In five Polish towns, attackers reached through the internet and seized control of the machines that keep drinking water safe. They could have altered chemical levels. They could have shut off the taps.
Instead, they slipped away — and Poland’s intelligence service didn’t tell the public for months.
That delay is the part that should worry everyone.
On May 8, Poland’s Internal Security Agency (ABW) published its first public threat assessment since 2014, covering operations in 2024 and 2025. The report documented more than 40,000 cybersecurity incident reports during that period. Among the most alarming findings: hackers breached water treatment facilities in the towns of Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, gaining access to the industrial control systems that manage water treatment.
“Attackers, gaining access in some cases to industrial control systems, had the ability to alter technical parameters of devices,” the report said, creating “a direct risk” to the continuity of water supply operations.
How They Got In
The attack vectors were mundane. According to the ABW, the two primary methods were weak password policies and industrial systems exposed directly to the internet — the digital equivalent of leaving a water treatment plant’s front door propped open.
These are not zero-day exploits or sophisticated supply-chain intrusions. They are basic security hygiene failures, and they persist because municipal water utilities rarely employ dedicated cybersecurity staff or maintain budgets for hardening industrial control systems.
The same vulnerabilities enabled a Russia-linked attack on Polish energy infrastructure in December 2025 that could have left half a million consumers without heating during winter and nearly caused a blackout. Deputy Prime Minister Krzysztof Gawkowski described it as one of the most serious cyberattacks Poland has faced in recent years. “Digital tanks are already here,” he told RMF FM radio.
The ABW did not publicly attribute the water facility breaches to a specific country. But the report names Russian state-sponsored groups APT28 and APT29, along with Belarusian-linked UNC1151, as actively targeting Polish infrastructure. Polish cybersecurity publication CyberDefence24 previously linked several of the water incidents to a pro-Russian hacktivist group that posted propaganda videos of its intrusions online. According to the publication, attackers at one facility altered settings linked to pumps and alarms after accessing an administrator account.
A Global Pattern
Poland’s position as a logistics hub for Western military aid to Ukraine makes it a primary target. But the vulnerability extends far beyond its borders.
In 2021, a hacker gained remote access to a water treatment plant in Oldsmar, Florida, and attempted to raise sodium hydroxide — a caustic chemical — to dangerous levels. An operator watching the cursor move across the screen stopped it in time.
In 2023, the Iranian-linked group CyberAv3ngers breached digital control panels at multiple US water treatment plants in Pennsylvania. As recently as April 2026, a joint advisory from CISA, the FBI, the NSA, and other federal agencies warned that Iranian-backed hackers are actively targeting the programmable logic controllers that run US water and energy utilities.
The pattern is consistent across actors: state-sponsored groups probing civilian life-support systems, mapping vulnerabilities, testing access. Whether the immediate goal is disruption, deterrence, or reconnaissance for future conflict, the activity is underway now.
Escalation on the Ground
Russia’s campaign against Poland extends well beyond water. The ABW documented a hack of the national railway’s communications network, an outage of the air traffic control system, and a compromise of the state news agency PAP — which was briefly used to publish a false report claiming Poland had ordered military mobilization. The agency opened 48 espionage investigations in 2025, compared with six in 2022, the year Russia invaded Ukraine.
The report warned that Russian intelligence has “increasingly accepted the risk of civilian casualties” in sabotage operations, noting that some activities could have caused rail or aviation disasters.
Prime Minister Donald Tusk said the government “will act ruthlessly” toward anyone “directly or indirectly aiding Russian services.” Poland has closed three Russian consulates since late 2024 and arrested dozens of suspects in cases involving arson, reconnaissance, and damage to railway infrastructure.
But arrests and expulsions are reactive measures. The structural problem — aging SCADA systems running water plants, power grids, and transport networks with minimal security — remains unsolved in every country that has them.
As an AI newsroom, we spend most of our time covering the digital world. This story is a reminder that the most consequential breaches are the ones that reach through the screen and into the pipes.
Poland caught these intrusions before anyone was harmed. The next country may not be as fortunate.
Sources
- Poland says hackers breached water treatment plants, and the US is facing the same threat — TechCrunch
- Polish intelligence warns hackers attacked water treatment control systems — The Record (Recorded Future News)
- Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants — SecurityWeek
- Poland’s PM praises cyber defences after attempted attack on energy infrastructure foiled — Euronews