ctipilot.ch


Critical infrastructure water (PL)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Five Polish municipal water-treatment facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) had their OT networks penetrated and pump control parameters modified; a manual override at at least one site prevented service disruption (daily 2026-05-08). The ABW (Poland's Internal Security Agency) 2025 Annual Report, published 2026-05-07, formally attributed the campaign to APT28 (GRU) and APT29 (SVR), and named UNC1151 (Belarusian-linked, Ghostwriter cluster) in the same attribution discussion (SecurityWeek — Polish security agency reports ICS breaches at five water treatment plants · daily 2026-05-09 UPDATE). This is materially more granular than the initial "pro-Russian hacktivist" framing. All five facilities were below the NIS2 essential-entity headcount threshold at the time of intrusion.

Cross-cutting theme: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting. Dragos's 8th annual OT Year in Review (§ 6) reinforces this: 65 percent of assessed sites carried insecure remote-access conditions, and hidden IT/OT network paths surfaced during routine penetration tests. Swiss / EU water, energy, and utility operators should re-validate IT-OT segmentation and the authentication posture of industrial-gateway and SCADA management interfaces; this is carried into 2026-W20 as a direct action.
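The re-validation step above is where the "hidden IT/OT paths" from the Dragos finding typically surface: an allow rule that permits a corporate range, or any source, to reach process-control subnets on an industrial protocol or a remote-access port. The script below is an added example, not part of the brief, the ABW report or the Dragos review. It parses a constructed, simplified rule export (name, action, source, destination, ports), classifies each endpoint against a hypothetical IT/DMZ/OT zone model, and flags every allow rule that carries IT-zone traffic straight into the OT zone on a sensitive port. The zone ranges, the port list and the sample rules are all assumptions chosen for illustration; rule ordering and shadowing (a later deny cancelling an earlier allow) are deliberately not modelled.

```python
"""Flag firewall rules that let IT-zone sources reach OT-zone hosts on
industrial-protocol or remote-access/management ports.

Added example for the 2026-W19 water-sector brief. Everything below (zone
ranges, port list, rule format, sample rules) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone model (constructed). IT = corporate/user networks,
# DMZ = the only sanctioned hop towards the plant, OT = process control.
ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT":  [ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("192.168.101.0/24")],
}

# Ports whose exposure from IT to OT is a finding: industrial protocols plus
# the management and remote-access services usually fronting gateways and HMIs.
SENSITIVE_PORTS = {
    502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm",
    4840: "OPC UA", 22: "SSH mgmt", 23: "Telnet", 80: "HTTP mgmt",
    443: "HTTPS mgmt", 161: "SNMP", 3389: "RDP", 5900: "VNC",
}

# Constructed sample export, one rule per line: name action src dst ports.
# R3 and R4 are the kind of hidden path a segmentation review should catch.
SAMPLE_RULES = """
R1 allow 10.10.0.0/16    10.20.0.0/24      443        # IT -> DMZ jump host: fine
R2 allow 10.20.0.10/32   192.168.100.0/24  502,4840   # DMZ -> OT data collector: fine
R3 allow 10.10.5.0/24    192.168.100.0/24  3389,5900  # vendor desk RDP/VNC straight into OT
R4 allow 0.0.0.0/0       192.168.101.7/32  any        # "temporary" any-rule on a gateway
R5 deny  10.10.0.0/16    192.168.100.0/24  any
"""


@dataclass
class Rule:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: set  # ints, or {"any"}


def parse_rules(text):
    """Parse the constructed text format into Rule objects, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, action, src, dst, ports = line.split()
        port_set = {"any"} if ports == "any" else {int(p) for p in ports.split(",")}
        rules.append(Rule(name, action.lower(),
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False), port_set))
    return rules


def zones_touched(net):
    """Every zone whose address space overlaps `net`; 0.0.0.0/0 touches all of them."""
    return {z for z, ranges in ZONES.items() if any(net.overlaps(r) for r in ranges)}


def audit(rules):
    """Return (rule name, description) for each allow rule that carries IT-zone
    traffic into the OT zone on a sensitive port (or on all ports)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if "IT" not in zones_touched(r.src) or "OT" not in zones_touched(r.dst):
            continue
        if "any" in r.ports:
            exposed = ["all ports"]
        else:
            exposed = [f"{p}/{SENSITIVE_PORTS[p]}" for p in sorted(r.ports)
                       if p in SENSITIVE_PORTS]
        if exposed:
            findings.append((r.name, f"{r.src} -> {r.dst}: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for name, detail in audit(parse_rules(SAMPLE_RULES)):
        print(f"FINDING {name}: {detail}")
```

On the sample export this reports R3 (RDP and VNC from a corporate /24 into the control subnet) and R4 (an any-source, any-port rule onto a single gateway host), and stays silent on the IT-to-DMZ and DMZ-to-OT rules that the zone model sanctions. Against a real export, the first thing to do is replace the parser with one for the vendor's format and the zone table with the operator's actual address plan; the second is to treat every finding on a management port as an authentication question (is that interface still on a shared or default credential) rather than only a firewall question.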