Poland’s Internal Security Agency (ABW) recently disclosed a series of cyberattacks targeting industrial control systems (ICS) at five water treatment plants in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo during 2024 and 2025. These incidents, which could have disrupted public water supplies, underscore a dangerous escalation in state-sponsored cyber operations against critical infrastructure. While the ABW report attributes the attacks to Russian-linked groups like APT28 and APT29, as well as Belarusian-affiliated UNC1151, it misses the broader strategic context and systemic failures that enable such intrusions. This analysis delves into the geopolitical motivations behind these attacks, the persistent gaps in operational technology (OT) security, and the cascading risks to public safety and regional stability.

The ABW report highlights basic security lapses—weak password policies and internet-exposed systems—as primary attack vectors. These are not new issues; they echo vulnerabilities exploited in prior incidents, such as the 2021 Colonial Pipeline ransomware attack in the United States and the 2017 Triton malware attack on a Saudi petrochemical plant. Poland’s water sector breaches are a stark reminder that OT environments, often running on legacy systems, remain soft targets for adversaries. What the report underplays is the scale of negligence: many municipalities lack the funding or expertise to modernize ICS or implement robust cybersecurity frameworks like NIST 800-82. This systemic underinvestment is a global problem, but it is particularly acute in Eastern Europe, where infrastructure is often a patchwork of outdated Soviet-era systems and modern upgrades.

Geopolitically, the timing and targeting of these attacks are no coincidence. Poland, a staunch NATO member and a key supporter of Ukraine, has been a frequent target of Russian hybrid warfare since the 2014 annexation of Crimea. The surge in cyberattacks on Polish infrastructure in 2025 aligns with heightened tensions following Poland’s increased military aid to Ukraine and its role in hosting NATO exercises. Russian APT groups, often operating under the guise of hacktivist personas, aim to destabilize public services as a form of psychological warfare, eroding trust in government while testing Western resolve. The ABW’s mention of Belarusian UNC1151 further suggests a coordinated effort within the Russia-Belarus axis, a pattern seen in the 2021 Ghostwriter campaign targeting Polish and Baltic officials with disinformation and phishing.

What the original coverage misses is the potential for cascading effects beyond water supply disruptions. Compromised ICS at water treatment plants could lead to chemical imbalances—such as over-chlorination—or outright contamination, posing direct threats to public health. Moreover, supply chain attacks, as noted by ABW, could enable adversaries to pivot to other critical sectors like energy or transportation, amplifying the damage. The 2020 SolarWinds breach, which affected multiple U.S. government agencies, demonstrated how supply chain vulnerabilities can serve as a backdoor to broader systemic compromise. Poland’s water sector breaches may be a precursor to more ambitious operations, especially as state actors refine their tactics for maximum disruption.

The ABW report also downplays the attribution challenge. While it points to Russian and Belarusian actors, the use of hacktivist fronts complicates definitive blame. This mirrors tactics seen in the 2016 U.S. election interference, where Russian operatives masked their actions through proxies. Without public disclosure of forensic evidence—such as malware signatures or command-and-control infrastructure—attribution remains speculative, potentially fueling political narratives over actionable defense strategies.

Ultimately, these incidents signal an urgent need for international cooperation on critical infrastructure protection. Poland must prioritize OT security investments, enforce mandatory cybersecurity standards for municipalities, and integrate real-time threat intelligence sharing with NATO allies. Failure to act risks not only local crises but also emboldens adversaries to scale similar attacks across the region. As hybrid threats blur the line between cyber and kinetic warfare, water treatment plants are no longer just utilities—they are battlegrounds.