Poland’s Internal Security Agency (ABW) reported that hackers broke into industrial control systems at five water treatment plants in 2025.
In some cases, the attackers could change equipment settings, putting the water supply and operations at direct risk.
Polish intelligence confirmed the attacks targeted five plants, and SecurityWeek named the affected sites as Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo.
ABW has seen more cyberattacks on industrial control systems and other operational technology in 2024 and 2025. State-backed groups are now focusing more on disrupting critical services.
In some water-sector cases, attackers got into ICS environments and could change how systems worked, not just look at them from the outside.
Old weaknesses are still opening the door
A key detail in the Polish report is that the weaknesses are not new.
SecurityWeek said ABW found two main ways the hackers got in: weak password policies and systems left open to the internet. These are long-standing security problems that still make municipal infrastructure vulnerable, even as threats become more serious.
TechCrunch reported that the Polish incidents are part of a larger sabotage and espionage campaign. ABW says this campaign has targeted military sites, critical infrastructure, and civilian locations over the past two years.
The report quoted ABW as saying the “most serious challenge remains the sabotage activity against Poland, inspired and organized by Russian intelligence services,” but also noted that ABW did not directly link the water-plant hackers to Russia.
Why the story matters beyond Poland
This report is important beyond Poland because the U.S. has faced similar attacks on water systems.
TechCrunch compared it to the 2021 incident in Oldsmar, Florida, where a hacker briefly got in and tried to increase sodium hydroxide to dangerous levels.
The FBI and the Cybersecurity and Infrastructure Security Agency have warned that American water utilities are still easy targets for foreign hackers.
A recent warning from U.S. agencies. Last month, CISA, the FBI, the NSA, and other federal groups said Iranian-backed hackers are now targeting programmable logic controllers, which are the computers that control water and energy plants.
The CyberAv3ngers group broke into digital control panels at several water treatment plants in Pennsylvania in 2023.
A local utility problem with geopolitical consequences
Poland had already warned about this risk last year. In August 2025, a Polish official said a cyberattack could have cut off a city’s water supply, but that attack was stopped. The new ABW report now gives much more detail about how serious the threat is.
Overall, the incidents in Poland and the warnings from the U.S. show that water utilities are still seen as easy targets in larger efforts to disrupt or threaten critical infrastructure.
The attacks in Poland as part of a broader plan to destabilize Western countries through cyberattacks and espionage.
Even simple problems, like weak passwords and systems open to the internet, can make a local water plant a national security risk.
