
Polish water treatment plants breached by hackers using default passwords as US faces similar infrastructure threat

The TL;DR

Hackers have broken into five Polish water treatment plants using default passwords and control systems exposed to the Internet. Poland is spending a record one billion euros on cybersecurity; nearly 70 percent of the US water utilities inspected by the EPA fail the same basic standards.

Hackers broke into five Polish water treatment plants in 2025, gaining access to the industrial control systems that run pumps, filters, and chemical dosing. In some facilities, attackers were in a position to change the operating parameters of the equipment that determines what comes out of the faucet. The attack vector, in every case, was unremarkable: weak passwords and control systems connected directly to the Internet.

Poland’s Internal Security Agency, ABW, revealed the breaches this week in its first public briefing since 2014, the year Russia annexed Crimea. The report names the facilities: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, five villages whose water treatment stations were found to have been infiltrated. The agency attributes the intrusions, with careful wording, to “hacktivist groups” that are “usually people used by foreign governments, especially Russian intelligence services.”

The breach

The incidents were not abstract statistics. In Szczytno, in May 2025, someone accessed the plant’s control system and changed its cycle settings while the site was being watched on a live feed. In Jabłonna Lacka, in September, a video captured a hacker logging in with an administrator account and manipulating pump and filter parameters. ABW said the attackers were able to alter process parameters, creating a “direct danger” to the continuity of water supply.

The agency identified two main attack vectors: passwords that had never been changed from their factory defaults, and industrial control systems exposed directly to the public Internet. Neither weakness requires advanced tooling to exploit. Both have featured in basic cybersecurity guidance for more than a decade.
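The two conditions ABW names are easy to check for before an attacker does. The following is an added example, not code from the article or from ABW: a small inventory audit that flags factory-default logins and control interfaces reachable from the Internet, and ranks the combination of both (the situation described at the breached plants) as critical. The device records, the default-credential list and the port table are constructed for illustration; in practice the externally open ports would come from an authorised scan of the utility’s own public address space.

```python
"""Inventory audit for the two weaknesses named in the ABW report:
factory-default credentials and control interfaces reachable from the
public Internet. Added example; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Ports that identify common ICS protocols or HMI web consoles.
# Constructed subset; a real table would be much longer.
ICS_PORTS: dict[int, str] = {
    102: "Siemens S7 / ISO-TSAP",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    80: "HTTP HMI web console",
    443: "HTTPS HMI web console",
}

# Constructed sample of vendor default logins (username, password).
DEFAULT_CREDENTIALS: set[tuple[str, str]] = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", ""),
    ("root", "root"),
    ("operator", "operator"),
}


@dataclass
class Device:
    name: str
    role: str
    username: str
    password: str
    # Ports found open from *outside* the plant network, e.g. by an
    # authorised external scan of the utility's public address space.
    internet_ports: list[int] = field(default_factory=list)


@dataclass
class Finding:
    device: str
    severity: str
    detail: str


def uses_default_credentials(dev: Device) -> bool:
    """True if the login is a known factory default or password == username."""
    return (dev.username, dev.password) in DEFAULT_CREDENTIALS or dev.password == dev.username


def exposed_ics_services(dev: Device) -> list[str]:
    """Names of ICS/HMI services reachable from the Internet on this device."""
    return [f"{ICS_PORTS[p]} (tcp/{p})" for p in sorted(dev.internet_ports) if p in ICS_PORTS]


def audit(devices: list[Device]) -> list[Finding]:
    """Rank each device: a default login on an Internet-reachable control
    interface (the combination ABW described) is critical; either alone is lower."""
    findings: list[Finding] = []
    for dev in devices:
        defaults = uses_default_credentials(dev)
        exposed = exposed_ics_services(dev)
        if defaults and exposed:
            findings.append(Finding(dev.name, "critical",
                "default credentials on Internet-reachable " + ", ".join(exposed)))
        elif exposed:
            findings.append(Finding(dev.name, "high",
                "control interface reachable from the Internet: " + ", ".join(exposed)))
        elif defaults:
            findings.append(Finding(dev.name, "medium",
                f"default credentials {dev.username}:{dev.password or '<empty>'} (not Internet-reachable)"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, always reporting all three buckets."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory for a small treatment station (not real devices).
SAMPLE_DEVICES = [
    Device("pump-station-plc", "PLC", "admin", "admin", [502, 80]),
    Device("dosing-hmi", "HMI", "operator", "Dos1ng!2025", [443]),
    Device("filter-rtu", "RTU", "root", "root", []),
    Device("historian", "server", "svc_hist", "8vQ2-kLm9", [22]),
]

if __name__ == "__main__":
    results = audit(SAMPLE_DEVICES)
    for f in results:
        print(f"[{f.severity.upper():8}] {f.device}: {f.detail}")
    print(summarize(results))
```

The audit deliberately treats an exposed HMI web console with a strong password as “high” rather than clean: the ABW footage shows an administrator login being used, and a login page on the public Internet is exactly where a credential-stuffing or brute-force attempt starts.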


The ABW report names Russian APT groups including APT28 and APT29, as well as the Belarus-linked group UNC1151, as operating against Polish targets. The agency stops short of attributing specific water plant intrusions to specific groups, but the pattern is consistent with a broader surge that the Polish government says has made the country the target of between 20 and 50 cyber attacks a day.

The escalation

Cyberattacks on Poland increased after the election of its pro-Ukraine government, and the tempo has not slowed. In December 2025, a coordinated attack hit a combined heat and power plant that supplies heat to nearly 500,000 customers, as well as numerous wind and solar farms. The security company ESET attributed that attack to Sandworm, a group the United States government has linked to Russian military intelligence, the GRU.

Poland’s cybersecurity budget for 2026 is a record one billion euros, up from 600 million in 2024. Of that, 80 million euros have been allocated specifically for the cyber protection of water management systems. Germany accounts for 90 percent of Europe’s record-keeping technology funding, but Poland’s per capita spending on cybersecurity now exceeds that of most NATO members.

The spending reflects a recognition that the threat has moved beyond espionage. Helsing, Europe’s military AI company, raised 450 million euros, ostensibly to help protect NATO from Russia, and Ukraine’s emergence as a defence technology powerhouse has shown that countries near Russia’s borders are now building countermeasures of their own. But the water treatment plants in Jabłonna Lacka and Szczytno were not breached by novel techniques. They were breached because someone left a default password on a system connected to the Internet.

The American parallel

The United States faces similar vulnerabilities on a larger scale. In 2024, the Environmental Protection Agency found that nearly 70 percent of the water utilities inspected by federal officials were violating basic cybersecurity standards, including failing to change default passwords. The nation’s largest regulated water and wastewater utility, American Water, was forced to take its billing systems offline in October 2024 after a cyber attack disrupted services for millions of customers.

The threats are not speculative. The Chinese state-sponsored group Volt Typhoon has compromised the IT environments of multiple US critical infrastructure organizations, including water and wastewater systems, in what CISA, NSA, and the FBI assess to be pre-positioning for a disruptive or destructive cyber attack in the event of a major crisis or conflict. The Iran-linked group CyberAv3ngers has targeted programmable logic controllers at US water treatment facilities, including facilities in Pennsylvania.

The EPA, CISA, and FBI have issued repeated advisories. Congress temporarily reinstated the cybersecurity information sharing authority in November 2025, then let it lapse again in January 2026. The federal government has published cybersecurity planning tools, incident response templates, and procurement checklists. The water utilities that need them most are the ones least likely to use them: small municipal systems with limited budgets, aging infrastructure, and no dedicated cybersecurity staff.

The gap

Defence stocks are rising across Europe as governments invest in military technology. Poland is spending one billion euros on cybersecurity. NATO is funding new accelerators and defence AI alliances. The investments reflect an accurate assessment of the risk.

But none of that protected the water treatment facilities that were breached in Poland. The plants in Jabłonna Lacka and Szczytno were running control systems with factory-default credentials, exposed online. The US facilities the EPA found in violation of basic standards use the same configuration. The sophistication of the attacker is irrelevant if the front door is open.

Poland’s ABW published its first operational summary in a decade because the level of the threat made silence unacceptable. The United States has published advisory after advisory. The pattern is consistent in both countries: the governments that understand the threat best are the ones whose critical infrastructure is most exposed, because drinking water systems are operated by municipalities that lack the resources, technology, or regulatory clout to protect them. The hackers who broke into five Polish water plants did not need a zero-day exploit. They needed a password.
