Poland's Spy Agency Just Broke a 12-Year Silence to Warn That Hackers Reached Five Water Plants
Poland's Internal Security Agency (ABW) published a public report on May 7, 2026 — its first activity summary in 12 years — warning that hackers targeted water treatment stations in five Polish municipalities, gaining access in some cases to industrial control systems and developing the ability to alter technical parameters of devices. The ABW described "a direct risk" to water supply continuity. The report blames the broader 2024–2025 hostile cyber pressure on Poland on "the special services of the Russian Federation." The water-sector campaign itself is part of a documented two-year pattern that includes at least seven Polish facilities and one foiled major-city attack in August 2025.
On May 7, 2026, the Agencja Bezpieczeństwa Wewnętrznego (ABW), Poland's domestic counterintelligence and internal security agency, published a public activity report — its first in 12 years, since 2014. The report names water treatment stations in five Polish municipalities — Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo — that were targeted in cyber operations. According to the report and reporting by The Record, "Attackers, gaining access in some cases to industrial control systems, had the ability to alter technical parameters of devices." The ABW characterized the targeting as creating "a direct risk" to water supply continuity. ABW Chief Col. Rafał Syrysko stated the agency intends to resume regular public reporting on national security threats — a meaningful institutional shift after more than a decade of operational opacity.
The single most consequential element is that two stories run in parallel in this announcement. The first is the water-sector targeting itself, which is real but not new — at least seven Polish water and wastewater facilities have been documented in pro-Russian cyber operations since spring 2024, with public-domain analysis from the Lieber Institute at West Point and incident reporting from CERT Polska. The second is the institutional pivot: ABW resuming public reporting after 12 years signals that Poland's counterintelligence apparatus has decided that public attribution of Russian-aligned activity is now strategically more useful than operational secrecy. The water-sector findings are the lead in the report. The institutional shift is the deeper story.
Polish ABW Water-Sector Warning Profile
| Detail | Information |
|---|---|
| Issuing agency | Internal Security Agency of Poland (Agencja Bezpieczeństwa Wewnętrznego, ABW) |
| Publication date | May 7, 2026 — first ABW public activity summary since 2014 (12-year gap) |
| ABW Chief | Col. Rafał Syrysko |
| Targeted water plants | Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo |
| Stated impact | Attackers gained access in some cases to industrial control systems and developed the ability to alter technical parameters of devices; "a direct risk" to water supply continuity |
| Attribution language | "With particular emphasis on the special services of the Russian Federation" — generic Russian-services attribution; ABW did not name a specific group |
| Period covered | 2024–2025; 2026 activity (including the December 2025 grid attack) not included in this report |
| Wider context | At least seven Polish water/wastewater facilities documented in pro-Russian cyber operations since spring 2024; foiled August 2025 attempt against a major Polish city's water supply |
| Pace of attacks | Per Deputy Minister for Digital Affairs Dariusz Standerski (September 2025): Poland faces 20–50 cyberattacks per day on critical infrastructure |
| Cyber budget | Poland's cybersecurity budget raised from €600M (2024) to €1B (2025); €80M specifically for water infrastructure |
| Public reporting commitment | Syrysko stated ABW will resume regular public reporting on national security threats |
The Five Towns and What Happened in Them
The ABW report names Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo as the five water-treatment stations included in the announcement. The agency does not provide specific incident dates per town, but several of these names overlap with previously documented cyber incidents. According to research by the Lieber Institute at West Point, hackers published videos from stacje uzdatniania wody (water treatment stations) in Tolkmicko, Małdyty, and Sieraków during January and February 2025, showing filters set to maximum cycles and other parameter abuse. In May 2025, the Szczytno city water plant was filmed live while someone changed flushing cycles. Jabłonna Lacka does not appear in the prior public record and is the new disclosure in the ABW report. The earlier 2024 incidents — at Wydminy and Kuźnica wastewater facilities, with reactor parameters published on Telegram — are not in the ABW's named-five list but are part of the same pattern.
The hacktivist tradecraft has been consistent: pro-Russian groups, most prominently CyberArmyofRussia_Reborn, have used Telegram to publish "bragging rights" videos demonstrating HMI access at Polish water facilities (and at U.S. and French facilities, per Mandiant's tracking). Most of these incidents have produced limited operational effect — defacement-grade access rather than service disruption — but the August 2025 foiled major-city attack represented escalation toward genuine harm. Polish authorities disclosed at the time that they had prevented "one of the most significant hacking operations since Russia's all-out invasion of Ukraine," targeting a city among Poland's ten largest. CyberSignal's nation-state coverage tracks the full pattern of Russian-aligned activity against NATO members in 2024–2026.
Why the 12-Year Silence Matters
The ABW last published a public activity summary in 2014 — before Russia's annexation of Crimea, before the 2016 election interference operations, before the 2022 invasion of Ukraine, and before the Polish government's 2023 transition to the Tusk-led coalition. The decision to break that silence on May 7, 2026 is itself significant. Counterintelligence agencies do not casually shift toward public reporting; the calculation is always whether public attribution provides more strategic value than operational discretion. Poland's apparent answer is yes — at least with respect to Russian-aligned cyber activity — and the trigger is the volume and severity of attacks the country has absorbed.
The framing in the report itself supports this read. The ABW does not name specific Russian threat groups (FSB Center 16, GRU Unit 26165, GRU Unit 74455 / Sandworm) and does not formally attribute the water-sector incidents to a state actor. It writes more broadly that Poland faced intensified hostile cyber activity in 2024 and 2025 "with particular emphasis on the special services of the Russian Federation." That generic-but-clear attribution is the point. Polish counterintelligence is now publicly stating that Russia's intelligence services are the dominant threat to Polish critical infrastructure, and is doing so in an agency activity report rather than only in classified assessments. That is a notable change in posture for an EU and NATO member state on the front line of European cyber risk.
The Wider 2024–2026 Polish Cyber Context
The water-sector findings sit inside a much larger picture of Polish critical-infrastructure attacks that the ABW report does not fully cover. The report focuses on 2024–2025 and notably excludes 2026 activity — including the December 2025 attack on Poland's distributed energy resources (DER) that hit 30 wind, solar, and combined-heat-and-power sites. Dragos attributed that attack to ELECTRUM, a Russian-linked threat cluster that overlaps with Sandworm/APT44; CERT Polska attributed the supporting infrastructure to "Static Tundra" (also tracked as Berserk Bear, Dragonfly, Energetic Bear — all overlapping FSB Center 16-linked actor names). Poland narrowly avoided a large-scale power outage from that incident.
The pace of attacks is high. Poland's Deputy Minister for Digital Affairs Dariusz Standerski stated in September 2025 that the country faces between 20 and 50 cyberattacks per day on critical infrastructure. The cybersecurity budget rose from approximately €600 million in 2024 to €1 billion in 2025, with €80 million specifically allocated to water infrastructure protection. Industrial Cyber's reporting characterizes Poland as the most-frequently targeted EU country for Russian cyber operations. The water-sector incidents named in the ABW report are a slice of that activity — significant on their own, but representative of a campaign that runs across telecommunications, energy, water, transportation, and government sectors.
Defender Actions for Water Utilities and Critical-Infrastructure Operators
- Inventory all internet-exposed HMI, SCADA, and ICS interfaces. If you can reach them from a residential broadband connection, so can attackers. Move them behind VPN access only and restrict by source IP. The Polish incidents have consistently exploited internet-exposed plant interfaces; addressing the exposure is the first-order control.
- Review remote access and vendor maintenance pathways. Many of the documented Polish water-sector incidents involved exposed remote-access portals used by maintenance contractors. Replace shared-credential vendor access with named accounts and MFA. Audit vendor pathways quarterly; document who can reach what and verify it matches operational reality.
- Implement default-credential audits across all ICS devices. A high percentage of these incidents rely on default or weak credentials. CISA, EPA, and WaterISAC have published guidance specifically on this for water utilities; review it against your actual deployment, not against your asset-management database, which is often out of date.
- Establish out-of-band monitoring and manual-override capability. If your only insight into plant operations is via the same network the attacker is on, you cannot trust what you see during an incident. Plan for a scenario where the attacker has display-layer access and you need physical confirmation of plant state.
- For non-water-sector defenders: the broader pattern matters. Poland's experience — 20-to-50 daily critical-infrastructure attacks, Russia-aligned attribution by domestic counterintelligence, an ABW deciding public reporting is now strategically necessary — is a leading indicator for what other NATO members in geographic proximity to Russia will face. Multinational utilities, energy operators, and government agencies should treat the Polish picture as a forward look at their own 2026–2027 threat profile.
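The out-of-band monitoring point above (an attacker with display-layer access can change filter or flushing cycles, and the HMI alone cannot be trusted) can be turned into a simple reconciliation check. The following is an added illustration, not code from the ABW report or any utility; the tag names, safe ranges, maintenance window, and all event and reading values are constructed for the example.

```python
from datetime import datetime, time

# Constructed sample data, not from any real plant.
# HMI_EVENTS: values the operator screen reported, as (timestamp, tag, value).
HMI_EVENTS = [
    ("2025-05-12T01:50:00", "filter_cycles", 4),
    ("2025-05-12T02:15:30", "filter_cycles", 99),       # night-time jump to max
    ("2025-05-12T09:05:00", "flush_interval_min", 30),
    ("2025-05-12T10:20:00", "flush_interval_min", 20),  # legitimate daytime change
]
# OOB_READINGS: the same tags read on an independent channel (technician meter
# reading or a non-networked data logger), as (timestamp, tag, measured value).
OOB_READINGS = [
    ("2025-05-12T02:30:00", "filter_cycles", 99),
    ("2025-05-12T10:30:00", "flush_interval_min", 45),  # HMI says 20, plant reads 45
]
# Assumed approved change window and engineering safe range per tag.
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))
SAFE_RANGE = {"filter_cycles": (1, 20), "flush_interval_min": (10, 120)}

def in_window(ts, window=MAINTENANCE_WINDOW):
    start, end = window
    return start <= ts.time() <= end

def check_setpoint_changes(events=HMI_EVENTS, limits=SAFE_RANGE):
    """Flag HMI setpoint changes made outside the window or beyond safe range."""
    last, alerts = {}, []
    for ts_s, tag, val in events:
        ts = datetime.fromisoformat(ts_s)
        prev = last.get(tag)
        if prev is not None and val != prev:
            if not in_window(ts):
                alerts.append((ts_s, tag, "changed outside maintenance window"))
            lo, hi = limits[tag]
            if not lo <= val <= hi:
                alerts.append((ts_s, tag, f"value {val} outside safe range {lo}-{hi}"))
        last[tag] = val
    return alerts

def check_display_divergence(events=HMI_EVENTS, readings=OOB_READINGS):
    """Compare the latest HMI-displayed value with each out-of-band reading;
    a mismatch means the screen cannot be trusted for that tag."""
    alerts = []
    for ts_s, tag, measured in readings:
        ts = datetime.fromisoformat(ts_s)
        shown = None
        for e_ts, e_tag, e_val in events:  # last HMI value at or before the reading
            if e_tag == tag and datetime.fromisoformat(e_ts) <= ts:
                shown = e_val
        if shown is not None and shown != measured:
            alerts.append((ts_s, tag, f"HMI shows {shown}, out-of-band reads {measured}"))
    return alerts
```

Run against the sample data it raises two alerts for the 02:15 filter-cycle change (out of window and over the safe range) and one divergence alert where the HMI shows a flush interval the plant is not actually running.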
The CyberSignal Analysis
Signal 01 — The water-sector targeting is documented, repetitive, and operationally serious
The narrative that pro-Russian hacktivism against Polish water infrastructure is "limited operational effect" requires updating. Two years of incidents — at Wydminy, Kuźnica, Tolkmicko, Małdyty, Sieraków, Szczytno, Jabłonna Lacka, and others — have produced a pattern where attackers reach industrial control systems, demonstrate ability to alter technical parameters, and in at least one case (the foiled August 2025 city attack) appear to have intended actual service disruption. The "limited operational effect" framing reflects what has happened so far, not what the attackers have demonstrated they can do. For water utility defenders globally, this is the empirical case that internet-exposed water-sector ICS is now an active target category. The Polish experience is the warning shot; the operational requirement is to address exposure before the same actors reach U.S., U.K., German, or other NATO water utilities with the same tradecraft.
Signal 02 — The 12-year silence-break is a meaningful posture change
Counterintelligence agencies prize operational secrecy. When one publishes a public activity summary after 12 years, the institutional calculation has shifted: public attribution is judged to provide more strategic value than operational discretion. For Poland, this likely reflects a combination of factors — domestic political pressure for transparency, allied-coordination value of public Polish attribution to Russian services, deterrent value of demonstrating that Polish counterintelligence is tracking and willing to name the threat, and recognition that the operational tempo of attacks no longer permits the prior posture of silence. Other allied counterintelligence agencies will be watching how this plays. If Poland gains tangible benefits from the public reporting — legitimacy, international support, deterrent effect, or simply better defender awareness — expect similar shifts from other agencies on Russia's frontier in the next 12 to 24 months.
Signal 03 — Generic attribution is doing real work that named-actor attribution does not
The ABW's "special services of the Russian Federation" framing is generic by intention. It does not name FSB Center 16, GRU Unit 26165, or GRU Unit 74455. That generic framing is operationally useful in a way that named-actor attribution often is not. Named-actor attribution invites debate about evidentiary standards, source protection, and whether the named unit was actually responsible for the specific incident. Generic attribution to the broader Russian intelligence apparatus avoids those debates while making the strategic point: this is state activity, the relevant counterintelligence service tracks it as such, and Polish national security is assessing the response accordingly. Defenders who want to use this attribution — for procurement decisions, geopolitical risk assessments, or board briefings — can rely on the ABW framing without needing to wait for unit-level attribution that may never come publicly. The ABW report gives them a citation; the strategic reality the citation describes is what matters.