Russia Shifts From Espionage to Sabotage in Critical Infrastructure Attacks
Polish intelligence documents operational disruption capability at water facilities, signaling doctrine change targeting NATO grid and utility systems.
Poland’s ABW intelligence agency documented Russian state-sponsored actors gaining control of industrial systems at five water treatment facilities in 2025, marking the first confirmed transition from reconnaissance to sabotage-ready positioning in NATO critical infrastructure.
The May 6 ABW report identified breaches at plants in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo, where attackers accessed industrial control systems and gained the ability to alter technical parameters of water treatment equipment. The agency attributed the operations to Russian military intelligence groups APT28 and APT29, alongside Belarusian-aligned UNC1151.
This represents a tactical evolution from data exfiltration to demonstrated sabotage capability. U.S. agencies confirm parallel targeting: the FBI detected Russian FSB Center 16 collecting configuration files for thousands of networking devices associated with American critical infrastructure over the past year, according to an August 2025 alert. The reconnaissance included scanning for industrial control system protocols—the digital blueprints needed to disrupt operations.
From Power Grids to Water Systems
The water facility intrusions follow a December 2025 attack on Poland’s power grid. The Russian-linked Sandworm group deployed DynoWiper malware to target multiple renewable energy sources simultaneously—the first coordinated assault on decentralized generation, per ESET research. Polish Digital Affairs Minister Krzysztof Gawkowski called it a deliberate attempt to cut power to Polish citizens, with all indicators pointing to Russian sabotage.
The shift to water infrastructure expands the attack surface. Water treatment facilities operate with industrial control systems managing chemical dosing, pressure regulation, and filtration—processes where parameter manipulation could contaminate supplies or damage equipment. Unlike centralized power plants, water systems involve distributed networks of smaller facilities with varied security postures, creating asymmetric vulnerability.
“The most serious challenge remains the sabotage activity against Poland, inspired and organized by Russian intelligence services. This threat was (and is) real and immediate. It requires full mobilization.”
— Polish ABW Report
U.S. Exposure and Response Posture
American critical infrastructure faces identical reconnaissance patterns. In April, U.S. and allied agencies disrupted a GRU campaign using compromised routers for DNS hijacking targeting military and infrastructure information across 16 nations. A December 2025 CISA advisory warned that pro-Russia hacktivist groups were conducting opportunistic attacks on U.S. infrastructure via internet-facing connections to operational technology devices.
CISA launched the CI Fortify initiative on May 6, directing critical infrastructure operators to plan for geopolitical cyber crises through isolation and recovery protocols, according to Federal News Network. The guidance emphasizes operational technology segmentation—physically or logically separating control systems from corporate networks to contain breaches.
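Segmentation is the control the CI Fortify guidance stresses. As an added example (not CISA's guidance or any operator's code), the script below models the principle as a flow-policy check over constructed flow records: OT devices may be reached only from a hardened jump-host zone or from inside OT, and never initiate connections to the internet. The zone ranges, port numbers and sample flows are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Zone definitions are assumptions for this example; operators define their own.
ZONES = {
    "ot": ipaddress.ip_network("10.50.0.0/16"),          # PLCs, RTUs, HMIs
    "corporate": ipaddress.ip_network("10.10.0.0/16"),   # business IT
    "jump": ipaddress.ip_network("10.20.9.0/24"),        # hardened jump hosts
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to a named zone; anything unlisted is treated as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def violations(flows):
    """Return (flow, reason) pairs that break the OT segmentation policy:
    OT is reached only from the jump zone or from inside OT itself, and OT
    devices never initiate connections to the internet."""
    found = []
    for f in flows:
        src, dst = zone_of(f.src), zone_of(f.dst)
        if dst == "ot" and src == "internet":
            found.append((f, "OT device reachable from the internet"))
        elif dst == "ot" and src == "corporate":
            found.append((f, "direct corporate-to-OT path bypasses jump host"))
        elif src == "ot" and dst == "internet":
            found.append((f, "OT device initiating outbound internet connection"))
    return found

# Constructed sample flows (not real traffic); 203.0.113.x is a documentation range.
SAMPLE_FLOWS = [
    Flow("10.20.9.5", "10.50.1.10", 502),    # jump host -> Modbus PLC: allowed
    Flow("10.50.1.10", "10.50.1.12", 502),   # PLC -> PLC inside OT: allowed
    Flow("10.10.4.22", "10.50.1.10", 502),   # corporate -> PLC: violation
    Flow("203.0.113.7", "10.50.1.11", 102),  # internet -> S7 PLC: violation
    Flow("10.50.1.11", "203.0.113.9", 443),  # PLC -> internet: violation
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

In practice the flow records would come from firewall or NetFlow exports at the IT/OT boundary, and each reported violation is either a misconfigured rule to fix or a candidate intrusion path to investigate.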
Corporate and Regulatory Implications
For publicly traded water and utility operators, the Poland precedent exposes material cyber risk. Investors now have documented evidence that state actors can reach operational technology managing public services. Companies with aging industrial control systems or limited OT/IT network segmentation face heightened disclosure obligations under SEC Cybersecurity rules requiring material incident reporting within four business days.
The attacks also demonstrate attribution precision. ABW named specific APT groups and linked operations to Russian intelligence services—enabling sanctions, diplomatic responses, and insurance underwriting adjustments. Political risk now carries technical specificity: portfolio managers can assess exposure based on geographic footprint and infrastructure sector rather than treating cyber as undifferentiated systemic risk.
APT28 and APT29 are Russian military intelligence units operating under GRU and SVR respectively, with documented operations spanning election interference, espionage, and destructive attacks since 2014. UNC1151, assessed to operate from Belarus, conducts influence operations and cyber intrusions aligned with Russian strategic objectives. Their combined involvement in Polish water infrastructure targeting represents integration of signals intelligence collection, operational technology intrusion, and sabotage preparation within a unified campaign structure.
Doctrine Shift: Pre-Positioning for Conflict
The progression from espionage to sabotage-ready positioning reflects strategic calculation. By gaining access to control systems without immediately disrupting operations, Russian actors create optionality—the ability to activate pre-positioned capabilities during geopolitical escalation. This mirrors Cold War-era military doctrine of preparing the battlefield, now applied to civilian infrastructure.
Poland’s experience as a NATO frontline state offers a preview of American vulnerability. The Atlantic Council notes that hybrid warfare tactics tested in Poland—combining cyber sabotage with information operations—demonstrate Russian willingness to target civilian infrastructure as leverage. U.S. water and energy systems, with similar technological dependencies and often weaker security investment than military networks, present comparable attack surfaces.
What to Watch
CISA’s CI Fortify guidance implementation will test whether voluntary security frameworks can match state-sponsored offensive capability. Watch for regulatory movement toward mandatory OT security standards—the SEC’s four-day disclosure window creates market pressure, but operational technology protection requires engineering changes measured in years, not quarters.
Attribution precision matters. As intelligence agencies publish technical details linking attacks to specific Russian units, expect financial sanctions targeting cyber operators and defense industry investment in OT security products. Poland allocated €1 billion to critical infrastructure defense following the power grid attack—U.S. budget proposals for fiscal 2027 will reveal whether American policymakers treat this as urgent or theoretical risk.
Monitor water utility stocks with significant Eastern European operations or aging ICS infrastructure. The shift from theoretical vulnerability to documented sabotage capability changes actuarial models for cyber insurance and creates fiduciary obligations for boards overseeing critical infrastructure companies. Russian reconnaissance of U.S. systems suggests the operational timeline is advancing—Poland’s experience provides both warning and technical roadmap for defensive investment.