Polish intelligence warns hackers attacked water treatment control systems

Poland’s domestic intelligence service said attackers breached water treatment facilities in five towns in 2025, in some cases gaining access to industrial control systems that could have disrupted water supplies.

In a new public report, the Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego, or ABW) said water treatment stations in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko and Sierakowo were targeted.

“Attackers, gaining access in some cases to industrial control systems, had the ability to alter technical parameters of devices,” the report said, creating “a direct risk” to the continuity of water supply operations.

The ABW did not publicly attribute the incidents to a specific group or country. But it said Poland faced intensified hostile cyber activity in 2024 and 2025, “with particular emphasis on the special services of the Russian Federation.”

The report did not cover the ABW’s activities this year, which included the country narrowly avoiding a large-scale power outage after what authorities alleged was a Russian attack on its energy infrastructure. 

Poland has become a major logistics hub for Western military aid to Ukraine since Russia’s full-scale invasion in 2022 and has repeatedly accused Russian intelligence services of sabotage, cyberattacks and disinformation operations.

Polish cybersecurity publication CyberDefence24 previously linked several of the water-facility incidents to a pro-Russian hacktivist group that posted propaganda videos of its intrusions online. It reported that attackers at one facility altered settings linked to pumps and alarms after accessing an administrator account.

The ABW report described Russia as conducting a long-term campaign aimed at destabilizing NATO and European Union states. It said Russian intelligence services had carried out large-scale reconnaissance in Poland in preparation for sabotage operations targeting military sites, critical infrastructure and public facilities.

Incidents including a hack of the national railway’s communications network and an outage of the country’s air traffic control system have repeatedly provoked concern about Russian attempts to disrupt normal life in Poland.

Following the arrest of dozens of suspects in alleged Russian-linked sabotage — including cases involving arson, reconnaissance and damage to railway infrastructure — the country’s prime minister, Donald Tusk, said the government “will act ruthlessly” towards anyone “directly or indirectly aiding Russian services.”

According to the ABW report, Russian operations are evolving from using loosely-recruited online operatives tasked with acts of sabotage toward more structured networks linked to organized crime groups. Recruiters used encrypted messaging platforms and cryptocurrency payments to hire people for tasks often presented as ordinary work, it added.

The agency said cyber threats against Poland had intensified sharply over the past two years. Poland’s government incident response team recorded more than 40,000 reports of potential cybersecurity incidents during the reporting period.

In another high-profile incident last year, hackers compromised the Polish state news agency PAP and briefly published a false report claiming the country had ordered military mobilization.

The ABW also reported a sharp increase in espionage investigations linked largely to Russia and Belarus. It said 48 espionage investigations were opened in 2025 alone, compared with six in 2022, the year Russia invaded Ukraine.

The report said Russian intelligence services had increasingly accepted the risk of civilian casualties in sabotage operations, and warned that some of those activities could have caused rail or aviation disasters.

Poland has responded to this threat with arrests, expulsions and diplomatic measures, including the closure of three Russian consulates since late 2024.

The report’s publication marked the first public activity summary issued by the ABW since 2014, before the Russian invasion of Crimea. ABW chief Col. Rafał Syrysko said the agency intended to resume regular public reporting on national security threats.