
Russia's Cyber Attacks on Polish Water and Power Systems: What We Know

Russia has conducted a sustained campaign of cyberattacks against Polish critical infrastructure, including five water treatment facilities and energy systems, with successful breaches of industrial c

Martin Holloway. Published 8h ago. 5 min read. Based on 12 sources.

Poland's intelligence agency, the ABW, has documented a sustained campaign by Russian state hackers targeting critical infrastructure—water treatment plants and power grids—across the country throughout 2024 and 2025.

The ABW's 2025 report details successful breaches of water treatment facilities in five Polish towns: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. In each case, hackers gained access to industrial control systems—the computers that actually operate water pumps, valves, and treatment processes—and could change how these systems behave. This is more serious than stealing data; it means attackers could theoretically disrupt water supply to thousands of people.

According to the ABW assessment, Russian intelligence services have conducted extensive surveillance of Polish infrastructure to prepare for potential sabotage of military sites, energy plants, and public facilities. The agency calls this "intensified hostile cyber activity" and identifies the Russian state as the primary threat.

Hybrid Warfare Beyond Traditional Hacking

Polish intelligence describes a layered approach that combines multiple tactics at once. Russian operations don't rely only on hackers; they also use activist groups, criminal organizations, and non-state groups as cover, while running large-scale media campaigns to shape public perception. This is hybrid warfare—blending cyber, propaganda, and physical threats into a coordinated strategy.

In the Baltic Sea region, the assessment highlights an additional shift: Russian operations now incorporate autonomous platforms and systems designed for dual purposes (civilian and military). These tactics are more complex and harder to trace back to Moscow than traditional cyberattacks alone.

The broader context here is that we have seen multifaceted campaigns like this before. During the 1980s, Soviet intelligence combined technical espionage, media manipulation, and proxy activities in similar ways. What has changed is speed, scale, and sophistication—capabilities that would have been impossible in the analog era.

Why Water Treatment Plants Are Vulnerable

The Polish breaches expose a widespread problem in how industrial control systems are secured. The attackers accessed programmable logic controllers (PLCs)—specialized computers that run physical machinery—through methods that U.S. authorities have documented many times.

CISA, the U.S. government's cybersecurity agency, documented a similar pattern in November 2023 at American water facilities, where hackers used weak passwords and systems directly exposed to the internet to break in. Iranian military hackers have used the same approach. The common thread: water facilities often lack robust cybersecurity compared to banks or tech companies, and some are even reachable from the internet without strong protection.
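The two weaknesses CISA documented, internet-reachable control systems and weak or default passwords, are the kind of thing a utility can check against its own asset inventory before an attacker does. The following is an added example, not code from the article or from CISA; the inventory records, device names, addresses and the short list of default passwords are all constructed for illustration, and the rule that treats anything outside the RFC 1918 ranges as "exposed" is a simplification that a real audit would refine with the site's actual network plan.

```python
"""Audit a constructed ICS asset inventory for management interfaces that are
reachable from outside the plant's private address space and for default or
weak credentials. Example code; the inventory format is an assumption."""
import ipaddress

# Constructed inventory of PLC/HMI devices (hypothetical names, addresses, passwords).
INVENTORY = [
    {"name": "pump-plc-01",   "mgmt_ip": "10.20.1.15",    "password": "Wx7!pLq9#vR2t"},
    {"name": "hmi-panel-02",  "mgmt_ip": "203.0.113.27",  "password": "admin"},
    {"name": "valve-plc-03",  "mgmt_ip": "192.168.40.8",  "password": "1234"},
    {"name": "dosing-plc-04", "mgmt_ip": "198.51.100.9",  "password": "Gq4$zN8r!kT1m"},
]

# Private ranges that a plant network is expected to live in (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Illustrative list of common default passwords (constructed, not a vendor list).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "root", "operator"}
MIN_LENGTH = 12


def is_internet_exposed(ip_str):
    """True if the management address is not inside any approved internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def is_weak_password(password):
    """True for a known default or for anything shorter than the site minimum."""
    return password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_LENGTH


def audit(inventory):
    """Return (device name, [issues]) for every device with at least one finding."""
    findings = []
    for dev in inventory:
        issues = []
        if is_internet_exposed(dev["mgmt_ip"]):
            issues.append("internet-exposed management interface")
        if is_weak_password(dev["password"]):
            issues.append("default or weak password")
        if issues:
            findings.append((dev["name"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY):
        print(f"{name}: {', '.join(issues)}")
```

Run against the constructed inventory, the audit flags the HMI panel on both counts, the valve PLC for its four-digit password, and the dosing PLC for being reachable from outside the private ranges; the pump PLC passes. A device that fails either check is exactly the profile described in the CISA advisory.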

Russian military hackers typically follow a staged approach. They start by breaking into smaller, less-protected company networks—a contractor or supplier—and establish hidden administrator accounts there. From that foothold, they move laterally toward bigger targets in the energy sector, mapping out systems as they go.
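The "hidden administrator account on a contractor network" step described above leaves a trace that a defender can look for: an account is created and, shortly afterwards, added to a privileged local group. The following is an added example, not from the article or any named vendor; it correlates the two Windows Security event IDs involved (4720, user account created, and 4732, member added to a security-enabled local group) over constructed, simplified log lines. The one-line key=value format, the host and account names and the 30-minute window are all assumptions made for the example.

```python
"""Flag a newly created local account that is promoted to Administrators shortly
after creation, using constructed, simplified Windows Security log lines.
Example code; the log format is an assumption, the event IDs are real."""
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event ID, then key=value fields.
# Line 1-2: an account is created and made an administrator five seconds later.
# Line 3-4: a routine helpdesk creation added only to the Users group.
# Line 5: an existing account promoted without a matching creation event.
SAMPLE_LOG = """\
2025-03-02T01:12:04 4720 SubjectUserName=svc_backup TargetUserName=updsvc$ Computer=CONTRACTOR-FS1
2025-03-02T01:12:09 4732 SubjectUserName=svc_backup TargetUserName=Administrators MemberName=updsvc$ Computer=CONTRACTOR-FS1
2025-03-02T09:30:15 4720 SubjectUserName=helpdesk TargetUserName=jnowak Computer=CONTRACTOR-FS1
2025-03-02T09:31:02 4732 SubjectUserName=helpdesk TargetUserName=Users MemberName=jnowak Computer=CONTRACTOR-FS1
2025-03-03T14:05:40 4732 SubjectUserName=admin.kowalski TargetUserName=Administrators MemberName=kowalski Computer=CONTRACTOR-FS1
"""

WINDOW = timedelta(minutes=30)          # creation-to-promotion interval to flag
PRIVILEGED_GROUPS = {"Administrators"}  # extend with other high-privilege groups


def parse_line(line):
    """Parse one simplified log line into a dict with a datetime and an int event ID."""
    timestamp, event_id, *fields = line.split()
    record = {"time": datetime.fromisoformat(timestamp), "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_suspicious_admin_creations(records):
    """Correlate 4720 and 4732 per (host, account); alert when promotion follows
    creation within WINDOW. Returns one alert dict per suspicious account."""
    created = {}  # (computer, account) -> creation time
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["event_id"] == 4720:
            created[(rec["Computer"], rec["TargetUserName"])] = rec["time"]
        elif rec["event_id"] == 4732 and rec["TargetUserName"] in PRIVILEGED_GROUPS:
            key = (rec["Computer"], rec["MemberName"])
            created_at = created.get(key)
            if created_at is not None and rec["time"] - created_at <= WINDOW:
                alerts.append({
                    "computer": key[0],
                    "account": key[1],
                    "created_by": rec["SubjectUserName"],
                    "seconds_to_admin": int((rec["time"] - created_at).total_seconds()),
                    # Names that imitate machine accounts (trailing $) deserve a closer look.
                    "mimics_machine_account": key[1].endswith("$"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_creations(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the detector raises exactly one alert, for `updsvc$`, created and promoted by `svc_backup` five seconds apart; the helpdesk creation is ignored because it never touches a privileged group, and the promotion of `kowalski` is ignored because no creation event precedes it. The last case is a deliberate limit of this rule: promotion of a long-standing account is a separate detection, not a variant of this one.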

A Global Campaign, Not Just Poland

Russian military intelligence has also targeted Western companies involved in shipping aid to Ukraine, according to the U.S. National Security Agency. Hackers sought access to security cameras near the Ukrainian border and targeted defense, transportation, and logistics companies across multiple Western nations, including ports and airports.

The campaign isn't limited to Europe. In Muleshoe, Texas, a Russian hacktivist group caused a water system to overflow, affecting roughly 5,000 residents. U.S. intelligence firm Mandiant assessed that these hackers may have been working with or as part of a Russian military hacking unit, suggesting coordination between independent-seeming activist groups and the state.

Polish officials have attributed other recent attacks to Russian domestic intelligence, including assaults on 30 renewable energy facilities on December 29. In August, Poland's Deputy Prime Minister announced that the country had stopped a large-scale cyberattack against a major city's water and sewage system. Polish officials have called this ongoing state of conflict a "cyberwar."

What This Means for Defense

The documented attacks show that Russian operators can go beyond spying to actively controlling critical infrastructure systems. Successful access to water facility controls raises the possibility of disrupting municipal services, while energy sector targeting suggests preparation for larger-scale infrastructure attacks.

In December 2025, U.S. authorities reported sustained activity by pro-Russia hacktivist groups attacking critical infrastructure globally, indicating this is an ongoing campaign rather than isolated incidents. The fact that state-sponsored operations and independent hacktivist groups appear coordinated gives attackers flexibility and helps them hide who is really behind the attacks.

The key challenge for organizations protecting critical infrastructure is that traditional network firewalls and intrusion detection are necessary but not sufficient. When attackers use multiple vectors—cyber, influence campaigns, proxy groups—and exploit trusted business relationships, defense needs to be equally layered. Technical security alone cannot address hybrid threats that combine espionage, media campaigns, and proxy actors.

Looking ahead, the trend toward autonomous systems and dual-use technologies in these operations suggests future attacks may be harder to trace and more technically complex. Organizations running water, power, and other essential services face adversaries with demonstrated ability to reach inside their control rooms while hiding behind multiple layers of deniability.