
"Hackers breached five Polish water treatment plants in 2025, gaining access to the industrial control systems that regulate pumps, filters, and chemical dosing. In some facilities, the attackers could have altered the operational parameters of equipment that determines what comes out of the tap. The attack vector, in every case, was unremarkable: weak passwords and control systems connected directly to the internet."
"In Szczytno, in May 2025, someone accessed the supervisory control system and changed flushing cycles while the facility was being monitored on a live feed. In Jabłonna Lacka, in September, a video captured an intruder logging in through an admin account and manipulating pump and filter thresholds. The ABW said the attackers had the ability to alter technical parameters of devices, creating 'a direct risk' to the continuity of water supply operations."
"The report names the facilities: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, five small towns whose water treatment stations were found to have been penetrated by attackers the agency attributes, with careful phrasing, to 'hacktivist groups' that are 'often personas used by foreign governments, particularly Russian intelligence services.'"
"The agency identified two primary attack vectors: passwords that had not been changed from factory defaults and industrial control systems exposed directly to the public internet. Neither vulnerability requires sophisticated tooling to exploit. Both have been"
Attackers gained access to industrial control systems at five Polish water treatment plants, allowing manipulation of operational parameters for pumps, filters, and chemical dosing. In Szczytno, supervisory control access enabled changes to flushing cycles while monitoring was active. In Jabłonna Lacka, an intruder logged in through an admin account and adjusted pump and filter thresholds, with video evidence of the intrusion. The ABW attributed the incidents to hacktivist groups often used as personas by foreign governments, particularly Russian intelligence services. The identified attack vectors were unchanged factory-default passwords and control systems directly exposed to the public internet, both exploitable without sophisticated tooling. The breaches created a direct risk to continuity of water supply operations.
#water-treatment-security #industrial-control-systems #cyberattacks #default-passwords #critical-infrastructure
Read at TNW | Insights