TL;DR
Hackers breached five Polish water treatment plants using default passwords and internet-exposed control systems. Poland is spending a billion euros on cybersecurity; 70 per cent of American water utilities fail the same basic standards.
Hackers breached five Polish water treatment plants in 2025, gaining access to the industrial control systems that regulate pumps, filters, and chemical dosing. In some facilities, the attackers could have altered the operational parameters of equipment that determines what comes out of the tap. The attack vector, in every case, was unremarkable: weak passwords and control systems connected directly to the internet.
Poland’s Internal Security Agency, the ABW, disclosed the breaches this week in its first public activity summary since 2014, before Russia annexed Crimea. The report names the facilities: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, five small towns whose water treatment stations were found to have been penetrated by attackers the agency attributes, with careful phrasing, to “hacktivist groups” that are “often personas used by foreign governments, particularly Russian intelligence services.”
The breaches
The incidents were not theoretical. In Szczytno, in May 2025, someone accessed the supervisory control system and changed flushing cycles while the facility was being monitored on a live feed. In Jabłonna Lacka, in September, a video captured an intruder logging in through an admin account and manipulating pump and filter thresholds. The ABW said the attackers had the ability to alter technical parameters of devices, creating “a direct risk” to the continuity of water supply operations.
The agency identified two primary attack vectors: passwords that had not been changed from factory defaults and industrial control systems exposed directly to the public internet. Neither vulnerability requires sophisticated tooling to exploit. Both have been documented in cybersecurity advisories for more than a decade.
The ABW report names Russian APT groups including APT28 and APT29, and the Belarusian-linked group UNC1151, as operating against Polish targets. The agency stopped short of attributing specific water treatment breaches to specific groups, but the pattern is consistent with a broader escalation that Poland’s government says has made the country the target of between 20 and 50 cyberattacks per day.
The escalation
Cyberattacks on Poland surged after the election of its pro-Ukraine government, and the tempo has not slowed. In December 2025, a coordinated attack hit a combined heat and power plant supplying heat to almost 500,000 customers, along with multiple wind and solar farms. The cybersecurity firm ESET attributed the attack to Sandworm, a group the United States government has linked to Russia’s military intelligence directorate, the GRU.
Poland’s cybersecurity budget for 2026 is a record one billion euros, up from 600 million in 2024. Of that, 80 million euros has been allocated specifically to the cyber defences of water management systems. Germany has absorbed 90 per cent of Europe’s record defence tech funding, but Poland’s per-capita spending on cybersecurity now exceeds that of most NATO members.
The spending reflects a recognition that the threat has moved beyond espionage. Helsing, the European military AI startup, raised 450 million euros explicitly to defend NATO from Russia, and Ukraine’s emergence as a defence tech powerhouse has demonstrated that the countries closest to Russia’s borders are now building the capabilities to respond. But the water treatment plants in Jabłonna Lacka and Szczytno were not breached by advanced persistent threats deploying novel exploits. They were breached because someone left the default password on a system connected to the internet.
The American parallel
The United States faces the same vulnerability at a larger scale. In 2024, the Environmental Protection Agency found that nearly 70 per cent of water utilities inspected by federal officials were in violation of basic cybersecurity standards, including the failure to change default passwords. The largest regulated water and wastewater utility in the country, American Water, was forced to shut down its billing systems in October 2024 after a cyberattack disrupted services for millions of customers.
The threats are not hypothetical. The Chinese state-sponsored group Volt Typhoon has compromised the information technology environments of multiple US critical infrastructure organisations, including water and wastewater systems, in what CISA, the NSA, and the FBI assess is an effort to pre-position for disruptive or destructive cyberattacks in the event of a major crisis or conflict. The Iranian-affiliated group CyberAv3ngers has targeted programmable logic controllers at US water treatment plants, including facilities in Pennsylvania.
The EPA, CISA, and the FBI have issued repeated advisories. Congress temporarily reinstated cybersecurity information-sharing authorities in November 2025, then let them lapse again in January 2026. The federal government has published cybersecurity planning tools, incident response templates, and procurement checklists. The water utilities that need them most are the ones least likely to use them: small municipal systems with limited budgets, ageing infrastructure, and no dedicated cybersecurity staff.
The gap
Defence stocks are surging across Europe as governments pour money into military technology. Poland is spending a billion euros on cybersecurity. NATO is funding innovation accelerators and defence AI alliances. The investment reflects an accurate assessment of the threat.
But the water treatment plants that were breached in Poland were not protected by any of it. The facilities in Jabłonna Lacka and Szczytno were running control systems with factory-default credentials exposed to the internet. The American utilities that the EPA found in violation of basic standards are running the same configuration. The sophistication of the attacker is irrelevant when the front door is unlocked.
Poland’s ABW published its first activity summary in a decade because the scale of the threat has made silence untenable. The United States has published advisory after advisory. The pattern is consistent across both countries: the governments that understand the threat best are the ones whose critical infrastructure remains most exposed, because the systems that treat drinking water are operated by municipalities that lack the resources, the expertise, or the regulatory compulsion to secure them. The hackers who breached five Polish water plants did not need a zero-day exploit. They needed a password.