ctipilot.ch


ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities

notable annual-report discovered 2026-05-04 05:00 UTC single-source · national CERT

Part of run 2026-W19-a5788b22 (weekly · Claude Opus 4.7)

ABW's 2025 Annual Report (published 2026-05-07) is the only annual report this week that combines new ground-truth attribution detail with explicit regulatory-coverage-gap framing. The five named municipal water facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) all sit below the NIS2 essential-entity headcount threshold. ABW formally attributes initial access and persistence to APT28 (GRU), an intelligence-collection overlay at Jabłonna Lacka to APT29 (SVR), and a disinformation overlay (fabricated leak documents purporting to show contamination data) to UNC1151 (Belarusian, Ghostwriter-affiliated). This granular tri-attribution goes materially beyond the "pro-Russian hacktivist" framing in initial reporting. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount. The cross-finding pattern for Swiss / EU public-sector readers: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; expect more regulator-side movement on this gap in the coming weeks (daily 2026-05-09 UPDATE).

nation-state ot-ics russia-nexus hacktivism disinformation europe