Poland’s Internal Security Agency (ABW) has documented a significant escalation in cyberattacks targeting industrial control systems (ICS) and other operational technology (OT) infrastructure during 2024 and 2025, with state-sponsored threat actors increasingly shifting focus toward the physical disruption of critical services.
A Polish official revealed in August 2025 that a cyberattack could have caused a city to lose its water supply, but the attack was thwarted. No technical information was shared at the time.
The government agency’s new report [written in Polish] provides more information about these types of attacks on the country’s water sector.
[ Read: Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion ]
According to ABW, the most significant incidents involved direct intrusions into ICS at water treatment facilities across multiple Polish municipalities. In 2025, the agency recorded security breaches at water treatment stations in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo.
In some cases the attackers gained access to ICS and obtained the ability to modify the operational parameters of equipment, creating a direct risk to operational continuity and the public water supply.
The agency identified two primary attack vectors enabling these ICS intrusions: weak password policies and systems exposed directly to the internet. These are longstanding OT security hygiene failures, and they were also recently leveraged in a Russia-linked attack on Polish energy facilities.
Beyond water systems, ABW documented an increase in attacks targeting supply chains, critical infrastructure, and ICS at other types of municipal utilities, including wastewater treatment plants and waste incineration facilities.
Investigators determined that attackers targeting supply chains specifically sought contract data, project documentation, and authentication credentials that enable downstream access to systems.
ABW attributed primary responsibility to hacktivist groups, though these are often personas used by foreign governments, particularly Russian intelligence services.
The report specifically names Russian APT groups such as APT28 and APT29, and Belarusian-linked UNC1151 as operating against Polish targets.
Related: Polish Space Agency Hit by Cyberattack
Related: Poland Faced a Surge in Cyberattacks in 2025, Including a Major Assault on the Energy Sector
Related: Man Linked to Phobos Ransomware Arrested in Poland
Related: Hacking Attempt Reported at Poland’s Nuclear Research Center
