OPINION

Thought for the week: Is Poland's ABW report a sign of the trajectory of nation-state cyberattacks?

Poland's ABW report suggests a shift toward infrastructure-focused cyberattacks, underscoring the need for organizations to rethink defenses amid evolving nation-state threats.


Contributors:

Brian Hengesbaugh

CIPP/US

Global Chair, Data and Cyber

Baker McKenzie

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

Poland's Internal Security Agency, or ABW, recently published its report covering the agency's activities over the past two years. In the report, the ABW found that nation-state cyberattacks targeting industrial control systems and public infrastructure escalated sharply through 2024 and 2025. 

In particular, state-backed actors targeted military facilities, critical infrastructure and civilian locations throughout Poland, including systems that regulate water, electricity, transportation and other essential services. This Industrial Cyber article cites a growing role for AI that is adding a layer of complexity for defenders and notes that the overall trend is away from data theft and toward physical disruption. 

According to my translation of the original report in Polish, the attack types are cyber espionage — particularly APT groups — disinformation campaigns, supply-chain attacks and industrial control system attacks. The key techniques are QR phishing, or "quishing," social engineering campaigns and exploiting cloud infrastructure for malware attacks. The overall statistics include more than 40,000 incident reports, 5.5 million alerts and an 18% year-over-year increase in attacks.

Why Poland's experience matters  

My sense is that Poland's experience can be a sign of the trajectory of nation-state cyberattacks. Poland is proximate to the Ukraine-Russia conflict, and is citing attacks from Russia, Belarus and other nation-states. So, the Polish experience has been that, as tensions escalate, the first step is not kinetic military attacks, e.g., missiles/drones, but rather cybersecurity attacks that can be effectuated from a distance. And, whereas nation-state attacks previously had focused on data theft, they increasingly now focus, for Poland, on disruption in the context of critical infrastructure, e.g., water, electricity and the like. This can lead to not only business disruption but also physical harms to civilians.

Hoping for the best but preparing for the worst

I think we all are hoping and praying for the best that the various hot spots of wars and military action around the world will cool, and potential areas of conflict will settle before spiking. But given these real-world developments in Poland and elsewhere, it's important for business, legal and IT/security teams to recognize that the threat model is changing and adjust priorities and resources to start taking these into consideration. There are several key themes to consider.

Focus on preparation and protection against destruction, not just data theft, as a security matter. The IT/security team will be best positioned to address this in the context of the company's overall environment, but this could focus on potential attacks related to destruction of systems — wipers — disruption of operations such as operational technology and industrial control systems, and other physical impacts.

Update the incident response plan and tabletops to address destructive attack scenarios. Consider building more features into incident response plans to address destructive attack scenarios and incorporating such attacks into tabletop exercises. Among other points, how would the organization respond if a scenario matures with mass system destruction, loss of Active Directory/identity infrastructure, or a total network outage?

Beyond the business and security response, what substantive security, notification requirements and other duties would arise under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and other cybersecurity regulatory requirements globally? How would the enterprise handle executive decision-making, board reporting, customer notifications and public relations issues in the context of one of these attacks?

Evaluate and address supply chain risks. One layer of supply chain risk relates to the providers' connections to and other interactions with the organization, such as MFA for vendor access, zero trust access controls and monitoring of third-party connections. A deeper and broader layer of supply chain analysis relates to overall reliance on third-party providers, and where and how disruption of such providers might impact the organization.  

The latter might warrant a closer look at information security controls, as well as business continuity and disaster recovery planning. It could also fit within a broader evaluation of the geopolitical dimensions of supply chain risk, e.g., trade sanctions and the like. 

Overall, I think it's fair to assert that western companies in the current environment need to overcome at least two legacy hurdles to understand and address the current nation-state threat landscape. First, we have had decades of relative quiet in terms of large-scale warfare, which reduces an appreciation of the intensity of such conflicts. Second, while the notion that a nation state might exfiltrate data and IP is not new, the notion that a nation state would reach across oceans and natural boundaries to initiate destructive attacks against companies is relatively new. 

When combined with the realities that threat actors typically have an asymmetry advantage — the hacker only needs to be right once, whereas the company needs to be right 100% of the time — and the relatively vast amount of resources that nation states bring to the exercise, the challenge for companies can be quite daunting. 

It certainly requires a cross-functional team effort across business leaders, IT/security, legal/compliance and other functional areas to decide upon and execute the right strategic decisions to seek to address the most pressing aspects of these emerging threats.
