Poland's Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego, or ABW — the country's primary domestic intelligence and counterespionage service) has disclosed that attackers with suspected ties to Russia breached the industrial control systems of at least five water treatment facilities across the country. The attackers gained the ability to modify operational parameters including pump set points, chemical dosing thresholds, and water storage tank levels, creating what the ABW describes as "a direct risk to operational continuity and the public water supply." No water supply contamination has been confirmed, but the disclosures come as part of a broader pattern of Russian-linked cyber sabotage targeting Polish critical infrastructure.
ICS Breach: Technical Details
The ABW's report details a consistent attack playbook across the five facilities. Attackers gained initial access to Human-Machine Interfaces (HMIs) — the operator-facing control panels that allow staff to monitor and adjust industrial processes — and in several cases reached Programmable Logic Controllers (PLCs), the embedded computers that directly issue commands to pumps, valves, and chemical dosing systems.
Two primary entry vectors were identified:
Default and trivial credentials. Multiple facilities had ICS equipment protected by passwords as simple as 111111 or 123456. Some HMI devices enforced a maximum password length of only eight characters and placed no limit on login attempts, making brute-force attacks trivial. This is not a software vulnerability in the traditional sense — no CVE numbers were disclosed — but a persistent configuration failure endemic to industrial environments where OT systems are procured, installed, and then left unchanged for years.
Internet-exposed OT systems. HMI panels and SCADA (Supervisory Control and Data Acquisition — the broader software layer that aggregates data from PLCs and HMIs across a facility) interfaces were reachable directly from the public internet with no network segmentation between operational technology and internet-facing systems. This means an attacker with valid credentials — or the patience to brute-force trivial ones — could interact with physical plant controls from anywhere in the world.
At least one named facility saw attackers escalate to administrator-level access and make confirmed alterations to pump and alarm settings before detection.
The five named facilities are located across central and northeastern Poland — Jabłonna Lacka (Mazowieckie), Szczytno, Małdyty and Tolkmicko (Warmińsko-Mazurskie), and Sierakowo. Additional incidents beyond these five touched facilities in Wydminy, Kuźnica, Witkowo, and Chodaczów, and one attempted attack targeted an unnamed city among Poland's ten largest.
Exploitation Status and Threat Landscape
The ABW stopped short of formal attribution but stated Poland faced "intensified hostile cyber activity with particular emphasis on the special services of the Russian Federation." Reporting from The Record and Dark Reading connected the individual incidents to pro-Russian hacktivist groups that publicly posted intrusion footage, as well as to state-linked actors tracked as APT28 (Russian GRU military intelligence, also known as Fancy Bear) and UNC1151 (a Belarusian threat group that coordinates with Russian intelligence services).
The incidents fit within a documented wider Russian cyber campaign against Polish infrastructure that accelerated following Poland's support for Ukraine. In late 2024 and 2025, Polish authorities arrested and expelled several Russian intelligence operatives, and the ABW connected infrastructure targeting to a deliberate policy of hybrid warfare — cyber sabotage designed to erode public confidence in essential services without triggering a formal military response.
CISA issued a related advisory in February 2026 (following a parallel attack on a Polish energy facility) warning operators of OT systems about the exact attack patterns observed: internet-exposed HMIs, default credentials, and absence of multi-factor authentication on ICS devices.
Who Is Affected
The five named water treatment facilities serve municipal populations across four Polish administrative regions. Beyond the named plants, the ABW report acknowledges additional attempted intrusions at facilities serving Podkarpackie and Podlaskie regions. The same vulnerability profile — internet-exposed HMIs with default credentials — affects a significant proportion of water and wastewater utilities globally, not just in Poland. Shodan searches for common HMI software packages (Weintek, Beijer Electronics, GE iFIX, Inductive Automation Ignition) routinely return thousands of directly reachable devices.
The OT attack surface is particularly difficult to harden because:
- Patching cycles for ICS equipment are measured in years, not weeks.
- Many water utilities operate on lean staffing with no dedicated ICS security personnel.
- Legacy SCADA systems were designed for isolated networks and were never intended to be internet-facing.
What You Should Do Right Now
For water utility operators and ICS security teams, the ABW disclosures and the CISA advisory jointly point to a short list of urgent actions:
- Audit internet-facing ICS assets immediately. Use a tool like Shodan or your own network scanner to identify any HMI, SCADA server, or PLC management interface reachable from the public internet. There is no legitimate operational reason for these systems to be directly internet-accessible.
- Enforce strong, unique credentials on all ICS equipment. Replace any default passwords. Require a minimum of 12-character passwords. Document and centrally manage credentials in a privileged access management (PAM) system.
- Implement network segmentation. Place OT equipment behind a dedicated industrial DMZ (demilitarized zone) that permits only required protocol traffic. Use a unidirectional gateway (data diode) where bidirectional connectivity is not operationally required.
- Deploy multi-factor authentication (MFA) on all remote access paths. If operators connect to HMIs via VPN or remote desktop, MFA is non-negotiable. Check whether your HMI software supports MFA natively; if not, enforce it at the VPN or jump server layer.
- Monitor for unauthorized configuration changes. ICS systems should log every parameter change and alert on changes made outside of scheduled maintenance windows. Correlate HMI login events with downstream PLC configuration writes.
- Review the CISA advisory. The February 2026 advisory on OT vulnerabilities following the Poland energy sector attack contains specific detection guidance and recommended mitigations for the attack patterns documented by ABW.
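The monitoring item above (log every parameter change, alert outside maintenance windows, correlate HMI logins with PLC writes) can be expressed as a small correlation rule. The following is an added illustration, not code from the ABW report or any vendor product; the log formats, the OT subnet prefix, the maintenance window and the sample events are all constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample events (assumed formats, not from the ABW report).
# HMI auth log: (timestamp, event, user, source IP)
HMI_AUTH = [
    ("2026-02-03T01:58:10", "login_failed", "admin", "203.0.113.44"),
    ("2026-02-03T01:58:12", "login_failed", "admin", "203.0.113.44"),
    ("2026-02-03T01:58:15", "login_ok", "admin", "203.0.113.44"),
    ("2026-02-03T10:00:05", "login_ok", "operator1", "10.20.0.15"),
]
# PLC write log: (timestamp, user, plc, tag, old value, new value)
PLC_WRITES = [
    ("2026-02-03T02:01:30", "admin", "PLC-03", "chlorine_dose_setpoint", 1.2, 6.8),
    ("2026-02-03T10:04:00", "operator1", "PLC-03", "pump2_speed", 60, 65),
]
MAINTENANCE_WINDOW = (time(9, 0), time(12, 0))  # assumed scheduled window
OT_NETWORKS = ("10.20.",)                       # assumed OT subnet prefixes
LARGE_CHANGE = 2.0                               # relative change that warrants review

def parse(ts):
    return datetime.fromisoformat(ts)

def in_window(dt, window=MAINTENANCE_WINDOW):
    return window[0] <= dt.time() < window[1]

def failed_logins_before(user, src, dt, auths, span=timedelta(minutes=5)):
    # Count failed attempts for this user/source in the minutes before a successful login.
    return sum(1 for ts, ev, u, s in auths
               if ev == "login_failed" and u == user and s == src
               and dt - span <= parse(ts) <= dt)

def session_for(user, dt, auths):
    # Most recent successful HMI login by this user at or before the PLC write.
    cands = [(parse(ts), s) for ts, ev, u, s in auths
             if ev == "login_ok" and u == user and parse(ts) <= dt]
    return max(cands) if cands else None

def flag_writes(writes, auths):
    alerts = []
    for ts, user, plc, tag, old, new in writes:
        dt, reasons = parse(ts), []
        if not in_window(dt):
            reasons.append("outside maintenance window")
        if old and abs(new - old) / abs(old) >= LARGE_CHANGE:
            reasons.append("large setpoint change")
        sess = session_for(user, dt, auths)
        if sess is None:
            reasons.append("no matching HMI login")
        else:
            login_dt, src = sess
            if not src.startswith(OT_NETWORKS):
                reasons.append("login from non-OT address " + src)
            if failed_logins_before(user, src, login_dt, auths) >= 2:
                reasons.append("login preceded by failed attempts")
        if reasons:
            alerts.append((ts, plc, tag, old, new, reasons))
    return alerts
```

Running `flag_writes(PLC_WRITES, HMI_AUTH)` on the constructed data flags only the 02:01 chlorine setpoint write, for all four reasons, and leaves the in-window operator change alone.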
Security teams without dedicated OT expertise should engage a specialist in ICS/OT security. The ICS-CERT advisories and SANS ICS curriculum are useful starting points.
Background: Understanding the Risk
The risk profile of industrial control system attacks on water infrastructure is fundamentally different from enterprise IT breaches. A ransomware attack on a hospital's billing system disrupts operations; an attacker who can modify chlorine dosing parameters at a water treatment plant can directly harm thousands of people who have no knowledge of or recourse against the attack.
Water treatment relies on tightly controlled chemical processes. Chlorination — the addition of chlorine compounds to kill pathogens — must remain within a specific concentration range. Too little, and waterborne diseases can proliferate. Too much, and the water becomes chemically unsafe. Dosing is controlled by automated systems that the ABW report shows were accessible to unauthorized actors.
This is not theoretical. In February 2021, an attacker accessed the HMI of the Oldsmar, Florida water treatment plant and attempted to increase sodium hydroxide (lye) concentrations to 111 times the normal level. A plant operator noticed the cursor moving on screen and reversed the change before it reached distribution. The attack vector — remote desktop software with a shared password — is identical in character to the weak-credential exposure documented in Poland five years later.
The Polish cases are significant not because the attacks succeeded in poisoning water supplies — they did not — but because they demonstrate that the same ICS access that allows operators to run facilities remotely also allows attackers to interact with physical plant controls once credentials are compromised. The barrier between a network intrusion and a public health emergency is, in some facilities, a single password change or a single misconfigured firewall rule.
Pro-Russian hacktivist groups have openly stated their intent to target critical infrastructure in NATO-aligned states. The ABW disclosures provide documented evidence that the intent has become operational reality, with confirmed access to systems capable of affecting drinking water for municipal populations.
Conclusion
Poland's ABW has confirmed that attackers with suspected Russian ties reached the operational controls of at least five water treatment plants, gaining the ability to modify the physical parameters that govern safe water supply. The root causes — default credentials and internet-exposed ICS — are preventable with immediate, low-cost mitigations. Water utility operators globally should treat this disclosure as a direct threat model for their own infrastructure and act on the six-step hardening checklist above without delay.
For any query contact us at contact@cipherssecurity.com

