A security breach at Polish water treatment plants may have allowed hackers to take control of the industrial equipment and tamper with water quality, according to an official report.
The report was published by Poland’s Internal Security Agency, Agencja Bezpieczeństwa Wewnętrznego (ABW), which is responsible for counterintelligence, counterterrorism, and cybersecurity.
It documented over 40,000 malicious cyber activities over the last two years, from 2024 to 2025, including espionage, disinformation, sabotage, and attempts to destabilize Poland, NATO, and the European Union.
Hackers target Poland’s water treatment plants
The report found that a security breach at Poland’s water treatment plants may have undermined the quality of drinking water, potentially putting lives at risk.
“Cyberattacks have evolved from stealing information, damaging reputations, and causing financial loss to the point where people are now asking whether cyberattacks could directly cost lives. We are getting closer to that reality,” warned Lydia Zhang, President & Co-Founder, Ridge Security.
While the agency did not attribute the security breach to any specific country, it reported that the country frequently experienced cyber attacks from Russian and Belarusian hackers.
According to the report, each of five Polish towns (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo) experienced a security breach targeting at least one of its water treatment plants.
In 2025, Polish cybersecurity outlet CyberDefence24 attributed a security breach on Polish water treatment plants to a vocal pro-Kremlin hacktivist group. The hacktivists compromised the Jabłonna Lacka Water Treatment Station in Masovian Voivodeship by gaining access to an admin account and setting all parameters to the highest possible levels except the alarm levels, which they set to the minimum. The group also attacked Szczytno and the SUW Małdyty water treatment plants.
“Attackers, gaining access in some cases to industrial control systems, had the ability to alter technical parameters of devices,” the report warned.
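The pattern reported for Jabłonna Lacka, process parameters pushed to their maximum while alarm levels are dropped to their minimum from a single account, can be detected in an HMI audit trail. The following is an added example, not code from the ABW report, CyberDefence24, or any vendor; the log format, tag names, engineering ranges, and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tag catalogue: (range min, range max, is_alarm_threshold)
TAGS = {
    "chlorine_dose_sp":    (0.0, 5.0, False),
    "pump1_speed_sp":      (0.0, 100.0, False),
    "chlorine_hi_alarm":   (0.5, 5.0, True),
    "tank_level_hi_alarm": (10.0, 95.0, True),
}
# Constructed HMI audit lines (hypothetical format), not from any real incident.
SAMPLE_LOG = """\
2000-01-01T09:00:10 user=operator1 tag=pump1_speed_sp new=65.0
2000-01-01T09:05:00 user=operator1 tag=chlorine_hi_alarm new=4.0
2000-01-01T02:14:05 user=admin tag=chlorine_dose_sp new=5.0
2000-01-01T02:14:40 user=admin tag=pump1_speed_sp new=100.0
2000-01-01T02:15:30 user=admin tag=chlorine_hi_alarm new=0.5
2000-01-01T02:16:02 user=admin tag=tank_level_hi_alarm new=10.0
""".splitlines()
LINE = re.compile(r"(\S+) user=(\S+) tag=(\S+) new=(-?\d+(?:\.\d+)?)")

def extreme_writes(lines):
    """Yield (time, user, tag, kind) for writes that pin a tag to a range limit."""
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if not m or m.group(3) not in TAGS:
            continue  # malformed line or unknown tag: ignore here, review separately
        ts, user, tag, new = m.groups()
        lo, hi, is_alarm = TAGS[tag]
        if is_alarm and float(new) <= lo:
            yield datetime.fromisoformat(ts), user, tag, "alarm_min"
        elif not is_alarm and float(new) >= hi:
            yield datetime.fromisoformat(ts), user, tag, "setpoint_max"

def detect(lines, window=timedelta(minutes=10), min_setpoints=2):
    """Flag accounts that max out setpoints and minimise alarms within one window."""
    by_user = defaultdict(list)
    for ev in sorted(extreme_writes(lines)):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - first[0] <= window]
            sp = {e[2] for e in burst if e[3] == "setpoint_max"}
            al = {e[2] for e in burst if e[3] == "alarm_min"}
            if len(sp) >= min_setpoints and al:  # both halves of the pattern
                alerts.append((user, first[0].isoformat(), sorted(sp | al)))
                break  # one alert per account is enough to page an operator
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags only the constructed `admin` burst; the routine operator changes do not reach either range limit and are ignored.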
ABW also warned about Russian attacks aiming to destabilize NATO and European Union states. So far, dozens of suspects have been arrested and charged with various crimes, including espionage and vandalism. The attacks were carried out by individuals belonging to highly organized criminal groups or loosely connected operatives recruited online.
“And this is not random opportunistic hacking,” said Denis Calderone, CTO, Suzu Labs. “Poland’s internal security agency is describing what amounts to a sustained campaign against NATO critical infrastructure. The ABW report names Russian intelligence services as the driving force behind intensified cyber operations against Poland in 2024 and 2025, and these water attacks are part of a broader pattern that includes the national railway, air traffic control, and a foiled attempt to shut off water to one of Poland’s ten largest cities.”
“The ABW opened 48 espionage investigations in 2025 alone, up from six the year Russia invaded Ukraine. Considering everything we’re seeing, this is not run-of-the-mill hacktivism. This is a coordinated intelligence operation with critical infrastructure as a central target,” added Calderone.
The agency also found that the hackers targeted other critical infrastructure organizations, including military facilities, power grids, transport networks, public facilities, and networks supporting Ukraine’s resistance against the occupation.
“The most serious challenge remains the sabotage activity against Poland, inspired and organized by Russian intelligence services,” the agency stated. “This threat was (and is) real and immediate. It requires full mobilization.”
In December 2025, Russian hackers attempted to shut down Poland’s power grid and disrupt communication networks in one of the “strongest attacks” against the country’s critical infrastructure.
According to the report, the attacks primarily targeted supply chain contractors, critical infrastructure operators, and poorly secured remote management systems. Many industrial control systems remain exposed to the internet despite lacking the necessary security controls to prevent exploitation.
“Default passwords on devices running unauthenticated protocols, sitting directly on the public internet, operated by staff who mistook active cyberattacks for normal equipment glitches,” added Calderone. “Every one of those problems traces back to the same root cause, that these systems were converged onto IP networks with zero defensive posture in mind. If anyone had architected even basic protections against internet-borne attack vectors when these HMIs and PLCs were networked, you wouldn’t see this kind of systemic exposure across five water treatment facilities in a single country.”
Water treatment plants under persistent cyber attacks
The security breach followed similar attacks targeting U.S. critical infrastructure organizations, including water and wastewater treatment facilities.
On September 22, 2024, a water treatment facility in Arkansas City, Cowley County, Kansas, experienced a ransomware attack that disrupted operations, forcing the utility operator to resort to manual systems.
In March 2024, the Cybersecurity and Infrastructure Security Agency also warned that water facilities were attractive targets for state-sponsored attackers and that a major attack could cripple U.S. water systems.
In 2023, a security breach by a pro-Iranian hacktivist group, CyberAv3ngers, compromised water treatment plants in Pennsylvania by targeting Israeli-made programmable logic controllers (PLCs).
In 2021, a threat actor breached a water treatment plant in Oldsmar, Florida, and attempted to increase sodium hydroxide levels.
CISA also warned that Chinese state-sponsored threat actors were pre-positioning themselves on U.S. critical infrastructure in anticipation of a major geopolitical conflict involving both countries.
“Volt Typhoon have been pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies,” CISA cautioned.

