
Russia Targets Polish Water Utilities in Hybrid Warfare Campaign

[Image: control room with exposed management panels and industrial equipment.]

"There is a lot we can do to raise the bar in cybersecurity, just with the basics," said Piotr Kupisiewicz, the Cracow, Poland–based CTO of cybersecurity firm Elisity.

ABW ties five intrusions to a pro‑Russian hybrid campaign

Poland's Internal Security Agency (ABW) confirmed that five known intrusions into water utilities were pro‑Russian incidents and part of what it described as a Kremlin campaign of hybrid warfare against NATO's eastern flank. None of the five intrusions impacted the actual water supply, the agency said, but ABW reported "a steady increase" in cyberattacks against critical infrastructure and industrial control systems for municipal services such as sewage treatment plants, water treatment plants and waste incineration plants.

Attack techniques: exposed management panels and weak passwords

ABW said attackers targeted utilities serving small towns and rural communities by exploiting "improper password policies and unsecured device management panels accessible directly from the public internet." Piotr Kupisiewicz told ISMG that the intrusions "were nothing really sophisticated" and succeeded because some facilities used weak or default passwords on internet‑accessible portals or via poorly defended jump hosts.

The practical implication was simple: attackers who could reach exposed operator interfaces could act as if they were the on‑site engineer. As Josh Corman, who heads the non‑profit UnDisruptable27.org, put it, "an attacker can do basically anything that you could do as the water engineer, if you went evil or wanted to do harm."

The Jabłonna Lacka video: fear as the operational objective

Hackers posted a video showing access to a control interface for a water utility serving Jabłonna Lacka, a rural community of over 4,000 in Masovian Voivodeship. The video showed the hacker logged in as an administrator and able to change settings on water pumping and treatment equipment. Kupisiewicz said "the configuration was designed to suppress alarms while pushing the pump and filter assemblies into unsafe operating envelopes."

He assessed that "They couldn't poison the water, but they could change settings to make it unsafe to drink," by preventing proper filtering or treatment. Kupisiewicz and others emphasized that the psychological effect was a primary goal: the hacks produced propaganda and fear without forcing a serious operational response, undermining public confidence and raising questions about what else could be at risk, from hospitals to power plants.

Nozomi on Sandworm and the limits of "advanced" labels

Research published by Nozomi Networks examined dozens of intrusions attributed to Sandworm—also identified as Military Unit Number 74455—and concluded the group often relies on old, unpatched vulnerabilities and noisy post‑intrusion activity. "These were not stealthy zero‑day attacks," wrote Nozomi Cybersecurity Director Chris Grove; rather, they used "noisy, well‑documented techniques that went uninvestigated." The finding reinforces the view from Polish cases that basic cyber hygiene failures can enable high‑impact messaging campaigns.

How technologists, policymakers, and utilities are likely to respond

  • Technologists and security teams: The U.S. federal advisory mirrored ABW's findings and urged critical infrastructure providers to "remove OT connections to the public internet" and "change default passwords immediately." Security consultants in the story stressed returning to basic controls like segmentation, password hygiene, and removing internet exposure.
  • Policymakers and regulators: Danielle Jablanski, now lead OT cybersecurity consultant for STV, said the fast‑developing threat environment requires getting "back to basics," repeating a half‑dozen core mitigations. Regulators faced with many small, underfunded utilities will confront tradeoffs between prescribing basic minimums and funding engineering mitigations.
  • Utilities and procurement leaders: Josh Corman noted that many small water utilities "lack the means, the time and the budget … to replace those old, unsupported devices." He argued that beyond cyber controls, utilities should "engineer in physical limits and controls"—for example devices that limit command rates to pumps to prevent destructive toggling.
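Corman's "engineer in physical limits" point can be made concrete with a small consequence-limiting guard that sits between an operator interface and the pump controller. The code below is an added illustration, not code from the article or from any utility; the safe envelope, the toggle interval and the command sequence are constructed assumptions. It enforces three things an HMI login cannot override: setpoints outside a fixed envelope are rejected, alarm-suppression requests are ignored, and pump on/off changes are rate limited.

```python
from dataclasses import dataclass, field

# Assumed physical envelope; a real plant derives these from equipment ratings.
SAFE_ENVELOPE = {"pump_speed_pct": (0, 85), "filter_flow_m3h": (5, 120)}
MIN_TOGGLE_INTERVAL_S = 300  # at most one on/off change per five minutes


@dataclass
class PumpGuard:
    """Guard layer: limits hold even if an attacker holds HMI admin rights."""
    alarms_enabled: bool = True
    pump_on: bool = False
    last_toggle_t: float = float("-inf")
    rejected: list = field(default_factory=list)

    def apply(self, cmd: dict, now: float) -> bool:
        """Apply one HMI command at time `now`; return True if accepted."""
        kind = cmd["type"]
        if kind == "suppress_alarms":
            # Alarm state is not configurable through the operator path at all.
            self.rejected.append(("alarms_locked", cmd))
            return False
        if kind == "setpoint":
            lo, hi = SAFE_ENVELOPE[cmd["tag"]]
            if not lo <= cmd["value"] <= hi:
                self.rejected.append(("out_of_envelope", cmd))
                return False
            return True
        if kind == "pump":
            if cmd["on"] == self.pump_on:
                return True  # no state change, nothing to rate limit
            if now - self.last_toggle_t < MIN_TOGGLE_INTERVAL_S:
                self.rejected.append(("toggle_rate", cmd))
                return False
            self.pump_on, self.last_toggle_t = cmd["on"], now
            return True
        self.rejected.append(("unknown", cmd))
        return False


def run_sequence(cmds):
    """Feed (time, command) pairs through a fresh guard; return accept flags."""
    guard = PumpGuard()
    return [guard.apply(c, t) for t, c in cmds], guard


# Constructed command sequence resembling rapid toggling plus alarm suppression.
SAMPLE_CMDS = [
    (0, {"type": "pump", "on": True}),
    (10, {"type": "pump", "on": False}),
    (20, {"type": "setpoint", "tag": "pump_speed_pct", "value": 110}),
    (30, {"type": "suppress_alarms"}),
    (400, {"type": "pump", "on": False}),
    (410, {"type": "setpoint", "tag": "filter_flow_m3h", "value": 60}),
]
```

Running `run_sequence(SAMPLE_CMDS)` accepts only the first pump start, the later pump stop and the in-envelope flow setpoint, and records the three rejected commands with their reasons.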

Limits of cyber hygiene and the choice between "Shields Up!" and "Connections down!"

Corman drew a distinction between less capable attackers—those stopped by basic improvements such as changing default passwords and adding multi‑factor authentication—and more capable actors. The article references U.S. intelligence and CISA warnings that a threat actor tracked as Volt Typhoon had prepositioned in networks of water utilities and other providers, using edge devices such as routers and firewalls as initial access vectors rather than default passwords. For those actors, Corman said, "good password hygiene" will not be sufficient. He concluded that "Sometimes it's not a matter of 'Shields Up!,' but rather 'Connections down!' and disconnecting some system elements from the internet, or 'Engineering in!'"

These incidents illustrate a stark operational calculus: low‑cost cyber intrusions can serve strategic messaging objectives without causing direct service outages, and many small utilities remain below a "cyber poverty line" where the threat outpaces available defenses. Whether managers will prioritize the relatively modest measures urged by ABW and U.S. advisories—or invest in physical engineering mitigations to limit consequences—remains the immediate, tangible decision for communities whose hospitals and residents rely on continuous, safe water service.

https://www.govinfosecurity.com/russian-attacks-on-polish-water-utilities-use-fear-as-weapon-a-31681