
Polish Intelligence Details Escalating Russian Cyber Campaign Against Critical Infrastructure

Polish intelligence reveals Russian state actors have successfully compromised critical infrastructure including water treatment facilities and energy systems, conducting multi-stage cyber campaigns w

Martin Holloway, published 8h ago, 6 min read, based on 12 sources

Poland's ABW intelligence agency has documented a systematic campaign by Russian state actors targeting critical infrastructure across multiple sectors, with new details emerging about successful penetrations of water treatment facilities and energy systems throughout 2024 and 2025.

The ABW's 2025 special edition report reveals that hackers successfully compromised water treatment facilities in five Polish towns—Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo—gaining direct access to industrial control systems with the capability to alter technical parameters of critical devices. This represents operational-level access that could directly threaten water supply operations, moving beyond reconnaissance to manipulation capabilities.

According to ABW's assessment, Russian intelligence services have conducted large-scale reconnaissance operations throughout Poland in preparation for sabotage targeting military sites, critical infrastructure, and public facilities. The agency characterized the threat environment as "intensified hostile cyber activity" with particular emphasis on Russian Federation special services as the primary threat actor.

Multi-Vector Hybrid Operations

The Polish intelligence analysis describes a sophisticated hybrid warfare approach that extends far beyond traditional cyberattacks. Russian operations utilize non-state entities including activist organizations, national minorities, and criminal groups as operational vectors, while deploying massive media campaigns to maintain what ABW analysts characterize as a "besieged fortress" narrative.

In the Baltic Sea region specifically, ABW assesses that hybrid threats now incorporate autonomous platforms and dual-use systems, representing a technological evolution in attack methodologies. The agency warns that military escalation scenarios could involve Cold War-style confrontations including physical ship confrontations and communication route blocking.

This operational complexity echoes a pattern seen before: Soviet intelligence services in the 1980s combined technical espionage, influence operations, and proxy activities in multi-layered approaches, though the current campaign operates at a scale and technical sophistication that would have been impossible in the analog era.

Industrial Control System Vulnerabilities

The successful penetration of Polish water facilities highlights persistent vulnerabilities in operational technology environments. The attackers gained access to programmable logic controllers (PLCs) and other industrial control systems, echoing similar incidents documented by CISA across multiple sectors.

CISA's November 2023 alert detailed exploitation of Unitronics PLCs at U.S. water facilities, where threat actors leveraged poor password security and direct internet exposure to gain system access. The agency has since documented Iranian Revolutionary Guard Corps-affiliated actors targeting similar infrastructure through comparable attack vectors.

The Polish incidents follow a documented pattern of Russian government cyber operations that DHS and FBI characterized as multi-stage intrusion campaigns. These operations typically target small commercial facilities' networks as staging areas, creating local administrator accounts and placing malicious files to maintain persistence before pivoting to primary targets in the energy sector.
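The staging pattern described above (a new local account, promotion to Administrators, then a dropped file for persistence) is something a defender can correlate from ordinary Windows security logs. The detector below is an added example, not code from the ABW, DHS or FBI material; it assumes log events already normalised to dicts, uses the standard Windows event IDs 4720 (account created), 4732 (member added to local group) and 4663 (object access), and the list of persistence paths is an assumption chosen for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

ADMIN_GROUP = "Administrators"
# Assumed drop locations for the example; tune to your environment.
PERSISTENCE_PATHS = ("\\users\\public\\", "\\programdata\\",
                     "\\start menu\\programs\\startup\\")

# Constructed sample events (not real telemetry): a contractor workstation
# showing the staging sequence, a benign onboarding, and an unrelated promotion.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:10:05", "host": "ws-contractor-01", "event_id": 4720,
     "target": "svc_backup", "subject": "jdoe"},
    {"ts": "2025-03-01T02:10:41", "host": "ws-contractor-01", "event_id": 4732,
     "target": "svc_backup", "group": "Administrators", "subject": "jdoe"},
    {"ts": "2025-03-01T02:12:00", "host": "ws-contractor-01", "event_id": 4663,
     "path": "C:\\Users\\Public\\update.vbs", "subject": "svc_backup"},
    {"ts": "2025-03-01T09:00:00", "host": "ws-hr-07", "event_id": 4720,
     "target": "newhire42", "subject": "helpdesk"},
    {"ts": "2025-03-02T09:00:00", "host": "ws-hr-07", "event_id": 4732,
     "target": "newhire42", "group": "Remote Desktop Users", "subject": "helpdesk"},
    {"ts": "2025-03-01T03:00:00", "host": "ws-eng-02", "event_id": 4732,
     "target": "olduser", "group": "Administrators", "subject": "admin"},
]

def find_staging_sequences(events: List[dict], window_minutes: int = 60) -> List[dict]:
    """Per host: flag a local account created (4720) and added to Administrators
    (4732) within the window. Severity becomes 'high' if that account then writes
    a file (4663) into a persistence path inside the same window."""
    window = timedelta(minutes=window_minutes)
    by_host: Dict[str, List[dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for c in (e for e in evs if e["event_id"] == 4720):
            t0, acct = datetime.fromisoformat(c["ts"]), c["target"]
            in_window = lambda e: t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window
            promoted = [e for e in evs if e["event_id"] == 4732 and e.get("target") == acct
                        and e.get("group") == ADMIN_GROUP and in_window(e)]
            if not promoted:
                continue  # creation without admin promotion: routine provisioning
            dropped = [e for e in evs if e["event_id"] == 4663 and e.get("subject") == acct
                       and in_window(e)
                       and any(p in e.get("path", "").lower() for p in PERSISTENCE_PATHS)]
            findings.append({"host": host, "account": acct, "created_by": c["subject"],
                             "severity": "high" if dropped else "medium",
                             "dropped_files": [e["path"] for e in dropped]})
    return findings

if __name__ == "__main__":
    for f in find_staging_sequences(SAMPLE_EVENTS):
        print(f)
```

Only the contractor host produces a finding; the HR onboarding (wrong group, next day) and the bare group change on the engineering host fall outside the pattern.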

Cross-Border Campaign Scope

Russian military intelligence hackers have simultaneously targeted Western technology and logistics companies involved in shipping assistance to Ukraine, according to the U.S. National Security Agency. This campaign sought access to internet-connected camera feeds near Ukrainian border crossings while targeting defense, transportation, and logistics companies across multiple Western countries, including ports, airports, and rail systems.

The geographic spread extends beyond Europe and North America. A Russian hacktivist group caused a water system overflow in Muleshoe, Texas, affecting approximately 5,000 residents. Mandiant linked this incident to actors potentially working with or as part of a Russian military hacking unit, demonstrating coordination between ostensibly independent hacktivist groups and state intelligence services.

Polish officials have attributed additional attacks to Russian domestic intelligence, including December 29 cyberattacks against 30 Polish renewable energy facilities. Deputy Prime Minister Krzysztof Gawkowski has characterized the situation as an ongoing cyberwar between Poland and Russia, announcing in August that Poland successfully foiled a cyber attack against a major city's water and sewage system.

Operational Implications

The documented incidents reveal Russian capabilities extending beyond espionage to operational manipulation of critical infrastructure systems. The successful access to water treatment facility control systems in Poland demonstrates that the adversary could potentially disrupt municipal services, while the energy sector targeting suggests preparation for broader infrastructure disruption scenarios.

CISA's December 9, 2025 alert about opportunistic pro-Russia hacktivists attacking U.S. and global critical infrastructure indicates sustained campaign activity rather than isolated incidents. The convergence of state-sponsored operations with hacktivist group activities suggests a coordinated approach designed to provide operational flexibility while maintaining plausible deniability.

Looking at what this means for defensive planning, the multi-vector approach combining cyber operations, influence campaigns, and proxy activities requires corresponding multi-layered defense strategies. Traditional network security measures alone cannot address the hybrid nature of these threats, particularly when attackers leverage legitimate business relationships and trusted communications channels as attack vectors.

The technological evolution toward autonomous platforms and dual-use systems in hybrid operations indicates that future incidents may involve increased operational complexity and reduced attribution certainty. Organizations responsible for critical infrastructure face an adversary with demonstrated capabilities to achieve operational-level access to industrial control systems while maintaining strategic ambiguity through the use of proxy actors and influence operations.