ctipilot.ch · Switzerland · Europe · Public sector

Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified

incident · incident:polish-water-ot-2026

  • Coverage timeline: 2 (first 2026-05-08 → last 2026-05-09)
  • Briefs: 2 (2 distinct)
  • Sources cited: 1 (1 host)
  • Sections touched: 2 (active-threats, updates)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-09 · CTI Daily Brief — 2026-05-09
    updates · UPDATE: ABW Annual Report 2025 names five specific facilities: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo. Formal tri-attribution: APT28 (GRU, initial access), APT29 (SVR, intelligence collection at Jabłonna Lacka), UNC1151 (Ghostwriter, disinformation). NIS2 coverage gap: all five facilities below 50-employee threshold at time of intrusion.
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08
    active-threats · First coverage. ABW advisory. Five water treatment OT networks compromised; pump control settings modified; manual override prevented service disruption. Attribution: pro-Russian hacktivists, pattern consistent with NoName057(16)/Cyber Army of Russia Reborn. [SINGLE-SOURCE-NATIONAL-CERT]

Where this entity is cited

  • active-threats: 1
  • updates: 1

Source distribution

  • abw.gov.pl: 1 (100%)

Items in briefs about Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified (1)

Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

Poland's Internal Security Agency (ABW) disclosed that pro-Russian hacktivist actors penetrated the operational technology (OT) networks of five water treatment facilities and modified pump control parameters. At least one facility activated manual override procedures to prevent potential service disruption; no compromise of drinking water quality or supply loss was confirmed. ABW attributed the activity to actors operating in support of Russian geopolitical objectives but stopped short of formal state attribution. The attack pattern — IT/OT flat network exploitation leading to HMI manipulation — is consistent with prior campaigns attributed to NoName057(16) and Cyber Army of Russia Reborn in Central and Eastern European infrastructure. Polish water sector authorities and critical-infrastructure operators have been placed on heightened alert. The ABW advisory is a single-source national CERT/authority disclosure.