Poland's water treatment facilities were compromised by hackers exploiting default passwords, as the US encounters a similar threat to its critical infrastructure.
TL;DR: Hackers accessed five water treatment facilities in Poland through default passwords and internet-exposed control systems. In response, Poland is investing a billion euros in cybersecurity, while 70 percent of US water utilities fail to meet basic standards.
In 2025, hackers gained unauthorized access to five Polish water treatment plants, targeting the industrial control systems that manage pumps, filters, and chemical dosing. In some cases, they could have changed the operational settings of the equipment affecting tap water quality. The common entry point for these attacks was remarkably basic: weak passwords and direct internet connections.
The ABW, Poland’s Internal Security Agency, revealed these breaches in its first public report since 2014, prior to Russia's annexation of Crimea. The identified facilities include Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, all small towns whose water stations were compromised by attackers the agency refers to ambiguously as “hacktivist groups” often associated with foreign governments, particularly Russian intelligence.
The breaches were not merely hypothetical scenarios. In Szczytno in May 2025, someone accessed the supervisory control system and altered flushing cycles while the facility was under live monitoring. In Jabłonna Lacka in September, a video showed an intruder entering an admin account and manipulating pump and filter settings. The ABW reported that these attackers could change technical parameters of the devices, posing a "direct risk" to the continuity of water supply operations.
The agency identified two key vulnerabilities: unchanged factory-default passwords and industrial control systems that were directly accessible via the internet. Exploiting these weaknesses does not require advanced tools and has been highlighted in cybersecurity advisories for over a decade.
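A defensive check for the two weaknesses the ABW named, added here as an example and not taken from the ABW report or the original article: it audits an asset inventory for control-system devices that accept inbound connections from outside private address space and for devices still on their factory-default password. The inventory layout, asset names and severity labels are assumptions, and the sample data is constructed.

```python
import ipaddress

# RFC 1918 private ranges; any other allowed source counts as internet-facing.
# Assumption: IPv4 rules only.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical assets and field names), e.g. built
# from a firewall rule export plus a configuration review of each device.
INVENTORY = [
    {"asset": "hmi-01", "default_password": True,
     "inbound": [{"src": "0.0.0.0/0", "port": 5900}]},
    {"asset": "plc-filter-02", "default_password": True,
     "inbound": [{"src": "10.20.0.0/16", "port": 502}]},
    {"asset": "scada-srv", "default_password": False,
     "inbound": [{"src": "0.0.0.0/0", "port": 443}]},
    {"asset": "plc-pump-03", "default_password": False,
     "inbound": [{"src": "10.20.5.0/24", "port": 502}]},
]

def internet_facing(src_cidr):
    """True if an inbound rule admits sources outside private address space."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE)

def audit(inventory):
    """Return (asset, severity, reasons) findings, worst first."""
    findings = []
    for item in inventory:
        reasons = []
        exposed = sorted({r["port"] for r in item["inbound"]
                          if internet_facing(r["src"])})
        if exposed:
            reasons.append("reachable from the internet on port(s) "
                           + ", ".join(map(str, exposed)))
        if item["default_password"]:
            reasons.append("factory-default password unchanged")
        if reasons:
            # Both weaknesses on one device is the combination the report describes.
            severity = "critical" if len(reasons) == 2 else "high"
            findings.append((item["asset"], severity, reasons))
    return sorted(findings, key=lambda f: (f[1] != "critical", f[0]))

if __name__ == "__main__":
    for asset, severity, reasons in audit(INVENTORY):
        print(f"{severity.upper():8} {asset}: " + "; ".join(reasons))
```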
The ABW report mentions Russian APT groups such as APT28 and APT29, as well as the Belarusian group UNC1151, as threats to Polish targets. While the agency refrained from linking specific breaches to particular groups, the situation reflects a broader trend, with Poland’s government reporting between 20 and 50 cyberattacks daily.
The frequency of cyberattacks on Poland increased after the election of its pro-Ukraine government, showing no signs of slowing. In December 2025, a coordinated cyber assault targeted a combined heat and power plant serving nearly 500,000 customers, along with multiple renewable energy facilities. The cybersecurity firm ESET attributed this attack to Sandworm, a group associated with Russia’s military intelligence, the GRU.
Poland's cybersecurity budget for 2026 has reached a historic one billion euros, a significant increase from the 600 million allocated in 2024. Of this total, 80 million euros is earmarked for enhancing the cybersecurity of water management systems. While Germany accounts for 90 percent of Europe’s record defense technology funding, Poland's per capita spending on cybersecurity now surpasses that of many NATO countries.
This spending reflects a recognition that the threat landscape has evolved beyond mere espionage. The European military AI startup Helsing raised 450 million euros solely to safeguard NATO against Russia, while Ukraine's rise as a defense tech leader illustrates that countries near Russia are ramping up their defensive capabilities. However, the breaches at Jabłonna Lacka and Szczytno were not the result of advanced persistent threats employing sophisticated exploits; they occurred because default passwords were not changed on internet-connected systems.
In the United States, a similar vulnerability exists, but on a larger scale. A 2024 EPA report revealed that nearly 70 percent of inspected water utilities failed to meet basic cybersecurity standards, including not changing default passwords. After a cyberattack disrupted services for millions in October 2024, the largest regulated water and wastewater utility, American Water, had to halt its billing systems.
These threats are real and not hypothetical. The state-sponsored Chinese group Volt Typhoon has penetrated IT environments of various US critical infrastructure entities, including water systems, possibly to prepare for larger-scale disruptive or destructive cyberattacks during a crisis. The Iranian-linked group CyberAv3ngers has also targeted programmable logic controllers at US water plants, including those in Pennsylvania.
The EPA, CISA, and FBI have continually issued warnings, and Congress temporarily reinstated cybersecurity information-sharing measures in November 2025, only to let them lapse again in January 2026. The federal government has made available cybersecurity planning tools, incident response templates, and procurement checklists, but the water utilities most in need of these resources are often the least likely to utilize them, particularly small municipal systems with limited budgets and no dedicated cybersecurity personnel.
There is currently a surge in defense stocks across Europe as governments invest heavily in military technology. Poland’s billion-euro cybersecurity investment reflects an acknowledgment of the threat it faces. NATO is also funding innovation accelerators and defense AI initiatives.
Nonetheless, the water treatment facilities breached in Poland were not protected by these investments. The control systems in Jabłonna Lacka and
