Hackers Breach Polish Water Treatment Plants Using Default Passwords
Hackers breached five Polish water treatment plants. The attack vector was default passwords. Seventy per cent of American water utilities fail the same test.
Summary (TL;DR)
In 2025, hackers successfully penetrated five Polish water treatment plants, gaining access to industrial control systems. The breaches exposed potential risks to water supply operations, with some attackers even altering flushing cycles and pump settings while operators monitored in real time.
The primary vulnerabilities exploited were passwords left at their factory defaults and internet-exposed industrial control systems. These are well-documented issues that require relatively simple tools to exploit. Polish authorities attribute the attacks to "hacktivist groups," likely with connections to foreign governments, specifically Russian intelligence services.
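The two conditions named above, factory-default credentials and an internet-reachable control interface, are both things a utility can check for in its own asset inventory. The following is an added example (not code from the article or from any Polish agency) that audits a constructed inventory of HMI and PLC accounts; the default-credential list, internal OT address ranges, and asset names are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed vendor-default pairs (illustrative, not taken from the article).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("operator", "operator"), ("root", "root")}

# Assumed plant OT ranges: any management address outside these is treated as exposed.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]

# Remote-access services commonly found on an HMI/PLC that should never face the internet.
MANAGEMENT_PORTS = {22: "ssh", 80: "http", 443: "https", 502: "modbus", 5900: "vnc"}

@dataclass
class Asset:
    name: str
    address: str
    port: int
    username: str
    password: str

@dataclass
class Finding:
    asset: str
    issue: str
    severity: str

def audit_asset(asset: Asset) -> list[Finding]:
    """Return findings for one device: default credentials, exposure, and the combination."""
    findings = []
    default_cred = (asset.username, asset.password) in DEFAULT_CREDENTIALS
    addr = ipaddress.ip_address(asset.address)
    exposed = not any(addr in net for net in INTERNAL_NETWORKS)
    if default_cred:
        findings.append(Finding(asset.name, "factory-default credentials", "high"))
    if exposed:
        service = MANAGEMENT_PORTS.get(asset.port, f"tcp/{asset.port}")
        findings.append(Finding(asset.name, f"{service} reachable from outside the OT network", "high"))
    # Both together is the scenario described for the Polish plants:
    # anyone who finds the interface can log in with a published password.
    if default_cred and exposed:
        findings.append(Finding(asset.name, "default credentials on internet-exposed interface", "critical"))
    return findings

def audit_inventory(assets: list[Asset]) -> list[Finding]:
    return [f for a in assets for f in audit_asset(a)]

# Constructed sample inventory, not real plant data.
SAMPLE_INVENTORY = [
    Asset("pump-station-hmi", "203.0.113.10", 5900, "admin", "admin"),       # exposed + default
    Asset("filter-plc", "10.20.0.5", 502, "admin", "admin"),                 # internal, default
    Asset("scada-historian", "10.20.0.9", 443, "svc_hist", "Xk9#qLm2Rt"),    # internal, unique
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.asset}: {f.issue}")
```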
Details of the Breaches
In Szczytno, in May 2025, someone changed flushing cycles while the facility was under live surveillance. Jabłonna Lacka saw an intruder manipulating pump and filter thresholds through a compromised admin account in September 2025. The Polish Internal Security Agency (ABW) stressed that these attacks posed a "direct risk" to continuous water supply operations.
Attacker Tactics, Techniques, and Procedures (TTPs)
The ABW report identifies Russian APT groups such as APT28, APT29, and UNC1151 as potential perpetrators. While the agency stops short of direct attribution, the pattern aligns with a broader escalation in cyberattacks targeting Poland since its pro-Ukraine government came to power. These attacks have included targeting critical infrastructure like heat and power plants and renewable energy facilities.