APT28 / APT29 / UNC1151 (Polish water OT)
From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11
Current state: ABW 2025 Annual Report (2026-05-07 publication, covered 2026-05-09) is the formal-attribution development this week. Per SecurityWeek's coverage of the ABW report, the campaign against the five small Polish municipal water facilities is attributed to APT28 (GRU) and APT29 (SVR) — with UNC1151 (Belarusian-linked) named in the same attribution discussion.
The granular per-facility breakdown and disinformation-overlay specifics carried in the daily 2026-05-09 UPDATE trace back to the Polish-language ABW report itself rather than the English secondary coverage; defenders relying on the English reporting should treat the actor-cluster trio as attributed jointly without per-facility specificity unless the ABW primary is consulted.
The same APT28 cluster is in active operation against EU government ministries via CVE-2026-32202 (Windows Shell NTLM coercion, § 3).
Outstanding defender question: whether ABW-recommended NIS2 expansion to critical-function entities below the headcount threshold gains EU-level momentum in coming weeks.