’s Centre for Cyber Security has issued a warning about the increasing threat posed by hacktivists and other malicious actors targeting industrial control systems (ICS) in critical sectors such as water, oil and gas, and agriculture. The agency highlighted recent real-world incidents where attackers gained access to control systems, including a case where hackers tampered with water pressure at a Canadian water utility, impacting customer service. The alert also referenced similar attacks in the United States, such as the Cyber Av3ngers’ intrusion into a Pennsylvania water authority’s ICS and the Oldsmar, Florida incident where a hacker attempted to alter chemical levels in the water supply. These events underscore the risks associated with internet-exposed ICS devices and the potential for operational disruption. In the United Kingdom, reports obtained from the Drinking Water Inspectorate (DWI) reveal that five cyberattacks have targeted Britain’s drinking water suppliers since early 2024. While none of these incidents directly compromised the safety of the water supply, they did affect the organizations responsible for its delivery. The DWI noted that current regulations only require formal reporting of cyber incidents that disrupt essential services, potentially leaving other significant threats unreported. British officials are considering changes to the legal framework to lower the threshold for mandatory disclosure of cyber incidents affecting critical infrastructure. Both Canadian and British authorities emphasize the growing cyber risk to water utilities and the need for improved resilience and reporting standards.
Mar 21, 2026
Cyber Av3ngers Exploited Unitronics PLCs at Water Utilities in the U.S. and Ireland
A cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania exposed a broader campaign targeting **Unitronics Vision Series PLCs** used in water and wastewater operations. Attackers linked to the pro-Iran **Cyber Av3ngers** group reportedly defaced facility screens and disrupted a remote water pressure station, prompting operators to take affected equipment offline and switch to manual or backup processes; officials said drinking water quality and core service were not affected because the compromised system was isolated from the main treatment plant. Reporting also cited a separate incident at a North Texas utility, underscoring concern that internet-exposed industrial control systems are being actively targeted across the sector. U.S. and Irish authorities later tied similar activity to exploitation of weakly secured or internet-accessible Unitronics controllers, including default or poor password practices and the vulnerability tracked as `CVE-2023-6448`, which was added to CISA's Known Exploited Vulnerabilities catalog. In Ireland, attackers disrupted water service to about 160 households in County Mayo after compromising a PLC at a private group water scheme. CISA warned water operators to remove PLCs from direct internet exposure, change default credentials, enforce multifactor authentication where possible, and back up device configurations as officials and experts warned that undersecured operational technology poses an ongoing risk to critical infrastructure.
May 27, 2026